This #defcon is going to be spoooooky~ 👻
In a little over 3 weeks, I'm going to deep dive into the #GhostToken 0-day vulnerability at @defcon, and the faults in the #OAuth protocol that led to it.
Hope to see you there, Aug 11, 12pm!
Astrix #InfoSec researchers warn of Google #GhostToken - possibility of #OAuth devs to create trojan apps that are unremovable and invisible to Google account holders
The research team in Astrix uncovered #GhostToken - a 0-day #vulnerability in Google Cloud Platform (#GCP) allowing malicious #OAuth apps to become unremovable for Google users who installed them.
We had disclosed the vulnerability to Google who recently rolled out a patch for all users.
I've written a technical blog where you can read how we found the vulnerability and exploited it:
https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/
For those who are tight on time, the issue resides in the fact that any Google OAuth application is forcibly tied to a single GCP project. This supposedly makes it easier to use any of GCP's services to develop OAuth apps.
However, we discovered that when the project associated with an OAuth app is deleted, the app enters a "limbo" state, being hidden from the user's management page (and thus unremovable), while its OAuth tokens are not revoked.
This primitive can be turned into an attack flow (as described in the blog), where an attacker controlling a malicious app can access the user's data without the user being able to revoke the access.
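To make the "limbo" state concrete, here is a small toy model of the failure mode the post describes. It is an added, constructed example: it is not Astrix's code and not Google's implementation, and every class, method and identifier in it (`AuthServer`, `visible_apps`, `ghost_tokens`, the project and token ids) is an assumption made for illustration. It models an authorization server where every OAuth app belongs to exactly one project, and it states the invariant the bug breaks: every token that is still valid must belong to an app the user can see on their management page, because that page is where revocation happens. The "hardened" mode, which revokes tokens of apps whose project is deleted, is one possible fix assumed here; the post does not say how Google's patch works.

```python
"""Toy model of the GhostToken failure mode (constructed example, not real code).

Invariant an authorization server should uphold: a token that is still valid
must map to an app the user can see, and therefore revoke, on the management
page. A token that is valid but invisible is a "ghost token".
"""
from dataclasses import dataclass, field


@dataclass
class App:
    app_id: str
    project_id: str  # every OAuth app is tied to exactly one project


@dataclass
class Token:
    token_id: str
    app_id: str
    user: str
    revoked: bool = False


@dataclass
class AuthServer:
    # Hypothetical server state; names and structure are assumptions.
    revoke_on_project_delete: bool
    projects: set = field(default_factory=set)
    apps: dict = field(default_factory=dict)    # app_id -> App
    tokens: dict = field(default_factory=dict)  # token_id -> Token

    def create_project(self, project_id: str) -> None:
        self.projects.add(project_id)

    def register_app(self, app_id: str, project_id: str) -> App:
        if project_id not in self.projects:
            raise ValueError("an OAuth app must be tied to an existing project")
        self.apps[app_id] = App(app_id, project_id)
        return self.apps[app_id]

    def grant(self, user: str, app_id: str, token_id: str) -> Token:
        # The user consents to the app and a token is issued for it.
        self.tokens[token_id] = Token(token_id, app_id, user)
        return self.tokens[token_id]

    def delete_project(self, project_id: str) -> None:
        self.projects.discard(project_id)
        if self.revoke_on_project_delete:
            # Assumed hardening: tokens of apps orphaned by the deletion die.
            for tok in self.tokens.values():
                if self.apps[tok.app_id].project_id == project_id:
                    tok.revoked = True

    def token_is_valid(self, token_id: str) -> bool:
        tok = self.tokens.get(token_id)
        return tok is not None and not tok.revoked

    def visible_apps(self, user: str) -> set:
        """Apps listed on the user's management page.

        Models the described behaviour: an app whose project no longer
        exists is hidden from the page even though its tokens may live on.
        """
        return {
            tok.app_id
            for tok in self.tokens.values()
            if tok.user == user and not tok.revoked
            and self.apps[tok.app_id].project_id in self.projects
        }

    def revoke_app_for_user(self, user: str, app_id: str) -> None:
        # Revocation is only possible for apps the page actually shows.
        if app_id not in self.visible_apps(user):
            raise LookupError("app is not listed, so the user cannot revoke it")
        for tok in self.tokens.values():
            if tok.user == user and tok.app_id == app_id:
                tok.revoked = True

    def ghost_tokens(self, user: str) -> list:
        """Audit check: valid tokens whose app the user cannot see."""
        visible = self.visible_apps(user)
        return sorted(
            tok.token_id for tok in self.tokens.values()
            if tok.user == user and not tok.revoked and tok.app_id not in visible
        )


def scenario(revoke_on_project_delete: bool) -> dict:
    """Run the project-deletion sequence and report what the user ends up with."""
    srv = AuthServer(revoke_on_project_delete)
    srv.create_project("proj-1")            # constructed ids
    srv.register_app("app-1", "proj-1")
    srv.grant("alice", "app-1", "tok-1")
    visible_before = sorted(srv.visible_apps("alice"))
    srv.delete_project("proj-1")
    return {
        "visible_before": visible_before,
        "visible_after": sorted(srv.visible_apps("alice")),
        "token_valid_after": srv.token_is_valid("tok-1"),
        "ghost_tokens": srv.ghost_tokens("alice"),
    }


if __name__ == "__main__":
    print("vulnerable:", scenario(False))
    print("hardened:  ", scenario(True))
```

In the vulnerable run the app disappears from the management page while `tok-1` stays valid, so `ghost_tokens` flags it and `revoke_app_for_user` would fail with `LookupError`; in the hardened run the token is revoked together with the project and the audit list is empty. The `ghost_tokens` check is the kind of consistency test a provider can run against its own state: the set of valid tokens and the set of revocable grants must agree.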