Google Apps Script Vulnerability Gives Opportunities to Hackers

Vulnerability Provides Hackers

A new vulnerability in Google App Scripts has opened the door to new possibilities for cyber criminals.

Researchers at cybersecurity firm Proofpoint have discovered a new way of exploiting Google App Scripts and thus deliver malware via URLs.

A detailed post on the official Proofpoint blog discusses this; the blog post says- “Software-as-a-Service (SaaS) applications have become mainstays of modern business and consumer computing. However, they are also quickly becoming the latest frontier of innovation for threat actors looking for new opportunities to distribute malware, steal credentials, and more. Proofpoint researchers identified a vulnerability that allowed attackers to leverage Google Apps Script to automatically download arbitrary malware hosted in Google Drive to a victim’s computer.”

The post further says- “Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem. Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. We also confirmed that it was possible to trigger exploits with this type of attack without user interaction, making it more urgent that organizations mitigated these threats before they reach end users, whenever possible.”

Proofpoint pointed out the vulnerability to Google; Google then added some specific restrictions on those Apps Script events that could potentially be exploited. Proofpoint presented the proof of concept to Google and also presented it at the DeepSec Conference, thereby demonstrating “the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years.” Proofpoint researchers feel that cyber criminals would attempt to exploit these new opportunities more often as there are very few defensive tools that protect organizations/individuals against such kinds of threats.

Proofpoint outlines how the proof of concept test was done to uncover the pos vulnerability. First, the malware executables were uploaded to Google Drive, to which hackers could create a public link. The next step was the threat actors sharing an arbitrary Google Doc, which could be used as a lure and vehicle for the Google Apps Script that would deliver the shared malware. The Proofpoint blog says- ” While we frequently observe Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect.”

Businesses and individuals need to guard themselves against such attacks; using a SaaS application like Google Drive ends us creating a new attack surface for threat actors. The fact is that most people won’t realize that a Google doc holds potential danger. Anyhow, this kind of attack can be prevented by adopting the same defensive measures that are used to prevent email-based phishing attacks. As already mentioned, hackers would tend to use this methodology more often because on the one hand defensive tools against such attacks are limited and on the other hand SaaS application attacks are much easier to assemble when compared to attacks that use macros.


Leave a Comment


Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password