social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
#GhostToken

Tal
<p>This <a href="https://infosec.exchange/tags/defcon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>defcon</span></a> is going to be spoooooky~ 👻</p><p>In a little over 3 weeks, I'm going to deep dive into the <a href="https://infosec.exchange/tags/GhostToken" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GhostToken</span></a> 0-day vulnerability at <span class="h-card" translate="no"><a href="https://defcon.social/@defcon" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>defcon</span></a></span>, and the faults in the <a href="https://infosec.exchange/tags/OAuth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OAuth</span></a> protocol that led to it.</p><p>Hope to see you there, Aug 11, 12pm!</p>
Tarnkappe.info
<p>📬 GhostToken let hackers snoop around in your Google account<br /><a href="https://social.tchncs.de/tags/ITSicherheit" class="mention hashtag" rel="tag">#<span>ITSicherheit</span></a> <a href="https://social.tchncs.de/tags/GhostToken" class="mention hashtag" rel="tag">#<span>GhostToken</span></a> <a href="https://social.tchncs.de/tags/GMail" class="mention hashtag" rel="tag">#<span>GMail</span></a> <a href="https://social.tchncs.de/tags/GoogleCloudPlatform" class="mention hashtag" rel="tag">#<span>GoogleCloudPlatform</span></a> <a href="https://social.tchncs.de/tags/GoogleDrive" class="mention hashtag" rel="tag">#<span>GoogleDrive</span></a> <a href="https://social.tchncs.de/tags/GoogleFotos" class="mention hashtag" rel="tag">#<span>GoogleFotos</span></a> <a href="https://social.tchncs.de/tags/GoogleKalender" class="mention hashtag" rel="tag">#<span>GoogleKalender</span></a> <a href="https://social.tchncs.de/tags/GoogleMaps" class="mention hashtag" rel="tag">#<span>GoogleMaps</span></a> <a href="https://social.tchncs.de/tags/OAuth" class="mention hashtag" rel="tag">#<span>OAuth</span></a> <a href="https://social.tchncs.de/tags/Phishing" class="mention hashtag" rel="tag">#<span>Phishing</span></a> <a href="https://social.tchncs.de/tags/Sicherheitsl%C3%BCcke" class="mention hashtag" rel="tag">#<span>Sicherheitslücke</span></a> <a href="https://tarnkappe.info/artikel/it-sicherheit/ghosttoken-liess-hacker-in-deinem-google-konto-schnueffeln-273327.html" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://</span><span class="ellipsis">tarnkappe.info/artikel/it-sich</span><span class="invisible">erheit/ghosttoken-liess-hacker-in-deinem-google-konto-schnueffeln-273327.html</span></a></p>
Tal
<p>The research team in Astrix uncovered <a href="https://infosec.exchange/tags/GhostToken" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GhostToken</span></a> - a 0-day <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerability</span></a> in Google Cloud Platform (<a href="https://infosec.exchange/tags/GCP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GCP</span></a>) allowing malicious <a href="https://infosec.exchange/tags/OAuth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OAuth</span></a> apps to become unremovable for Google users who installed them.</p><p>We disclosed the vulnerability to Google, which recently rolled out a patch for all users.<br>I've written a technical blog where you can read how we found the vulnerability and exploited it:<br><a href="https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">astrix.security/ghosttoken-exp</span><span class="invisible">loiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/</span></a></p><p>For those who are tight on time, the issue resides in the fact that any Google OAuth application is forcibly tied to a single GCP project. This supposedly makes it easier to use any of GCP's services to develop OAuth apps.<br>However, we discovered that when the project associated with an OAuth app is deleted, the app enters a "limbo" state, being hidden from the user's management page (and thus unremovable), while its OAuth tokens are not revoked.</p><p>This primitive can be turned into an attack flow (as described in the blog), where an attacker controlling a malicious app can access the user's data without the user being able to revoke the access.</p>