medium

GhostToken

Published Fri, Apr 21st, 2023
Platforms

Summary

Google users can find and install third-party OAuth applications from the Google Marketplace that are integrated with Google Workspace. Each OAuth application client in Google is associated with a GCP project. A bug in the way a GCP project enters a "pending deletion" state when it is deleted could have allowed threat actors to make a malicious application invisible and unremovable from the user's account. If an attacker had managed to get an application installed in an account (e.g., through a phishing attack), they could have exploited this vulnerability to hide their activity from the target user. Depending on the permissions of the malicious application, the attacker could have silently gained access to sensitive information such as private Gmail correspondence, personal files and planned events within the victim's Google account, as well as any GCP resources the user had access to.

Affected Services

N/A

Remediation

It is recommended that Google users go to the "Apps with access to your account" page and verify that they are familiar with all authorized third-party apps, and that each has the minimal needed permissions.
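The per-user page above is a manual check. For a Workspace tenant, an administrator can do the same review in bulk from the Admin SDK Directory API, whose users.tokens.list method returns the OAuth grants held by each user. The script below is an added example (not part of this advisory, and not code from Google or Astrix Security): it takes token records in that API's response shape (clientId, displayText, scopes, anonymous, nativeApp, as I understand that resource) and flags apps that are not on an organisation allowlist or that hold broad Gmail, Drive, Calendar or GCP scopes. The sample records, the allowlist and the scope-to-category table are constructed assumptions; a real run would feed in the API response instead of SAMPLE_TOKENS.

```python
"""Audit third-party OAuth grants across Google Workspace users.

Added example. Input records mirror the shape of the Admin SDK Directory API
`users.tokens.list` response (clientId, displayText, scopes, anonymous,
nativeApp); SAMPLE_TOKENS and ALLOWLIST are constructed, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Scope prefixes that grant access to the data classes named in the advisory.
# Assumed mapping: prefix -> category label used in the report.
SENSITIVE_SCOPE_PREFIXES = {
    "https://mail.google.com/": "gmail-full",
    "https://www.googleapis.com/auth/gmail.": "gmail",
    "https://www.googleapis.com/auth/drive": "drive",
    "https://www.googleapis.com/auth/calendar": "calendar",
    "https://www.googleapis.com/auth/cloud-platform": "gcp",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    unknown_app: bool                     # client id not on the allowlist
    sensitive_scopes: dict[str, list[str]]  # category -> granted scopes
    severity: str


def categorize_scope(scope: str) -> str | None:
    """Return the sensitive-data category for a scope, or None if it is benign."""
    for prefix, category in SENSITIVE_SCOPE_PREFIXES.items():
        if scope.startswith(prefix):
            return category
    return None


def is_readonly(scope: str) -> bool:
    """Google read-only scopes carry a '.readonly' suffix."""
    return scope.endswith(".readonly")


def audit_user_tokens(user: str, tokens: list[dict], allowlist: set[str]) -> list[Finding]:
    """Produce one finding per grant that is unknown or touches sensitive data."""
    findings: list[Finding] = []
    for tok in tokens:
        client_id = tok.get("clientId", "")
        unknown = client_id not in allowlist
        sensitive: dict[str, list[str]] = {}
        write_access = False
        for scope in tok.get("scopes", []):
            category = categorize_scope(scope)
            if category is None:
                continue
            sensitive.setdefault(category, []).append(scope)
            if not is_readonly(scope):
                write_access = True
        if not unknown and not sensitive:
            continue  # approved app with only benign scopes: nothing to report
        if unknown and write_access:
            severity = "high"      # unfamiliar app with full or write access
        elif write_access or (unknown and sensitive):
            severity = "medium"    # approved app over-privileged, or unknown app reading data
        else:
            severity = "low"       # unknown app with benign scopes, or approved read-only access
        findings.append(Finding(user, client_id, tok.get("displayText", "?"),
                                unknown, sensitive, severity))
    return findings


def audit_tenant(tokens_by_user: dict[str, list[dict]], allowlist: set[str]) -> list[Finding]:
    """Audit every user and return findings ordered by severity, then user."""
    findings: list[Finding] = []
    for user, tokens in tokens_by_user.items():
        findings.extend(audit_user_tokens(user, tokens, allowlist))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.user))


# Constructed sample data shaped like users.tokens.list items.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"kind": "admin#directory#token", "clientId": "111-known.apps.googleusercontent.com",
         "displayText": "Approved Calendar Sync", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly", "openid"]},
        {"kind": "admin#directory#token", "clientId": "222-unknown.apps.googleusercontent.com",
         "displayText": "PDF Helper", "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                    "https://www.googleapis.com/auth/userinfo.email"]},
    ],
    "bob@example.com": [
        {"kind": "admin#directory#token", "clientId": "333-unknown.apps.googleusercontent.com",
         "displayText": "Meeting Notes", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.events.readonly"]},
    ],
}
ALLOWLIST = {"111-known.apps.googleusercontent.com"}  # assumed organisation allowlist

if __name__ == "__main__":
    for f in audit_tenant(SAMPLE_TOKENS, ALLOWLIST):
        flag = "UNKNOWN" if f.unknown_app else "known"
        print(f"[{f.severity:6}] {f.user} {f.display_text!r} ({f.client_id}, {flag}) "
              f"sensitive={sorted(f.sensitive_scopes)}")
```

Review the high findings first: an unfamiliar client id holding a full Gmail or Drive scope is exactly the grant profile the advisory describes, and comparing the tenant-wide listing against an allowlist catches apps a user never consciously approved.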

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Sun, Jun 19th, 2022
Exploitability Period
until 2023/04/07
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Astrix Security