Published Fri, Apr 21st, 2023


Google users can find and install third-party OAuth applications from Google Marketplace that are integrated with Google Workspace. Each OAuth application client in Google is associated with a GCP project. A bug in the way a GCP project enters a "pending deletion" state when deleted could have allowed threat actors to make a malicious application invisible and unremovable from the user's account. If an attacker had managed to install an application in an account (e.g., through a phishing attack), they could have exploited this vulnerability to hide their activity from the target user. Depending on the permissions of the malicious application, the attacker could have silently gained access to sensitive information such as private Gmail correspondence, personal files and planned events within the victim's Google account, as well as any GCP resources the user had access to.

Affected Services



It is recommended that Google users go to the "Apps with access to your account" page and verify that they are familiar with all authorized third-party apps, and that each has the minimal needed permissions.

Tracked CVEs

No tracked CVEs


Disclosure Date
Sun, Jun 19th, 2022
Exploitability Period
until 2023/04/07
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Astrix Security