September 30, 2023

Researchers have detailed a zero-day vulnerability called GhostToken that could let threat actors gain unremovable access to a victim’s Google account by converting an authorized third-party app into a malicious trojan, leaving the victim’s personal data exposed indefinitely.

By using GhostToken, attackers can hide their malicious app from the victim’s Google account application management page. Because that page is the only place Google users can see their apps and revoke access, the exploit makes the malicious app unremovable from the Google account.

Additionally, the attacker can use the refresh token they received to take over and access the victim’s account, then hide the app again to restore its unremovable state. Since these applications are hidden from the victim’s view, the victim remains in the dark: they are prevented from even knowing their account has been hacked, and even if they do suspect it, the only step they can take is to set up a new Google account.


Researchers initially revealed the GhostToken zero-day on June 19, 2022, and Google released a patch earlier this month, on April 7. The patch added tokens of OAuth applications in a “pending deletion” state to the user’s app management screen.
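The flaw described above (an app moved into a hidden state disappears from the management page while its refresh token stays stored, and the owner can flip it back to use the token) reduces to one invariant: every authorization the account still honors must be visible to the user, or it cannot be revoked. The following toy model is an added example, not Google's code or the Astrix researchers' code; the state names, token format and method names are assumptions. It replays the hide/restore cycle against a pre-patch listing (hidden state omitted) and a patched listing (hidden state shown), and includes the audit check a platform designer would want: any stored grant that the page does not list.

```python
"""Toy model of the GhostToken visibility flaw.

Constructed example, not Google's code: the names, states and token format are
assumptions made to illustrate the invariant the page describes.
"""
from dataclasses import dataclass
import secrets

ACTIVE = "active"
PENDING_DELETION = "pending_deletion"  # assumed name for the hidden state


@dataclass
class Grant:
    """One user authorization of a third-party OAuth client."""
    client_id: str
    scopes: frozenset
    refresh_token: str
    state: str = ACTIVE


class AuthorizationServer:
    """Minimal stand-in for the account's authorization store and app page."""

    def __init__(self, list_pending_deletion: bool):
        # False models the pre-patch listing, True models the April 7 fix
        self.list_pending_deletion = list_pending_deletion
        self.grants: dict[str, Grant] = {}  # refresh_token -> Grant

    def authorize(self, client_id: str, scopes) -> str:
        """User consents to the app; the app receives a refresh token."""
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(client_id, frozenset(scopes), token)
        return token

    def set_client_state(self, client_id: str, state: str) -> None:
        """The app's owner moves their project between states."""
        for grant in self.grants.values():
            if grant.client_id == client_id:
                grant.state = state

    def list_apps_for_user(self) -> list[str]:
        """The user's app-management page: the only place apps can be revoked."""
        return sorted({g.client_id for g in self.grants.values()
                       if g.state == ACTIVE or self.list_pending_deletion})

    def revoke(self, client_id: str) -> bool:
        """User revokes an app; only possible for apps the page shows."""
        if client_id not in self.list_apps_for_user():
            return False
        self.grants = {t: g for t, g in self.grants.items()
                       if g.client_id != client_id}
        return True

    def redeem(self, refresh_token: str):
        """Token endpoint: a stored refresh token of an active app yields access."""
        grant = self.grants.get(refresh_token)
        if grant is None or grant.state != ACTIVE:
            return None
        return f"access-token-for-{grant.client_id}"

    def unlisted_grants(self) -> list[str]:
        """Audit the invariant: every stored grant must be visible to the user.
        Anything returned here is an authorization the user cannot revoke."""
        listed = set(self.list_apps_for_user())
        return sorted({g.client_id for g in self.grants.values()
                       if g.client_id not in listed})


def hide_restore_cycle(list_pending_deletion: bool) -> dict:
    """Replay the sequence the page describes against one model configuration."""
    srv = AuthorizationServer(list_pending_deletion)
    refresh = srv.authorize("third-party-app", ["gmail.readonly"])

    srv.set_client_state("third-party-app", PENDING_DELETION)  # app leaves the page
    visible_while_hidden = "third-party-app" in srv.list_apps_for_user()
    revoked_while_hidden = srv.revoke("third-party-app")

    srv.set_client_state("third-party-app", ACTIVE)            # owner restores it
    access = srv.redeem(refresh)                               # stored token still honored?

    srv.set_client_state("third-party-app", PENDING_DELETION)  # hidden again
    return {
        "visible_while_hidden": visible_while_hidden,
        "revoked_while_hidden": revoked_while_hidden,
        "access_after_restore": access,
        "unlisted_grants": srv.unlisted_grants(),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("patched" if fixed else "pre-patch", hide_restore_cycle(fixed))
```

In the pre-patch configuration the user never sees the app, `revoke` fails, the stored refresh token is honored once the owner restores the project, and the audit reports the grant as unlisted. With the listing changed to include the pending-deletion state, the same cycle lets the user revoke the app while it is hidden, after which the refresh token is gone and the audit is clean. The audit function is the general check: it does not depend on knowing which state an app owner used to hide, only on comparing what the account honors with what the user can see.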

This is an issue with how Google’s ecosystem manages third-party authorizations, and it has already been corrected. The “permanent” and “unremovable” claims were a bit hyperbolic, as a fix was obvious and easily implemented.

Depending on the permissions the victim grants the malicious app, attackers can potentially read the victim’s private correspondence in Gmail, access personal Google Drive and Google Photos files, view planned events in Google Calendar, track the victim’s location via Google Maps, and gain access to the victim’s Google Cloud Platform services.

This research was documented by researchers from Astrix.
