Google Apps Script vulnerability could have opened the door for malware
No user interaction required – and the exploit could’ve been used to distribute any form of malware.
A vulnerability in Google Apps Script could have allowed attackers to use Google Drive to discreetly deliver malware to unsuspecting victims.
Uncovered by Proofpoint, threat actors exploiting this vulnerability could use it to drop any form of malware on a machine – although such attacks have yet to be observed in the wild.
Researchers found that that Google Apps Script and the document sharing capabilities within Google supported automatic malware downloads and the ability to socially engineer the victims into executing the malicious file once delivered. It was also discovered that it was possible to trigger this type of attack without any input from the end user.
Ultimately, the vulnerability allows attacks to exploit legitimate Google Drive invitation lures and combine it with the ability to distribute malware stored on Google Drive.
The attack “demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years,” said Maor Bin, Research Lead, Threat Systems Products at Proofpoint
Uncovered as part of ongoing research into the capability of third-party applications, it was discovered that a Google Doc could be used to host a Google Apps Script for delivering malware.
Attackers regularly use software like Google Docs and Google Drive to host malware, but social engineering is requited to trick users into downloading the payload. In this instance, the user receives a legitimate link to edit a Google Doc, but self-propagation enables the malware to run with the victim being none the wiser that anything has happened. It’s just the latest example of attackers exploiting legitimate software for malicious means.
“New capabilities like Google Apps Script are creating considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad” – making use of legitimate features for malicious purposes,” said Bin.
Users should therefore be wary of clicking unexpected links, especially from unknown senders.
Google has implemented fixes to prevent App Scripts from being abused, blocking installable triggers — customizable events that cause certain events to occur automatically and simple triggers from opening things in a different user session.
However, Proofpoint warns that this won’t stop attackers, who will continue in their efforts to exploit SaaS applications, especially as they become more mainstream.