sb-eu logo
Story image

Google fixes vulnerability in Apps Script - but SaaS is still at risk

15 Jan 2018

Google has fixed a major risk in its Apps script that allowed automatic downloads of arbitrary malware to a user’s computer, through content hosted in Google Drive.

Security firm Proofpoint recently discovered a vulnerability that allows attackers to take advantage of Google Apps Script.

This vulnerability, in combination with social engineering scams that encourage victims to run the malware, is also able to be triggered without any type of user interaction.

“Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem,” the company says in a statement.

It says that the exploit begins through the upload of malicious files and malware executables on Google Drive. Attackers can set these to be made available through a public link.

“Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware. While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect,” the company says.

Because people often share legitimate links inviting them to edit Google documents, Proofpoint warns that email hygiene is critical.

As part of its fix for the vulnerability, Google has included restrictions that block phishing and malware attacks triggered by opening documents and through certains Apps Script events.

Google blocks installable triggers (customisable events that trigger automatic events) and simple triggers such as onOpen and onEdit from presenting custom interfaces in Docs editors in another user’s session, Proofpoint explains.

The company warns that users should be cautious about clicking doc links unless they know or can verify the sender.

“Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organisations should focus on mitigating these threats before they reach end users if possible,” the company says.

While SaaS platforms are providing additional user functionality and new forms of attack methods for threat actors, Proofpoint says that there aren’t many tools that can detect threats that are generated or distributed through legitimate SaaS platforms, resulting in an environment in which threat actors can abuse the platforms for malicious purposes.

“With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads,” the company says.

“The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools. Organisations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”

Story image
Gartner predicts 75% of CEOs to be liable for cyber-physical security incidents by 2024
The nature of CPSs means incidents can quickly lead to physical harm to people, destruction of property or environmental disasters – and Gartner’s new research indicates that these incidents will increase drastically in the next few years if the lack of spending on these assets continues.More
Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More
Story image
Report: 151% increase in DDoS attacks compared to 2019
It comes as the security risk profile for organisations around the world increased in large part thanks to the COVID-19 pandemic, forcing greater reliance on cloud technology and thrusting digital laggards into quick and unsecured migrations.More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
Kaspersky releases new report on consumer’s approach to digital services
COVID-19 related restrictions and the necessity to stay indoors has influenced the way people approach digital services, making them more aware of how securely both they, and their housemates, use the internet.More
Story image
Interview: Check Point profiles 5 battles that SOC teams face in 2020
Security operations centres (SOCs) are often the first lines of defence.More