Story image

Google fixes vulnerability in Apps Script - but SaaS is still at risk

15 Jan 2018

Google has fixed a major risk in its Apps script that allowed automatic downloads of arbitrary malware to a user’s computer, through content hosted in Google Drive.

Security firm Proofpoint recently discovered a vulnerability that allows attackers to take advantage of Google Apps Script.

This vulnerability, in combination with social engineering scams that encourage victims to run the malware, is also able to be triggered without any type of user interaction.

“Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem,” the company says in a statement.

It says that the exploit begins through the upload of malicious files and malware executables on Google Drive. Attackers can set these to be made available through a public link.

“Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware. While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect,” the company says.

Because people often share legitimate links inviting them to edit Google documents, Proofpoint warns that email hygiene is critical.

As part of its fix for the vulnerability, Google has included restrictions that block phishing and malware attacks triggered by opening documents and through certains Apps Script events.

Google blocks installable triggers (customisable events that trigger automatic events) and simple triggers such as onOpen and onEdit from presenting custom interfaces in Docs editors in another user’s session, Proofpoint explains.

The company warns that users should be cautious about clicking doc links unless they know or can verify the sender.

“Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organisations should focus on mitigating these threats before they reach end users if possible,” the company says.

While SaaS platforms are providing additional user functionality and new forms of attack methods for threat actors, Proofpoint says that there aren’t many tools that can detect threats that are generated or distributed through legitimate SaaS platforms, resulting in an environment in which threat actors can abuse the platforms for malicious purposes.

“With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads,” the company says.

“The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools. Organisations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.