
Google fixes vulnerability in Apps Script - but SaaS is still at risk

15 Jan 2018

Google has fixed a major risk in its Apps Script platform that allowed arbitrary malware, hosted as content in Google Drive, to be downloaded automatically to a user’s computer.

Security firm Proofpoint recently discovered a vulnerability that allows attackers to take advantage of Google Apps Script.

The malicious download itself could be triggered without any user interaction; the attack then relied on social engineering scams to persuade victims to run the downloaded malware.

“Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem,” the company says in a statement.

It says the exploit begins with the upload of malicious files and malware executables to Google Drive, which attackers can then make available through a public link.

“Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware. While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect,” the company says.

Because people routinely receive legitimate links inviting them to edit Google documents, Proofpoint warns that email hygiene is critical.

As part of its fix for the vulnerability, Google has included restrictions that block phishing and malware attacks triggered by opening documents and by certain Apps Script events.

Google now blocks installable triggers (customisable triggers that run a script automatically in response to an event) and simple triggers such as onOpen and onEdit from presenting custom interfaces in the Docs editors within another user’s session, Proofpoint explains.

The company warns that users should be cautious about clicking doc links unless they know or can verify the sender.

“Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organisations should focus on mitigating these threats before they reach end users if possible,” the company says.

While SaaS platforms provide additional functionality for users, they also give threat actors new attack methods, and Proofpoint says there are few tools that can detect threats generated or distributed through legitimate SaaS platforms, leaving an environment in which threat actors can abuse those platforms for malicious purposes.
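The sender-verification advice above, and the point that few tools inspect threats delivered through legitimate SaaS platforms, can be turned into a simple gateway-side check. The script below is an added example, not code from the article or from Proofpoint: it parses constructed mail-gateway log lines (the log format, the allowlist of verified sender domains and the Google Docs/Drive URL patterns it looks for are all assumptions) and flags Docs/Drive links arriving from senders outside the allowlist, rating direct-download links higher than shared documents.

```python
import re
from urllib.parse import urlparse

# Constructed sample mail-gateway log lines (not from the article). The line
# format is assumed: "<timestamp> from=<sender> to=<recipient> subject="..." url=<url>".
SAMPLE_LOG = """\
2018-01-15T09:12:03Z from=alice@example.com to=bob@example.com subject="Q1 budget" url=https://docs.google.com/document/d/1AbCdEfG/edit
2018-01-15T09:13:44Z from=invoices@mail-notify.example.net to=bob@example.com subject="Invoice shared with you" url=https://docs.google.com/document/d/9ZyXwVuT/edit?usp=sharing
2018-01-15T09:14:10Z from=no-reply@random-sender.example.org to=bob@example.com subject="Document" url=https://drive.google.com/uc?export=download&id=0B1example
2018-01-15T09:15:55Z from=carol@example.com to=bob@example.com subject="lunch" url=https://www.example.com/menu
"""

# Assumed allowlist of sender domains the organisation treats as known/verified.
VERIFIED_SENDER_DOMAINS = {"example.com"}

# Hosts that serve Google Docs and Drive content.
GOOGLE_HOSTS = {"docs.google.com", "drive.google.com"}

LINE_RE = re.compile(
    r'from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+subject="(?P<subject>[^"]*)"\s+url=(?P<url>\S+)'
)


def classify_url(url):
    """Label the kind of Google Docs/Drive link, or return None if it is not one.

    The path/query patterns below are assumptions about typical share and
    direct-download links, not a complete catalogue of Drive URL forms.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in GOOGLE_HOSTS:
        return None
    if host == "drive.google.com" and parsed.path.startswith("/uc") and "export=download" in parsed.query:
        return "drive-direct-download"
    if host == "docs.google.com" and parsed.path.startswith("/document/"):
        return "docs-document"
    return "google-other"


def parse_line(line):
    """Extract sender, recipient, subject and URL from one log line, or None."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_suspicious(log_text, verified_domains=VERIFIED_SENDER_DOMAINS):
    """Return alerts for Docs/Drive links sent from domains outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        kind = classify_url(record["url"])
        if kind is None:
            continue
        if sender_domain(record["sender"]) in verified_domains:
            continue  # known sender: a shared document is expected traffic
        # A link that fetches a file directly is treated as more severe than a
        # shared document, since the document is only the lure for the download.
        severity = "high" if kind == "drive-direct-download" else "medium"
        alerts.append({
            "sender": record["sender"],
            "recipient": record["rcpt"],
            "url": record["url"],
            "kind": kind,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['kind']} from {alert['sender']}: {alert['url']}")
```

Run on the constructed log, the check ignores the two links from the allowlisted domain and raises two alerts: a medium one for the shared document from the unknown notification domain and a high one for the direct-download link. In practice the allowlist would be fed from an organisation's own contact or domain data, and the alerts would go to the mail gateway's quarantine or a SIEM rather than to stdout.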

“With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads,” the company says.

“The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools. Organisations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”
