Google Apps Script vulnerability could have opened the door for malware

No user interaction required - and the exploit could've been used to distribute any form of malware.
Written by Danny Palmer, Senior Writer


A vulnerability in Google Apps Script could have allowed attackers to use Google Drive as a means of discreetly delivering malware to unsuspecting victims.

Google Apps Script is a JavaScript-based language used for the creation of add-ons and extensions for applications in the Google ecosystem, including Docs, Sheets, Slides, and Forms. The code editor is available in the Chrome browser and the official Apps Script website details how the scripts run on Google servers.

The vulnerability, uncovered by Proofpoint, could have let threat actors drop any form of malware on a machine -- although such attacks have yet to be observed in the wild.

Researchers found that Google Apps Script and the document-sharing capabilities within Google supported automatic malware downloads and the ability to socially engineer victims into executing the malicious file once delivered. They also discovered that it was possible to trigger this type of attack without any input from the end user.

Ultimately, the vulnerability allowed attackers to combine legitimate Google Drive invitation lures with the ability to distribute malware stored on Google Drive.

The attack "demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years," said Maor Bin, threat systems products research lead at Proofpoint.


As part of ongoing research into the capability of third-party applications, it was discovered that a Google Doc could be used to host a Google Apps Script for delivering malware.

Attackers regularly use software like Google Docs and Google Drive to host malware, but social engineering is normally required to trick users into downloading the payload. In this instance, the user receives a legitimate link to edit a Google Doc, and self-propagation enables the malware to run with the victim none the wiser that anything has happened. It is just the latest example of attackers exploiting legitimate software for malicious ends.

"New capabilities like Google Apps Script are creating considerable opportunities for threat actors who can leverage newfound vulnerabilities or use 'good for bad' - making use of legitimate features for malicious purposes," said Bin.

Users should therefore be wary of clicking unexpected links, especially from unknown senders.

Google has implemented fixes to prevent Apps Script from being abused, blocking both installable triggers (customizable events that cause certain actions to run automatically) and simple triggers from opening resources in a different user's session.

"We appreciate Proofpoint's contributions and have rolled out changes to address this potential vulnerability. We continuously work to stay ahead of potential threats," a Google spokesperson told ZDNet.


However, Proofpoint warns that this won't stop attackers, who will continue in their efforts to exploit SaaS applications, especially as they become more mainstream.

"Organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat," said Bin.

Hackers have previously been known to use Google Apps Script to send and receive commands in order to deliver Carbanak malware.
