1-Click OAuth Token Hijacking via Google Apps Script – A Design Flaw Ignored? | Bug Bounty
Summary
Researchers have discovered a flaw in Google’s Apps Script functionality that allows an attacker who has access to a Google Docs script project to steal the OAuth tokens of users who have granted permission to the script, thereby enabling the attacker to access sensitive user data or perform malicious actions on Google Drive, Gmail and other services.
The attack is accomplished by adding a malicious Web App to the Google Docs script, which is then deployed by an editor of the project (this person does not need to be the owner).
After the malicious Web App has been deployed, the attacker can delete the code implementing it, so that the owner of the project is not alerted to any changes having taken place.
Google has declined to fix the flaw, on the grounds that its Abuse Risk Assessment process judged the vulnerability not severe enough to require remediation.
The company instead suggests that owners of Google Docs scripts should audit logs and limit fetch service domains as possible mitigations, but the researchers say these are ineffective.
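Because the deleted Web App code leaves no trace in the editor, the deployment list is one of the few places an owner can still see that a Web App exists. The following is an added example, not code from the original article or from Google: it audits a deployments listing for Web App entry points and flags any whose deployment ID is not on an owner-maintained allowlist. The JSON shape (deployments, entryPoints, entryPointType, webApp.entryPointConfig) is assumed to follow the Apps Script REST API's deployments.list response; the sample response, script ID and deployment IDs below are constructed placeholders.

```python
import json
from typing import Any

# Constructed sample of a deployments.list response (field names assumed from the
# Apps Script REST API, not taken from the article). IDs are placeholders.
SAMPLE_DEPLOYMENTS_RESPONSE = json.dumps({
    "deployments": [
        {
            # The HEAD deployment has no entry points; it is not a Web App.
            "deploymentId": "HEAD",
            "deploymentConfig": {"scriptId": "SCRIPT_ID_PLACEHOLDER"},
        },
        {
            # A Web App the owner knows about and approved.
            "deploymentId": "DEPLOYMENT_ID_APPROVED_PLACEHOLDER",
            "deploymentConfig": {
                "scriptId": "SCRIPT_ID_PLACEHOLDER",
                "versionNumber": 3,
                "description": "Intranet form handler",
            },
            "updateTime": "2024-01-10T09:00:00Z",
            "entryPoints": [{
                "entryPointType": "WEB_APP",
                "webApp": {
                    "url": "https://script.google.com/macros/s/PLACEHOLDER_A/exec",
                    "entryPointConfig": {"access": "DOMAIN", "executeAs": "USER_DEPLOYING"},
                },
            }],
        },
        {
            # A Web App the owner never approved: deployed by an editor, code since removed.
            "deploymentId": "DEPLOYMENT_ID_UNKNOWN_PLACEHOLDER",
            "deploymentConfig": {
                "scriptId": "SCRIPT_ID_PLACEHOLDER",
                "versionNumber": 4,
                "description": "",
            },
            "updateTime": "2024-02-02T22:13:00Z",
            "entryPoints": [{
                "entryPointType": "WEB_APP",
                "webApp": {
                    "url": "https://script.google.com/macros/s/PLACEHOLDER_B/exec",
                    "entryPointConfig": {"access": "ANYONE", "executeAs": "USER_ACCESSING"},
                },
            }],
        },
    ]
})

WEB_APP_ENTRY_POINT = "WEB_APP"


def find_web_app_deployments(response_json: str) -> list[dict[str, Any]]:
    """Return one summary record per deployment that exposes a Web App entry point."""
    data = json.loads(response_json)
    found = []
    for dep in data.get("deployments", []):
        for ep in dep.get("entryPoints", []):
            if ep.get("entryPointType") != WEB_APP_ENTRY_POINT:
                continue
            cfg = ep.get("webApp", {}).get("entryPointConfig", {})
            found.append({
                "deploymentId": dep.get("deploymentId"),
                "version": dep.get("deploymentConfig", {}).get("versionNumber"),
                "description": dep.get("deploymentConfig", {}).get("description", ""),
                "updateTime": dep.get("updateTime"),
                "access": cfg.get("access"),
                "executeAs": cfg.get("executeAs"),
            })
    return found


def unexpected_web_apps(response_json: str, approved_ids: set[str]) -> list[dict[str, Any]]:
    """Web App deployments whose ID is not on the owner's allowlist.

    Any hit is worth investigating even if the project's code looks clean,
    since the code behind a deployment can be deleted after deploying.
    """
    return [d for d in find_web_app_deployments(response_json)
            if d["deploymentId"] not in approved_ids]


if __name__ == "__main__":
    approved = {"DEPLOYMENT_ID_APPROVED_PLACEHOLDER"}
    for hit in unexpected_web_apps(SAMPLE_DEPLOYMENTS_RESPONSE, approved):
        print(f"UNAPPROVED WEB APP: {hit['deploymentId']} v{hit['version']} "
              f"access={hit['access']} executeAs={hit['executeAs']} updated={hit['updateTime']}")
```

In practice the response would come from an authenticated call to the Apps Script API for the project's script ID, run on a schedule and diffed against the allowlist; the audit is only as good as the allowlist the owner keeps, which is why the researchers quoted above consider log-based mitigations weak on their own.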