Andrew Cantino, VP of Engineering at Mavenlink and a bug hunter in his free time, has discovered that Google Apps Scripts can be misused by attackers to access users’ email and other information.
“Google Apps Script is a powerful scripting environment provided by Google that can make authenticated requests against user data inside of Google’s properties,” he explained, and pointed out that when authorizing a Google Apps Script, users are not clearly told that they’re allowing a third party access to their data, which can make social engineering attacks far too easy.
“Worse, Google Apps Scripts are on a Google domain, so even savvy users who look for suspicious domains will be fooled,” he noted.
To prove his point, he created an app he named “Google Security Upgrader”, backed by a simple Google Apps Script he wrote that does nothing more than create a new Gmail label.
A user who downloads the app sees that it asks for permission to view and manage their mail, but many users do not understand what this actually means and would simply grant the app that permission.
If attackers wielded such an app, they could make it do a number of malicious things, including deleting or stealing data, manipulating personal information, trying to propagate the script further by sending the link to everyone in the user’s contact list, and more.
Cantino has notified Google of his findings, but for now the company has decided not to act on them. “This is currently working as designed and is not a technical vulnerability,” they noted, but allowed him to make the issue public.
Cantino would like to see, at a minimum, a big notice saying “This app was created by a third party and is not affiliated with Google” when users are asked to authorize such an app.
“As it is, I feel it is unreasonable to expect that users would understand the possibility that malicious code could be executed while remaining entirely within the Google domain,” he says. “Ironically, after authorization, Google sends an email explaining that a 3rd party app has been authorized, but at this point it’s way, way too late! The app has already accessed the user’s data, and has deleted, stolen, or manipulated it.”