Google fixes vulnerability in Apps Script - but SaaS is still at risk

15 Jan 2018

Google has fixed a major risk in Apps Script that allowed automatic downloads of arbitrary malware to a user’s computer through content hosted in Google Drive.

Security firm Proofpoint recently discovered a vulnerability that allows attackers to take advantage of Google Apps Script.

Combined with social engineering scams that encourage victims to run the malware, the vulnerability can also be triggered without any type of user interaction.

“Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem,” the company says in a statement.

It says that the exploit begins through the upload of malicious files and malware executables on Google Drive. Attackers can set these to be made available through a public link.

“Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware. While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect,” the company says.

Because people often share legitimate links inviting others to edit Google documents, Proofpoint warns that email hygiene is critical.

As part of its fix for the vulnerability, Google has included restrictions that block phishing and malware attacks triggered by opening documents and through certain Apps Script events.

Google blocks installable triggers (customisable events that trigger automatic events) and simple triggers such as onOpen and onEdit from presenting custom interfaces in Docs editors in another user’s session, Proofpoint explains.

The company warns that users should be cautious about clicking doc links unless they know or can verify the sender.

“Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organisations should focus on mitigating these threats before they reach end users if possible,” the company says.

While SaaS platforms are providing additional user functionality and new forms of attack methods for threat actors, Proofpoint says that there aren’t many tools that can detect threats that are generated or distributed through legitimate SaaS platforms, resulting in an environment in which threat actors can abuse the platforms for malicious purposes.

“With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads,” the company says.

“The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools. Organisations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”
