A vulnerability has emerged that allows hackers to automatically download malware to a victim’s computer directly from a Google Drive URL.
Proofpoint uncovered the vulnerability and created a proof-of-concept exploit for the issue, which exists in Google Apps Script. The development platform is based on JavaScript and allows the creation of both standalone web apps and extensions to various elements of the Google Apps SaaS ecosystem. Unfortunately, the normal document-sharing capabilities built into Google Apps can be manipulated to support automatic malware downloads, the firm said.
It works like this: After uploading malicious files or malware executables to Google Drive, bad actors could create a public link and share an arbitrary Google Doc, with a script attached that fetches the payload when the document is opened, as a lure in sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. Proofpoint researchers also confirmed that it was possible to trigger exploits without user interaction.
These attacks come from legitimate sources and the links themselves contain no malware, making them very difficult to detect and mitigate. Thus malicious use of built-in scripting capabilities in SaaS platforms flies under the radar of most users and defensive tools.
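Because the links point at legitimate Google domains, the hostname alone tells a defender nothing; what can be triaged is the form of the URL. The following is an added example, not code from the article or from Proofpoint, that scans message text for Google Docs, Drive and Apps Script links and ranks them: a Drive direct-download URL (`uc?export=download`) or an Apps Script web app URL (`script.google.com/macros/.../exec`) delivers bytes or runs code immediately and is ranked high, while a plain document link is ranked medium. The sample messages are constructed for the example.

```javascript
// Added example (not from the original article or Proofpoint): triage Google
// Drive / Docs / Apps Script links found in mail or proxy text. The hosts are
// legitimate, so the host alone is not a signal; the URL form is.

const GOOGLE_LINK = /https?:\/\/(?:docs|drive|script)\.google\.com\/[^\s"'<>)]+/gi;

// Classify one Google URL by its form: returns { kind, id, risk } or null
// if the string is not a parseable URL.
function classifyGoogleUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  const host = url.hostname.toLowerCase();
  const path = url.pathname;
  let m;

  if (host === 'drive.google.com') {
    // https://drive.google.com/uc?export=download&id=<id> pulls the file bytes directly
    if (path === '/uc' && url.searchParams.get('export') === 'download') {
      return { kind: 'drive-direct-download', id: url.searchParams.get('id'), risk: 'high' };
    }
    // https://drive.google.com/file/d/<id>/view or https://drive.google.com/open?id=<id>
    if ((m = path.match(/^\/file\/d\/([\w-]+)/))) {
      return { kind: 'drive-file', id: m[1], risk: 'medium' };
    }
    if (path === '/open' && url.searchParams.get('id')) {
      return { kind: 'drive-file', id: url.searchParams.get('id'), risk: 'medium' };
    }
  }
  if (host === 'docs.google.com') {
    // https://docs.google.com/document/d/<id>/edit (also spreadsheets, presentation, forms)
    if ((m = path.match(/^\/(document|spreadsheets|presentation|forms)\/d\/([\w-]+)/))) {
      return { kind: `docs-${m[1]}`, id: m[2], risk: 'medium' };
    }
  }
  if (host === 'script.google.com') {
    // https://script.google.com/macros/s/<deployment id>/exec is a deployed Apps Script web app
    if ((m = path.match(/^\/macros\/s\/([\w-]+)\/exec/))) {
      return { kind: 'apps-script-webapp', id: m[1], risk: 'high' };
    }
  }
  return { kind: 'google-other', id: null, risk: 'low' };
}

// Scan a block of text (an email body, a proxy log line) and return one
// finding per Google link found.
function triageGoogleLinks(text) {
  const findings = [];
  for (const match of text.matchAll(GOOGLE_LINK)) {
    const c = classifyGoogleUrl(match[0]);
    if (c) findings.push({ url: match[0], ...c });
  }
  return findings;
}

// Highest risk label among the findings: high > medium > low > none.
function overallRisk(findings) {
  const order = ['none', 'low', 'medium', 'high'];
  return findings.reduce(
    (acc, f) => (order.indexOf(f.risk) > order.indexOf(acc) ? f.risk : acc),
    'none'
  );
}

// Constructed sample messages (not real phishing mail); ids are placeholders.
const SAMPLES = {
  shareNotice: 'Alice shared a document: https://docs.google.com/document/d/1AbCdEfGhIjKlMnOpQrStUvWxYz/edit?usp=sharing',
  directDownload: 'Please review the invoice: https://drive.google.com/uc?export=download&id=0B1XyZ_invoice',
  webApp: 'Open the form here https://script.google.com/macros/s/AKfycbx0000/exec to confirm',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(SAMPLES)) {
    const f = triageGoogleLinks(body);
    console.log(name, overallRisk(f), JSON.stringify(f));
  }
}
```

The classifier only sees the URL, so a medium-risk document link can still carry a bound script; treat the ranking as a triage order for sandboxing or manual review, not as a verdict on the document itself.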
After being notified of the issue, Google added specific restrictions on simple triggers (the Apps Script functions, such as onOpen, that run automatically when a document is opened) to block phishing and malware distribution attempts that execute on opening a doc. However, researchers pointed out that the situation shows that extensible SaaS platforms can be used to deliver malware to unsuspecting victims in even more powerful ways than Microsoft Office macros. As a result, users should always be wary of files automatically downloaded by cloud platforms and be cognizant of the anatomy of a social engineering attack.
“Software-as-a-service (SaaS) applications have become mainstays of modern business and consumer computing,” the firm said in a blog. “However, they are also quickly becoming the latest frontier of innovation for threat actors looking for new opportunities to distribute malware, steal credentials and more.”
It added, “Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat makes it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.”