Google Apps Script vulnerability could lead SaaS apps to download malware

Hackers are leveraging Software as a Service platforms, including Google Drive, to download malware to victims' computers, according to Proofpoint.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Proofpoint researchers discovered a security vulnerability in Google Apps Script that gave hackers the ability to download malware via Google Drive.
  • As Software as a Service (SaaS) continues to dominate enterprise cloud offerings, organizations will need to ensure that proper security protections and end user education are in place.

A security vulnerability in Google Apps Script allowed hackers to use Google Drive URLs to download malware to a victim's computer, according to a new Proofpoint investigation, highlighting the cybersecurity challenges inherent to enterprise Software as a Service (SaaS) offerings.

SaaS applications represent the leading form of cloud computing in the enterprise, encompassing nearly two-thirds of all public cloud spending in 2017, according to IDC. This means they are also fertile ground for hackers looking for new ways to distribute malware and steal credentials, Maor Bin, security research lead of threat systems products at Proofpoint, wrote in a post about the investigation.

Google Apps Script—a development platform based on JavaScript—is used for building standalone web apps as well as extensions for the Google Apps SaaS ecosystem. Proofpoint researchers found that Google Apps Script, along with the normal document sharing features built into Google Apps, supported automatic malware downloads and social engineering plans created to get victims to run the malware once it was downloaded.

Once informed about the vulnerability, Google blocked installable triggers and simple triggers from Apps Script. However, attackers can still use extensible SaaS platforms to deliver malware, and many organizations lack defenses against these sophisticated threats, Bin wrote.

"SaaS platforms remain a 'Wild West' for threat actors and defenders alike," Bin wrote. "New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms. At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms. This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use 'good for bad': making use of legitimate features for malicious purposes."

Proofpoint researchers uploaded malicious files to Google Drive and created a public link that could be shared via a Google Doc and used to lure victims to the Google Apps Script that delivers the malware.

"While we frequently observe Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect," Bin wrote.

Professionals must exercise caution when opening a link to a Google Doc that comes from an unknown sender or looks suspicious, Bin noted. They should also be wary of files automatically downloaded by SaaS applications.

As attacks on SaaS applications become more frequent, organizations will need to leverage application security, end user education, and endpoint security to protect their assets, Bin wrote.

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
