Finding risky OAuth scopes in G Suite
I recently discovered an open source Google Apps script from Slack that describes some difficult questions one of their engineers was asking about their G Suite organization. In particular, the question was:
Which G Suite users in my organization have issued an OAuth token with a risky scope to a 3rd party application?
To answer this seemingly simple question, there are a series of other questions that need to be answered:
Who are the G Suite users in my organization?
Which of those users have issued an OAuth token to a 3rd party application?
Which of the OAuth tokens issued to a 3rd party application are considered “risky”?
These types of questions can be extremely difficult to answer in general, but particularly difficult to answer as organizations become very large and complex.
Okay, but why should I care?
Many people will believe that simply locking down which roles and privileges a user has is sufficient to protect their G Suite organization. This is absolutely important, but does not solve the full problem.
Slack references an article in their git/wiki that describes a Google Docs worm phishing attack that affected roughly 1 million Gmail users in 2017. The attack leverages a custom Google application with a purposely misleading “Google Docs” app name to convince users that it is legitimate. The bogus application requests OAuth scope permissions that were then used to target contacts of the compromised user, which ultimately caused rapid spread.
Additionally, G Suite organization users may have access to proprietary emails, proprietary documents, and may unknowingly grant an OAuth scope to a 3rd party application.
JupiterOne & Answering Difficult Questions
JupiterOne is a platform that was born out of the need to answer difficult questions about complex infrastructure just like this one. At its core, JupiterOne automatically ingests data from many sources into a graph, classifies the data to make it easier to analyze, and provides features on top of its core to make the complex data easier to understand and continuously monitor. The JupiterOne platform provides an out-of-the-box, open source, G Suite integration that automatically ingests users and OAuth tokens into our system. A relationship is created between the user and the token so that you can build very interesting J1QL queries to answer these and additional questions.
Here is the original question that Slack was trying to answer:
Which G Suite users in my organization has issued an OAuth token with a risky OAuth scope to a 3rd party application?
Converted to a J1QL query, this question looks like:
find google_user as user THAT ASSIGNED google_token with scopes^=( "https://mail.google.com" OR "https://www.googleapis.com/auth/gmail." OR "https://www.googleapis.com/auth/drive" OR "https://www.googleapis.com/auth/ediscovery" OR "https://www.googleapis.com/auth/admin." ) return user.email, user.name, google_token.name, google_token.scopes
Additionally, JupiterOne provides a managed question that makes querying for this data easy from inside of the platform:
JupiterOne & Continuous Monitoring
Simply auditing the OAuth scopes granted by your G Suite users a single time is likely not enough. Your users are constantly granting new permissions to applications! JupiterOne provides a mechanism for continuously monitoring your infrastructure. Our integrations run on periodic intervals, and some integrations can also ingest data in near-realtime. JupiterOne alert rules can be created to continuously monitor and alert relevant people when a specific event has occurred. Let’s take a look at what this could look like in our G Suite example.
First we navigate to the JupiterOne alert rules management page and create a new rule with the above query:
Now we can test triggering our rule by clicking the “Evaluate” button:
We then navigate back to the JupiterOne alerts page to view your new alert (if you have any risky OAuth scopes!):
What we learned
To summarize what we learned:
- Monitoring our G Suite organization users is critical to security operations.
- Authorized Google applications can be used as an attack vector depending on what OAuth scopes were granted by our users.
- Answering questions about our G Suite organizations is very difficult and we need tooling to continuously monitor our environments.
JupiterOne addresses all of these concerns and so much more!
Get updates from JupiterOne Mission Control
Fresh content and cool cybersecurity news alerts delivered to your inboxat least 2x a month! Just let us know where to send it.