Finding risky OAuth scopes in G Suite

By

I recently discovered an open source Google Apps script from Slack that describes some difficult questions one of their engineers was asking about their G Suite organization. In particular, the question was:

Which G Suite users in my organization have issued an OAuth token with a risky scope to a 3rd party application?

To answer this seemingly simple question, there are a series of other questions that need to be answered:

Who are the G Suite users in my organization?

Which of those users have issued an OAuth token to a 3rd party application?

Which of the OAuth tokens issued to a 3rd party application are considered "risky"?

These types of questions can be extremely difficult to answer in general, but particularly difficult to answer as organizations become very large and complex.

Okay, but why should I care?

🤷

Many people will believe that simply locking down which roles and privileges a user has is sufficient to protect their G Suite organization. This is absolutely important, but does not solve the full problem.

Slack references an article in their git/wiki that describes a Google Docs worm phishing attack that affected roughly 1 million Gmail users in 2017. The attack leverages a custom Google application with a purposely misleading "Google Docs" app name to convince users that it is legitimate. The bogus application requests OAuth scope permissions that were then used to target contacts of the compromised user, which ultimately caused rapid spread.

Additionally, G Suite organization users may have access to proprietary emails, proprietary documents, and may unknowingly grant an OAuth scope to a 3rd party application.

JupiterOne & Answering Difficult Questions

JupiterOne is a platform that was born out of the need to answer difficult questions about complex infrastructure just like this one. At its core, JupiterOne automatically ingests data from many sources into a graphclassifies the data to make it easier to analyze, and provides features on top of its core to make the complex data easier to understand and continuously monitor. The JupiterOne platform provides an out-of-the-box, open source, G Suite integration that automatically ingests users and OAuth tokens into our system. A relationship is created between the user and the token so that you can build very interesting J1QL queries to answer these and additional questions.

Here is the original question that Slack was trying to answer:

Which G Suite users in my organization has issued an OAuth token with a risky OAuth scope to a 3rd party application?

Converted to a J1QL query, this question looks like:

find google_user as user THAT ASSIGNED google_token with
scopes^=(
   "https://mail.google.com" OR
 "https://www.googleapis.com/auth/gmail." OR
 "https://www.googleapis.com/auth/drive" OR
 "https://www.googleapis.com/auth/ediscovery" OR
 "https://www.googleapis.com/auth/admin."
 )
return
user.email,
user.name,
google_token.name,
google_token.scopes

Additionally, JupiterOne provides a managed question that makes querying for this data easy from inside of the platform:

JupiterOne Natural Language Query
JupiterOne Natural Language Query

JupiterOne & Continuous Monitoring

Simply auditing the OAuth scopes granted by your G Suite users a single time is likely not enough. Your users are constantly granting new permissions to applications! JupiterOne provides a mechanism for continuously monitoring your infrastructure. Our integrations run on periodic intervals, and some integrations can also ingest data in near-realtime. JupiterOne alert rules can be created to continuously monitor and alert relevant people when a specific event has occurred. Let’s take a look at what this could look like in our G Suite example.

First we navigate to the JupiterOne alert rules management page and create a new rule with the above query:

Jupiter One Rule Creation
 Jupiter One Rule Creation

Now we can test triggering our rule by clicking the "Evaluate" button:

Jupiter One Test Triggering
Jupiter One Test Triggering

We then navigate back to the JupiterOne alerts page to view your new alert (if you have any risky OAuth scopes!):

Jupiter One Alerts
Jupiter One Alerts

What we learned

To summarize what we learned:

  • Monitoring our G Suite organization users is critical to security operations.
  • Authorized Google applications can be used as an attack vector depending on what OAuth scopes were granted by our users.
  • Answering questions about our G Suite organizations is very difficult and we need tooling to continuously monitor our environments.

JupiterOne addresses all of these concerns and so much more!

Austin Kelleher
Austin Kelleher

Austin Kelleher leads the Integrations team at JupiterOne. His background is in building highly-scalable cloud systems, and he has been recently focused on modeling data for graph-based security analysis. Austin holds a B.S. in Computer Science from Penn State University.

To hear more from our Rapid Response Team, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Keep Reading

What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)
February 6, 2023
Blog
What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)

The new JupiterOne Query Builder streamlines your querying experience by eliminating errors, simplifying query builds, and reducing time to value.

The top 10 questions that every engineering leader should be able to answer
February 2, 2023
Blog
The top 10 questions that every engineering leader should be able to answer

We polled some of our engineering leaders to see what it takes to succeed. In part two, we see if their answers align with the CISOs we talked to.

Identify compromised versions of Github using JupiterOne
January 31, 2023
Blog
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.