Finding risky OAuth scopes in G Suite

by

I recently discovered an open source Google Apps script from Slack that describes some difficult questions one of their engineers was asking about their G Suite organization. In particular, the question was:

Which G Suite users in my organization have issued an OAuth token with a risky scope to a 3rd party application?

To answer this seemingly simple question, there are a series of other questions that need to be answered:

Who are the G Suite users in my organization?

Which of those users have issued an OAuth token to a 3rd party application?

Which of the OAuth tokens issued to a 3rd party application are considered "risky"?

These types of questions can be extremely difficult to answer in general, but particularly difficult to answer as organizations become very large and complex.

Okay, but why should I care?

🤷

Many people will believe that simply locking down which roles and privileges a user has is sufficient to protect their G Suite organization. This is absolutely important, but does not solve the full problem.

Slack references an article in their git/wiki that describes a Google Docs worm phishing attack that affected roughly 1 million Gmail users in 2017. The attack leverages a custom Google application with a purposely misleading "Google Docs" app name to convince users that it is legitimate. The bogus application requests OAuth scope permissions that were then used to target contacts of the compromised user, which ultimately caused rapid spread.

Additionally, G Suite organization users may have access to proprietary emails, proprietary documents, and may unknowingly grant an OAuth scope to a 3rd party application.

JupiterOne & Answering Difficult Questions

JupiterOne is a platform that was born out of the need to answer difficult questions about complex infrastructure just like this one. At its core, JupiterOne automatically ingests data from many sources into a graphclassifies the data to make it easier to analyze, and provides features on top of its core to make the complex data easier to understand and continuously monitor. The JupiterOne platform provides an out-of-the-box, open source, G Suite integration that automatically ingests users and OAuth tokens into our system. A relationship is created between the user and the token so that you can build very interesting J1QL queries to answer these and additional questions.

Here is the original question that Slack was trying to answer:

Which G Suite users in my organization has issued an OAuth token with a risky OAuth scope to a 3rd party application?

Converted to a J1QL query, this question looks like:

find google_user as user THAT ASSIGNED google_token with
scopes^=(
   "https://mail.google.com" OR
 "https://www.googleapis.com/auth/gmail." OR
 "https://www.googleapis.com/auth/drive" OR
 "https://www.googleapis.com/auth/ediscovery" OR
 "https://www.googleapis.com/auth/admin."
 )
return
user.email,
user.name,
google_token.name,
google_token.scopes

Additionally, JupiterOne provides a managed question that makes querying for this data easy from inside of the platform:

JupiterOne Natural Language Query
JupiterOne Natural Language Query

JupiterOne & Continuous Monitoring

Simply auditing the OAuth scopes granted by your G Suite users a single time is likely not enough. Your users are constantly granting new permissions to applications! JupiterOne provides a mechanism for continuously monitoring your infrastructure. Our integrations run on periodic intervals, and some integrations can also ingest data in near-realtime. JupiterOne alert rules can be created to continuously monitor and alert relevant people when a specific event has occurred. Let’s take a look at what this could look like in our G Suite example.

First we navigate to the JupiterOne alert rules management page and create a new rule with the above query:

Jupiter One Rule Creation
 Jupiter One Rule Creation

Now we can test triggering our rule by clicking the "Evaluate" button:

Jupiter One Test Triggering
Jupiter One Test Triggering

We then navigate back to the JupiterOne alerts page to view your new alert (if you have any risky OAuth scopes!):

Jupiter One Alerts
Jupiter One Alerts

What we learned

To summarize what we learned:

  • Monitoring our G Suite organization users is critical to security operations.
  • Authorized Google applications can be used as an attack vector depending on what OAuth scopes were granted by our users.
  • Answering questions about our G Suite organizations is very difficult and we need tooling to continuously monitor our environments.

JupiterOne addresses all of these concerns and so much more!

Austin Kelleher
Austin Kelleher

Austin Kelleher leads the Integrations team at JupiterOne. His background is in building highly-scalable cloud systems, and he has been recently focused on modeling data for graph-based security analysis. Austin holds a B.S. in Computer Science from Penn State University.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.