Finding risky OAuth scopes in G Suite

Image for post

This post written by JupiterOne engineer and rockstar – Austin Kelleher Twitter free iconGithub Logo - Free social media icons.

I recently discovered an open source Google Apps script from Slack that describes some difficult questions one of their engineers was asking about their G Suite organization. In particular, the question was:

Which G Suite users in my organization have issued an OAuth token with a risky scope to a 3rd party application?

To answer this seemingly simple question, there are a series of other questions that need to be answered:

Who are the G Suite users in my organization?

Which of those users have issued an OAuth token to a 3rd party application?

Which of the OAuth tokens issued to a 3rd party application are considered “risky”?

These types of questions can be extremely difficult to answer in general, but particularly difficult to answer as organizations become very large and complex.

Okay, but why should I care? 🤷

Many people will believe that simply locking down which roles and privileges a user has is sufficient to protect their G Suite organization. This is absolutely important, but does not solve the full problem.

Slack references an article in their git/wiki that describes a Google Docs worm phishing attack that affected roughly 1 million Gmail users in 2017. The attack leverages a custom Google application with a purposely misleading “Google Docs” app name to convince users that it is legitimate. The bogus application requests OAuth scope permissions that were then used to target contacts of the compromised user, which ultimately caused rapid spread.

Additionally, G Suite organization users may have access to proprietary emails, proprietary documents, and may unknowingly grant an OAuth scope to a 3rd party application.

JupiterOne & Answering Difficult Questions

JupiterOne is a platform that was born out of the need to answer difficult questions about complex infrastructure just like this one. At its core, , and provides to make the complex data easier to understand and continuously monitor. The JupiterOne platform provides an that automatically ingests users and OAuth tokens into our system. A relationship is created between the user and the token so that you can build very interesting to answer these and additional questions.

Here is the original question that Slack was trying to answer:

Which G Suite users in my organization has issued an OAuth token with a risky OAuth scope to a 3rd party application?

Converted to a J1QL query, this question looks like:

find google_user as user THAT ASSIGNED google_token with 
  scopes^=(
    "https://mail.google.com" OR
    "https://www.googleapis.com/auth/gmail." OR
    "https://www.googleapis.com/auth/drive" OR
    "https://www.googleapis.com/auth/ediscovery" OR
    "https://www.googleapis.com/auth/admin."
  )
  return 
    user.email,
    user.name, 
    google_token.name, 
    google_token.scopes

Additionally, JupiterOne provides a that makes querying for this data easy from inside of the platform:

JupiterOne Natural Language Query
JupiterOne Natural Language Query

JupiterOne & Continuous Monitoring

Simply auditing the OAuth scopes granted by your G Suite users a single time is likely not enough. Your users are constantly granting new permissions to applications! JupiterOne provides a mechanism for continuously monitoring your infrastructure. Our integrations run on periodic intervals, and some integrations can also ingest data in near-realtime. can be created to continuously monitor and alert relevant people when a specific event has occurred. Let’s take a look at what this could look like in our G Suite example.

First we navigate to the  and create a new rule with the above query:

Jupiter One Rule Creation
Jupiter One Rule Creation

Now we can test triggering our rule by clicking the “Evaluate” button:

Jupiter One Test Triggering
Jupiter One Test Triggering

We then navigate back to the to view your new alert (if you have any risky OAuth scopes!):

Jupiter One Alerts
Jupiter One Alerts

What we learned

To summarize what we learned:

  • Monitoring our G Suite organization users is critical to security operations.
  • Authorized Google applications can be used as an attack vector depending on what OAuth scopes were granted by our users.
  • Answering questions about our G Suite organizations is very difficult and we need tooling to continuously monitor our environments.

JupiterOne addresses all of these concerns and so much more!