Google’s Apps Script is a JavaScript-based programming language that is often regarded as one of the more efficient options for lightweight application development. It has been widely used to develop simple tools for work management and has served as the backbone for add-ons and extensions for Google Docs, Sheets and Slides.
But like every other programming language on the planet, Google’s offering has its flaws and limitations. A recently discovered vulnerability in Apps Script could have allowed hackers to target cloud users by delivering malware via Google Drive, the search giant’s very own online file storage solution.
The serious vulnerability was spotted by cybersecurity firm Proofpoint, whose experts have pointed out that it could have been exploited to deliver any form of malware to unsuspecting users’ devices. The good news is that, so far, there have been no reports of the flaw being leveraged for malicious acts.
Regarding the malware’s method of action and its potential to inflict damage, Proofpoint security researcher Maor Bin said:
Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. We also confirmed that it was possible to trigger exploits with this type of attack without user interaction.
Moreover, by going through the SaaS (Software as a Service) route, hackers could have exploited the bug to dish out malware at an even more threatening scale than they have previously done with Microsoft Office macros.
What’s more worrisome is that, unlike past instances of hackers exploiting Google apps, which depended on users opening a fake Google Docs link, the recently discovered flaw could be used to send unsuspecting users a legitimate link to do the dirty deed.
Proofpoint alerted Google to its findings before making the report public, and the company has since implemented the necessary measures to fix the flaw and prevent it from being abused.