Security researchers have uncovered a vulnerability in Google LLC’s Apps Script programming language that could potentially allow hackers to deliver malware to unsuspecting victims via Google Drive.

Google Apps Script is a programming language based on JavaScript that’s used by developers to create extensions for Google applications such as Docs, Sheets, Slides and others. The vulnerability was discovered by cybersecurity firm Proofpoint Inc., which said it could be exploited by attackers to deliver any kind of malware, though it said it hasn’t seen any evidence of such attacks in the wild.

“Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded,” Maor Bin, security researcher at Proofpoint, said in an advisory. “We also confirmed that it was possible to trigger exploits with this type of attack without user interaction.”

Bin added that the bug “demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years.”

The discovery was made as part of Proofpoint’s ongoing research into the capabilities of third-party applications, when it found that Google Docs could be used to host a Google Apps Script that’s designed to deliver malware.

This in itself is nothing new, as attackers have often used fake links to Google Docs to deliver malware. But the difficulty with that method is that the attackers also need to use social engineering to trick users into opening the document. However, in this case, users actually receive a link to a legitimate Google Doc, so victims are unlikely to realize the document hosts malware and will be none the wiser should they open it.

“New capabilities like Google Apps Script are creating considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad” — making use of legitimate features for malicious purposes,” said Bin.

Proofpoint has shared its findings with Google ahead of publication, and the software giant has since implemented fixes that should prevent App Scripts from being abused.

Image: Lee Davey/Flickr