
Ghost Google Drive is a phenomenon where files disappear from Google Drive without any clear reason or warning. This can be a frustrating experience, especially if you rely on Google Drive for your work or personal files.
Files can be deleted or become inaccessible due to various reasons, including intentional deletion, accidental deletion, or system glitches. Google Drive's automatic file backup feature can sometimes cause issues.
If you're experiencing issues with your Google Drive files, it's essential to act quickly to prevent further data loss. The sooner you investigate, the higher the chances of recovering your files.
Google Drive's "Trash" feature can help you recover deleted files within a certain time frame. Make sure to check your Trash regularly and empty it only when you're sure you won't need the files again.
Understanding the Issue
The issue at hand is quite complex, but it starts with the way Google processes OAuth clients when they're decommissioned. This is where the problem arises, as it creates a window of opportunity for attackers to exploit.
Here's a simplified explanation of the process: when a third-party OAuth client is deleted, it enters a pending deletion state that lasts for 30 days. During this time, the project associated with the client can be restored at any time by the owner, but from the end user's perspective, the app immediately disappears from their account management page.
A pending-deletion project can be restored at any time, but the attack loop has to be executed periodically, before the project is purged. Each run of the loop briefly gives the victim a chance to remove the application's access, and this limited time frame is a critical aspect of the attack.
Tracking a Phantom
The technical issue at play here is related to how Google processes OAuth clients when they're decommissioned. This can be exploited by attackers who want to gain unauthorized access to users' data.
A pending-deletion project can be restored at the owner's whim from a dedicated page, but for end users, the app immediately disappears from the "apps with access to your account" management page. This is where the problem lies.

Here's how the attack works in a nutshell:
- A victim authorizes a seemingly legitimate OAuth application.
- The attackers delete the project associated with the authorized OAuth application, which enters a pending deletion state.
- The attackers restore the project, get a new access token, and use it to access the victim's data.
- The attackers then immediately re-hide the application from the victim.
- To maintain persistence, the attack loop must be executed periodically before the pending-deletion project is purged.
While the project is restored, the application re-appears on the "Apps with access to your account" page for a limited time window, during which the victim may technically remove the application's access. However, this window is very short: it closes as soon the attacker re-hides the application, and it does not open again until the attacker executes the attack loop again.
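A defender-side check for the pattern described above, as an added example that is not part of the original article: it flags API access by a client the user authorized and never revoked while that client was missing from the most recent snapshot of the "Apps with access to your account" page. The event records, field names and snapshot format are constructed for illustration and are not a real Google audit-log schema.

```python
from bisect import bisect_right

# Constructed sample data; field names and event types are hypothetical,
# not a real audit-log schema. Timestamps are hours since the first event.
EVENTS = [
    {"ts": 0,   "type": "authorize",  "client_id": "app-notes"},
    {"ts": 1,   "type": "authorize",  "client_id": "app-sync"},
    {"ts": 30,  "type": "api_access", "client_id": "app-notes"},
    {"ts": 50,  "type": "api_access", "client_id": "app-sync"},
    {"ts": 60,  "type": "revoke",     "client_id": "app-notes"},
    {"ts": 170, "type": "api_access", "client_id": "app-sync"},
]
# Periodic snapshots of the "Apps with access to your account" page:
# (ts, set of client ids the user could see and revoke at that time).
SNAPSHOTS = [
    (10, {"app-notes", "app-sync"}),
    (40, {"app-notes"}),   # app-sync vanished although the user never revoked it
    (160, set()),
]

def hidden_grant_activity(events, snapshots):
    """Return (client_id, ts) for each API access made with a grant the user
    never revoked, by a client absent from the latest visible-apps snapshot."""
    snapshots = sorted(snapshots, key=lambda s: s[0])
    snap_times = [ts for ts, _ in snapshots]
    granted, findings = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cid = ev["client_id"]
        if ev["type"] == "authorize":
            granted.add(cid)
        elif ev["type"] == "revoke":
            granted.discard(cid)
        elif ev["type"] == "api_access" and cid in granted:
            # Latest snapshot taken at or before this access, if any.
            i = bisect_right(snap_times, ev["ts"]) - 1
            if i >= 0 and cid not in snapshots[i][1]:
                findings.append((cid, ev["ts"]))
    return findings

if __name__ == "__main__":
    for cid, ts in hidden_grant_activity(EVENTS, SNAPSHOTS):
        print(f"t={ts}h: {cid} used a live grant while hidden from the user")
```

Repeated findings for the same client across several snapshot intervals match the periodic loop described above; a single finding can also come from a snapshot taken at an unlucky moment, so it calls for a manual check of that client.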
Usability vs Security
The eternal battle between usability and security is a common challenge in enterprise environments. This push-pull between the two is felt throughout an organization.
GCP's vulnerability was an unusual one because it related to a core feature that was behaving as it should, giving developers flexibility without bogging down end users.
But with a little creativity, this feature could be turned into something that completely breaks the way identity and access management is done by an external third party. This is a stark reminder of the importance of balance between value to the user and security.
The implications for cloud security are significant, especially when it comes to protecting private information. Sometimes, security measures can get in the way of productivity or personal mobility.
It's much easier to evaluate features for balance between usability and security during the design phase, before everything is implemented and hundreds or thousands of people are using it.
How It Works
An additional folder is added to your Google Drive root directory, and your GhostVolt workspace accesses it directly. This folder is your secure repository, where all files and folders are automatically encrypted with 256-bit AES.
Zero-knowledge encryption is used, which ensures that only you can access your files and folders, blocking everyone else, including Google. This means you're the only one with the key to your encrypted files.
Frequently Asked Questions
Does Google Drive no longer exist?
No, Google Drive is not completely discontinued, but its support is being phased out in StableBit CloudDrive. Google Drive cloud drives will remain accessible until May 15, 2024, after which they will no longer be supported.