Google Apps Script is vulnerable to exploits that could allow malware to be delivered via URLs. Attackers could automatically download arbitrary malware hosted in Google Drive to a machine — and the victim would have no idea it was happening.
Researchers at Proofpoint discovered the vulnerability earlier this year while exploring the potential for abuse of Google services. Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, points to Carbanak’s use of Google for C&C as a public example of this.
Read more about how the Google Apps Script vulnerability discovered by Proofpoint lets attackers deliver malware using URLs on DarkReading.