GITBOOK-552: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Jan 27, 2024
1 parent 049293b commit 7ff73c1
Showing 1 changed file with 6 additions and 10 deletions.
@@ -179,21 +179,15 @@ As summary, if the creator and invited user are **from the same organization** t
If they are from **different organizations**, the **token** will belong to the **creator of the trigger** always with **only the OAuth permissions given** when the trigger was created.

{% hint style="success" %}
* If you just generate an **Editor link to share with everybody** the App Script will be e**xecuted with the permissions of the creator** of it, so you won't get the token of any user that opens it.
* If you **invite people outside of your organization** the **App Script is Executed with the triggers creators** permissions (stealing the creators token and not of the user that opened the document).
{% endhint %}

{% hint style="danger" %}
* If you invite **people of your own company they won't be asked anything about the OAuth** permissions and the App Script will be executed with THEIR user permissions, stealing their tokens.
* An attacker could **add an App Script to a new or existing document** people of the same organization is going to open and **steal tokens from them** without them noticing!
The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users.
{% endhint %}

### Abusing Shared With Me documents

{% hint style="danger" %}
* If someone external **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created).
* If it's someone internal it will be executed with your permissions.... just **share it with an external person and access it from the external persons email** to execute it with the creators permissions
* A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?)
If someone **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created).

A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?)
{% endhint %}

{% hint style="success" %}
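Review bot: the unchanged summary at the top of the hunk ("if the creator and invited user are **from the same organization** t…" and "If they are from **different organizations**, the **token** will belong to the **creator of the trigger**") still distinguishes two cases, but the reworked danger hint now states without qualification that "The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users." Either update the summary lines to match, or keep the qualifier that the "Abusing Shared With Me documents" block loses in this hunk (the bullet reads "If someone external **shared with you a document…**", the replacement paragraph drops "external" and the "If it's someone internal" case disappears), since the two parts of the page otherwise contradict each other. While here, "the owners OAuth token" should read "the owner's OAuth token", and the parenthetical "(What about using gmail permissions to generate a filter to prevent the alert?)" is an open question rather than a documented fact; it should be verified or removed from a hint box.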
@@ -238,6 +232,8 @@ curl -H "Authorization: Bearer $OAUTH_TOKEN" \

## App Script as Persistence

One option for persistence would be to **create a document and add a trigger for the the getToken** function and share the document with the attacker so every-time the attacker opens the file he **exfiltrates the token of the victim.**

It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**:

Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you:
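Review bot: the new persistence paragraph has a doubled article in "for the the getToken", and "every-time" should be "every time" with "he" read as "they". It also does not say which trigger event the getToken trigger is attached to, while the following paragraph names time-driven triggers explicitly; stating the event type here would make the two persistence options read as parallel. In the last line, "the options that better suits you" should be "the options that best suit you".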

0 comments on commit 7ff73c1