Security Exploit in Google Workspace Resulted in Compromised Emails

Following the unauthorized creation of Google Workspace accounts by hackers, numerous email addresses have been compromised as they managed to bypass the authentication process.

Google Workspace Authentication Vulnerability Allowed Thousands of Emails to be Compromised


According to Google’s statement, a crafted request allowed a Workspace account to be created without email verification. This loophole let attackers impersonate their victims knowing nothing more than the victims’ email addresses.

While these fraudulent accounts were not utilized for exploiting Google services such as Gmail or Docs, they were used to gain access to external services through the “Sign in with Google” functionality.

An affected user shared their incident on a Google Cloud Community forum, where they revealed that a Workspace account was created using their email without proper verification and then used to log in to Dropbox.

According to a Google spokesperson quoted by TechRepublic: “Toward the end of June, we promptly addressed an account misuse issue affecting a small group of email accounts. A thorough investigation is ongoing, but thus far, there is no indication of further misuse within the Google environment.”

The flaw in verification was confined to Workspace accounts labeled as “Email Verified,” and thus did not impact other account types like “Domain Verified” accounts.

Google Workspace’s director of abuse and safety protections, Anu Yamunan, told Krebs on Security that the illicit activity began at the end of June, when “a few thousand” unverified Workspace accounts were detected. Commentators on the article and on Hacker News, however, suggest that the attacks began in early June.

In a message sent to affected accounts, Google stated that the loophole was patched within 72 hours of discovery and additional monitoring mechanisms have been implemented to prevent a recurrence.

Exploitation of Google Workspace Accounts by Malevolent Entities

Anyone creating a Google Workspace account is granted access to some services, such as Docs, for a limited period, essentially as a trial. The trial expires after 14 days unless the email address is verified, at which point full Workspace access is granted.

The vulnerability enabled malicious actors to obtain access to the entire suite, including services such as Gmail and those reliant on domain credentials, without the need for verification.

“The scheme involved crafting a particular request by malicious actors to circumvent email verification during the registration process,” Yamunan elucidated to Krebs on Security. “The approach involved utilizing one email for the sign-in attempt and a different one to validate a token.

“After successful email verification, we observed instances where they accessed third-party services utilizing Google’s single sign-on.”

The fix rolled out by Google prevents unauthorized users from reusing a token intended for one email address to validate a different one.
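The defect Yamunan describes, a verification token issued for one address being accepted for another, and the fix, binding each token to the address it was issued for, can be shown with a small model. The following is an added example written for this page; it is not Google’s code and does not describe Google’s implementation. The class names, the HMAC-based token format, the 15-minute lifetime and the sample addresses are all assumptions chosen for illustration.

```python
"""Added example (not Google's code): email-verification tokens that are, and
are not, bound to the address they were issued for. Names and token format are
hypothetical."""
import hashlib
import hmac
import secrets
import time


def normalize(email: str) -> str:
    # Compare addresses case-insensitively and without surrounding whitespace so
    # "Alice@Example.com" and " alice@example.com" are treated as the same user.
    return email.strip().lower()


class WeakVerifier:
    """Models the defect described in the article: verify() checks only that the
    token is one the server issued, not which address it was issued to."""

    def __init__(self):
        self._issued = set()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self._issued.add(token)
        return token

    def verify(self, email: str, token: str) -> bool:
        # Defect: `email` is ignored, so a token obtained for one address
        # validates any other address.
        return token in self._issued


class BoundVerifier:
    """Hardened form: the token carries an HMAC over the normalized address, a
    random nonce and an expiry; the server remembers the outstanding nonce per
    address; a token is consumed on first successful use."""

    TTL = 15 * 60  # seconds; assumed lifetime

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # normalized email -> (nonce, expiry)

    def _mac(self, email: str, nonce: str, expiry: int) -> str:
        msg = f"{email}|{nonce}|{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, email: str, now=None) -> str:
        email = normalize(email)
        now = int(time.time() if now is None else now)
        nonce = secrets.token_urlsafe(16)
        expiry = now + self.TTL
        self._pending[email] = (nonce, expiry)
        return f"{nonce}.{expiry}.{self._mac(email, nonce, expiry)}"

    def verify(self, email: str, token: str, now=None) -> bool:
        email = normalize(email)
        now = int(time.time() if now is None else now)
        try:
            nonce, expiry_s, mac = token.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return False
        # The token must be the one outstanding for *this* address, unexpired,
        # and carry a MAC computed over this address (constant-time compare).
        if self._pending.get(email) != (nonce, expiry) or now > expiry:
            return False
        if not hmac.compare_digest(mac, self._mac(email, nonce, expiry)):
            return False
        del self._pending[email]  # single use
        return True


def demo() -> dict:
    """Outcomes of the cross-address case under both verifiers (constructed
    sample addresses)."""
    weak = WeakVerifier()
    t = weak.issue("attacker@example.com")
    weak_cross = weak.verify("victim@example.com", t)

    bound = BoundVerifier(secrets.token_bytes(32))
    t2 = bound.issue("attacker@example.com")
    bound_cross = bound.verify("victim@example.com", t2)
    t3 = bound.issue("victim@example.com")
    bound_own = bound.verify("Victim@Example.com", t3)
    bound_replay = bound.verify("victim@example.com", t3)
    return {"weak_cross": weak_cross, "bound_cross": bound_cross,
            "bound_own": bound_own, "bound_replay": bound_replay}


if __name__ == "__main__":
    print(demo())
```

The hardened verifier rejects the cross-address case for three independent reasons: the nonce is not the one outstanding for the target address, the MAC was computed over a different address, and a consumed token cannot be replayed. Address normalization matters here too, since a check that treats differently cased spellings of one address as distinct users is another way for the binding to be bypassed.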

Affected users have voiced discontent over Google’s offer of a trial period, contending that anyone attempting to create a Workspace account with a custom-domain email should have no access at all until domain ownership is verified.


This is not the first security issue Google Workspace has faced in the past year.

In December, cybersecurity researchers uncovered the DeleFriend flaw, which allowed attackers to escalate privileges to Super Admin access. However, an anonymous Google representative told The Hacker News that it does not signify “an underlying security concern in our products.”

In November, a report from Bitdefender disclosed multiple vulnerabilities in Workspace concerning the Google Credential Provider for Windows, which could open the way to ransomware attacks, data breaches and password compromises. Google disputed these findings, saying it has no plans to address them because they fall outside its specific threat focus.
