Thousands of accounts have been exposed after hackers created Google Workspace accounts using existing emails and bypassed the verification process.
According to Google, a “specially crafted request” could open a Workspace account without confirming an email. This meant that bad guys only needed the email address of their intended target to impersonate them.
While none of these fake accounts were used to abuse Google services like Gmail or Docs, they were used to access third-party services through the “Sign in with Google” feature.
When an affected user shared his experience on the Google Cloud community forum, he was informed by Google that someone had created a Workspace account with his email without verification, and then used it to log in to Dropbox.
A Google spokesperson told TechRepublic: “In late June, we quickly resolved an account abuse issue affecting a small group of email accounts. We are conducting a thorough analysis, but to date we have found no evidence of additional abuse across the Google ecosystem.”
The validation flaw was limited to “email verified” workspace accounts only, so it did not impact other user types, such as “domain verified” accounts.
Anu Yamunan, director of abuse and security protection at Google Workspace, told Krebs on Security that the malicious activity began in late June and “a few thousand” unverified Workspace accounts were detected. However, commenters on the story and Hacker News claim that the attacks actually began in early June
In a message sent to affected emails, Google said it fixed the vulnerability within 72 hours of discovering it and has since added “additional detection” processes to ensure it can’t be replicated.
How abusers took advantage of Google Workspace accounts
Individuals who sign up for a Google Workspace account get access to a limited number of its services, such as Docs, which acts as a free trial. This trial will expire after 14 days unless they verify their email address, which grants full access to Workspace.
However, this vulnerability allowed the wrong people to gain access to the entire suite, including Gmail and domain-dependent services, without authentication.
“The strategy here was to create a specifically crafted request by a bad actor to circumvent email verification during the signup process,” Yamunan told Krebs on Security. “The vector here is that they would use one email address to try to sign in, and a completely different email address to verify the token.
“Once their email was verified, in some cases we have seen them gain access to third-party services using Google Single Sign-On.”
This improvement implemented by Google prevents malicious users from reusing the token generated for one email address to verify another address.
Affected users have criticized the trial period offered by Google, saying that those who try to open a Workspace account using an email address with a custom domain should not be given any access until they verify their domain ownership.
SEE ALSO: Google Chrome: Security and UI tips you need to know
This isn’t the first time in the past year that Google Workspace has been the victim of a security incident.
In December, cybersecurity researchers identified the DeleFriend flaw, which could allow attackers to use privilege escalation to gain super admin access. However, an anonymous Google representative told The Hacker News that it does not represent “an inherent security issue in our products.”
In November, a report from BitDefender revealed multiple vulnerabilities in Workspace for Windows related to the Google Credential Provider that could lead to ransomware attacks, data exfiltration, and password theft. Google again disputed these findings, telling researchers they have no plans to address them because they fall outside their typical threat model.
#Thousands #accounts #risk #due #Google #Workspace #vulnerability