A Google Workspace vulnerability exposed thousands of accounts after hackers bypassed email verification. Learn how to protect your Workspace account from similar attacks.
Google faced a security issue after hackers discovered a vulnerability in its cloud-based productivity platform, Google Workspace. The authentication bypass issue, disclosed by security researcher Brian Krebs, allowed attackers to create Workspace accounts and access third-party services offering the “Sign in with Google” authentication option, potentially compromising the sensitive data of thousands of users.
The vulnerability resided in the email verification step during Google Workspace account creation, a process that ensures the user’s email ID actually belongs to them. According to Krebs’ report, attackers were able to exploit Workspace’s free trial for separate services such as Google Docs, which bypassed this verification entirely.
It is worth noting that, services that require Workspace users to control domain names linked with their business email IDs, such as Gmail, were not affected by this flaw.
“The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token,” explained Anu Yamunan, Workspace’s director of abuse and safety protections.
This bypass allowed attackers to create Workspace accounts using any email address, essentially impersonating other companies or individuals. The real danger, however, lay in the ability to then access third-party services linked to those accounts utilizing Google’s “Sign in with Google” single sign-on (SSO) feature.
Google confirmed to Krebs that the vulnerability was being exploited in the wild and identified a “small-scale abuse campaign” where bad actors circumvented the email verification step in the account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request.
While the exact number of affected accounts remains unclear, Google acknowledges it was “a few thousand” impacted in the small-scale campaign identified in late June. The company assures the issue was patched within 72 hours of discovery, and additional measures have been implemented to prevent similar exploits.
Google states that this authentication bypass flaw has no connection with another recently fixed issue involving cryptocurrency-based domain names that were compromised during their transition to Squarespace.
For your information, on July 12, Squarespace users who had not yet set up their accounts were hijacked by domains linked to cryptocurrency businesses. Squarespace blamed the attacks on a weakness related to OAuth logins, which was resolved within hours.
Hackers are now targeting even established platforms like Google more frequently. Therefore, businesses using Google Workspace must think beyond default verification steps. Implementing multi-factor authentication (MFA) is a crucial layer, making unauthorized access more difficult.
Expert Insights on Google Workspace Security Breach
In light of the recent security breach, Sakthi Mohan, a cloud security authority from the Synopsys Software Integrity Group, shares her expert analysis on the matter. “The security flaw within Google Workspace that allowed hackers to sidestep email verification processes sheds light on the persistent challenges that cloud-based authentication systems face,” states Mohan. “This event not only highlights the critical need for robust security protocols but also the importance of constant vigilance to safeguard user data.”
Mohan further comments on Google’s response, “Google’s swift action to confirm and address the exploit of this vulnerability in the wild is a testament to the necessity for ongoing enhancements in security measures. It’s imperative for organizations using single sign-on (SSO) services to rigorously test and routinely audit their authentication processes. Moreover, adopting multi-factor authentication (MFA) can serve as an additional line of defence, significantly reducing the potential impact of such threats.”
Mohan advises businesses and IT professionals to take this incident as a wake-up call to reassess and strengthen their authentication strategies. “Security teams should use this opportunity to reinforce their Google Workspace configurations with tighter control measures,” she suggests. “By promoting security awareness and training among employees, organizations can foster a more resilient security culture capable of identifying and mitigating suspicious activities.”
