Google Workspace Vulnerability Allowed Thousands of Emails to be Compromised

Thousands of email addresses have been compromised after hackers used them to create Google Workspace accounts and bypassed the verification process.

According to Google, a “specially constructed request” could open a Workspace account without verifying the email. This meant that bad actors only required the email address of their desired target to impersonate them.

While none of the fake accounts were used to abuse Google services, like Gmail or Docs, they were used to access third-party services through the “Sign in with Google” feature.

One impacted user who shared their experience on a Google Cloud Community forum was notified by Google that someone had created a Workspace account with their email without verification and then used it to log into Dropbox.

A Google spokesperson told TechRepublic: “In late June, we swiftly resolved an account abuse issue impacting a small subset of email accounts. We are conducting a thorough analysis, but thus far have found no evidence of additional abuse in the Google ecosystem.”

The verification flaw was limited to “Email Verified” Workspace accounts, so it did not impact other user types, like “Domain Verified” accounts.

Anu Yamunan, director of abuse and safety protections at Google Workspace, told Krebs on Security that malicious activity began in late June and “a few thousand” unverified Workspace accounts were detected. However, commenters on the story and on Hacker News claim that attacks actually started in early June.

In its message sent to impacted emails, Google said it fixed the vulnerability within 72 hours of it being discovered and that it has since added “additional detection” processes to ensure it cannot be repeated.

How bad actors exploited Google Workspace accounts

Individuals who sign up for a Google Workspace account have access to a limited number of its services, like Docs, acting as a free trial. This trial will end after 14 days unless they verify their email address, which provides complete Workspace access.

However, the vulnerability allowed bad actors to gain access to the full suite, including Gmail and domain-dependent services, without verification.

“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Yamunan told Krebs on Security. “The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token.

“Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”

The fix Google has deployed prevents malicious users from reusing a token generated for one email address to validate a different address.
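The flaw Yamunan describes is a verification token that is not tied to the address it was issued for, so a token delivered to one inbox can be submitted alongside a different address. The following Python example is added here to illustrate that class of defect and the property the fix must guarantee; it is not Google's code and makes no claim about how Workspace signup is implemented. The unbound verifier only checks that a token exists, while the bound verifier recomputes an HMAC over the submitted address, expiry and nonce, so a token minted for one address cannot verify another. The key, the time-to-live, the token layout and the two addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Per-deployment signing key; generated here so the example runs offline (constructed).
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60  # seconds a verification link stays valid (assumed value)


def _canonical(email: str) -> str:
    """Normalise an address so A@Example.com and a@example.com bind to the same token."""
    return email.strip().lower()


# --- Unbound token: the flaw class described above -----------------------------------
# The server only remembers that a token is live, not which address it was minted for.
_unbound_tokens = set()


def issue_unbound(email: str) -> str:
    token = secrets.token_urlsafe(32)
    _unbound_tokens.add(token)          # the address is never recorded
    return token


def verify_unbound(email: str, token: str) -> bool:
    """Accepts any live token for any address, so a token for A marks B as verified."""
    if token not in _unbound_tokens:
        return False
    _unbound_tokens.discard(token)
    return True


# --- Bound token: the property a correct fix must provide ----------------------------
# The token carries an HMAC over (address, expiry, nonce). Verification recomputes the
# MAC with the address that was submitted, so a swapped address fails the comparison.
_used_nonces = set()


def _sign(email: str, expires: int, nonce: str) -> str:
    msg = f"{_canonical(email)}|{expires}|{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_bound(email: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    nonce = secrets.token_urlsafe(16)   # urlsafe alphabet never contains "."
    return f"{expires}.{nonce}.{_sign(email, expires, nonce)}"


def verify_bound(email: str, token: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                    # malformed token
    if now > expires or nonce in _used_nonces:
        return False                    # expired or already consumed
    if not hmac.compare_digest(mac, _sign(email, expires, nonce)):
        return False                    # MAC was computed for a different address
    _used_nonces.add(nonce)             # single use
    return True


def demo() -> Dict[str, bool]:
    """Run the swapped-address scenario against both verifiers and report the outcomes."""
    owner = "owner@example.com"         # constructed: the address the token is issued for
    other = "someone-else@example.com"  # constructed: the address submitted at verification
    results = {}
    t = issue_unbound(owner)
    results["unbound_other_verified"] = verify_unbound(other, t)   # True: the flaw
    t = issue_bound(owner)
    results["bound_other_verified"] = verify_bound(other, t)       # False: address bound
    results["bound_owner_verified"] = verify_bound(owner, t)       # True: legitimate use
    results["bound_replay_verified"] = verify_bound(owner, t)      # False: single use
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the bound design is that the address is part of what the MAC covers, so the server does not have to trust a lookup table or a client-supplied field to decide which address a token proves control of; expiry and the used-nonce set close the replay and stale-link cases that a pure HMAC check would leave open.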

Impacted users have criticised the trial period that Google offers, saying those who try to open a Workspace account using an email address with a custom domain should not have any access until they verify their domain ownership.


This is not the first time that Google Workspace has been subject to a security incident in the past year.

In December, cybersecurity researchers identified the DeleFriend flaw, which could let attackers use privilege escalation to gain Super Admin access. However, an anonymous Google representative told The Hacker News that it does not represent “an underlying security issue in our products.”

In November, a report from Bitdefender disclosed several weaknesses in Workspace relating to Google Credential Provider for Windows that could lead to ransomware attacks, data exfiltration and password theft. Google again disputed these findings, telling the researchers it had no plans to address them as they are outside of their specific threat model.
