29 July 2024

Hackers bypass Google Workspace authentication, exposing thousands of accounts


A security weakness in the Google Workspace platform allowed hackers to bypass the email verification required to create accounts. The flaw was exploited to impersonate domain holders across various third-party services utilizing the “Sign in with Google” feature.

The vulnerability, as reported by KrebsOnSecurity, was discovered in the email verification process for new Google Workspace accounts. Hackers managed to circumvent this feature, enabling unauthorized access to third-party services through Google’s single sign-on system.

According to Google Workspace’s Anu Yamunan, the attackers used a specially constructed request to circumvent email verification during the sign-up process.

“The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third-party services using Google single sign-on,” Yamunan said.

Google’s engineers confirmed the exploitation of the issue in recent weeks. The company said it identified a small-scale campaign where the threat actors bypassed the email verification step in the account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request. These EV users could then be used to gain access to third-party applications using ‘Sign In with Google.’
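The weakness Yamunan describes is a verification step that does not bind the token to the address the sign-up was started with. The toy model below is an added illustration of that class of bug and of the corresponding check; it is not Google's code and not from the article, and every name, address and data structure in it is constructed for the example. The weak variant marks whatever address is presented at verification time as verified; the hardened variant only ever marks the address the token was issued for, rejects a mismatch, and records it as an audit event a defender could alert on.

```python
import secrets
from dataclasses import dataclass, field


def canonical(email: str) -> str:
    """Normalise an address so that case or stray whitespace cannot defeat the comparison."""
    return email.strip().lower()


@dataclass
class VerificationService:
    """Two-step email verification for a sign-up flow (toy model constructed for this example).

    check_binding=False models the weak behaviour: the address presented at
    verification time is trusted. check_binding=True is the hardened variant:
    only the address the token was issued for can be marked verified.
    """
    check_binding: bool
    pending: dict = field(default_factory=dict)      # token -> address the token was issued for
    verified: set = field(default_factory=set)       # addresses that completed verification
    mismatches: list = field(default_factory=list)   # (issued_for, claimed) pairs, for audit/alerting

    def start_signup(self, email: str) -> str:
        """Issue a single-use random token for `email`; a real system would mail it to that address."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = canonical(email)
        return token

    def complete_verification(self, token: str, claimed_email: str) -> bool:
        """Second step: the client presents a token plus the address it claims to have verified."""
        issued_for = self.pending.get(token)
        if issued_for is None:
            return False                       # unknown or already-consumed token
        claimed = canonical(claimed_email)
        if self.check_binding and claimed != issued_for:
            # Token was issued for a different address: reject and keep an audit record.
            self.mismatches.append((issued_for, claimed))
            return False
        del self.pending[token]                # single use
        # Hardened path marks the address the token was issued for; the weak path
        # marks whatever the client claimed, which is the flaw being modelled.
        self.verified.add(issued_for if self.check_binding else claimed)
        return True


def demo() -> dict:
    """Run the same mismatched-address sequence against both variants and report what each accepted."""
    victim, other = "Victim@Example.com", "other@example.net"   # constructed sample addresses
    results = {}
    for name, check in (("weak", False), ("hardened", True)):
        svc = VerificationService(check_binding=check)
        token = svc.start_signup(victim)
        mismatched = svc.complete_verification(token, other)    # different address than sign-up
        matched = svc.complete_verification(token, victim)      # the address the token was issued for
        results[name] = {
            "mismatched_accepted": mismatched,
            "matched_accepted": matched,
            "verified": sorted(svc.verified),
            "mismatch_events": len(svc.mismatches),
        }
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

The same principle applies on the relying-party side of single sign-on: a service that accepts a federated identity should treat the verified-address signal as the identity provider's assertion about that exact address, and should not link the login to an existing local account on the strength of a matching email string alone.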

Google said that the campaign affected “a few thousand” accounts, starting in late June. However, user comments on TheHackerNews and KrebsOnSecurity suggest the issue might have been exploited as early as the beginning of June, indicating the vulnerability could have been present for at least two months before being addressed.

The malicious activity involved Google Workspace accounts created without domain verification. Google Workspace typically offers a free trial, providing access to services like Google Docs, while restricting Gmail to users who validate domain ownership. The flaw allowed attackers to bypass this validation process, though Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.

Yamunan noted that the attackers primarily aimed to impersonate domain holders on other online services rather than abuse Google’s services.

