Hackers bypass Google Workspace authentication to expose thousands of accounts

News
By published

Crooks found a way to verify other people's email addresses when registering a Workspace account

21:9 Hero
(Image credit: Google)

Google’s cloud-based productivity platform had an authentication weakness that allowed hackers to impersonate other companies and log into third-party services, experts have warned.

As reported by KrebsOnSecurity, the vulnerability was discovered in the email verification process when creating a Google Workspace account. 

Crooks were able to circumvent the verification, and log into third-party services that offered the “Sign in with Google” option for authentication.

Caught in the wild

“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Anu Yamunan, director of abuse and safety protections at Google Workspace, told Krebs. 

“The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”

Google’s engineers also confirmed that the vulnerability was being abused in the wild, at least in the last couple of weeks:

“In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request,” Google said. “These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’.”

Google said it fixed the problem within 72 hours from discovering it, and added an extra layer of protection, for good measure. It also said that the abuse involved “a few thousand” accounts, and that it started in late June. 

However, the comments left by readers on both TheHackerNews, and KrebsOnSecurity, suggest that the issue was present for a lot longer, Neowin reports. In fact, some people said they fell victim to the attack in early June 2024, which would mean hackers were abusing the flaw for at least two months before it was finally addressed.

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.