A vulnerability in Google Workspace allowed thousands of emails to be compromised


Thousands of email addresses were compromised after hackers used them to create Google Workspace accounts and bypass the verification process.

According to Google, a “specially crafted request” could open a Workspace account without verifying the email. This means that malicious actors only needed the email address of their intended target to impersonate them.

While none of the fake accounts were used to abuse Google services such as Gmail or Docs, they were used to access third-party services through the “Sign in with Google” feature.

An affected user who shared their experience on a Google Cloud Community forum received a notification from Google that someone had created a Workspace account with their email without verification and then used it to log in to Dropbox.

A Google spokesperson told TechRepublic: “In late June, we quickly resolved an account abuse issue affecting a small subset of email accounts. We are conducting a thorough analysis, but so far we have found no evidence of additional abuse in the Google ecosystem.”

The verification failure was limited to “Email Verified” Workspace accounts, so it did not affect other types of users, such as “Domain Verified” accounts.

Anu Yamunan, director of abuse protection and security at Google Workspace, told Krebs on Security that the malicious activity began in late June, with “a few thousand” unverified Workspace accounts detected. However, commenters on the story and Hacker News claim the attacks actually began in early June.

In its message sent to affected email addresses, Google said it fixed the vulnerability within 72 hours of its discovery and has since added “additional detection” processes to ensure it cannot be repeated.

How malicious actors exploited Google Workspace accounts

People who sign up for a Google Workspace account get access to a limited set of its services, such as Docs, as a free trial. The trial ends after 14 days unless they verify their email address, which grants them full access to Workspace.

However, the vulnerability allowed malicious actors to gain access to the full suite, including Gmail and domain-dependent services, without verification.

“The tactic here was to create a specifically crafted request by a malicious actor to bypass email verification during the sign-up process,” Yamunan told Krebs on Security. “The vector here is that they would use one email address to attempt to log in and a completely different email address to verify a token.

“Once their email has been verified, in some cases we have seen them access third-party services using Google single sign-on.”

The solution Google has implemented prevents malicious users from reusing a token generated for one email address to validate a different address.
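The quotes above describe a verification step that accepted a token without checking which address it had been issued for. The following added illustration (not Google's code, and not a description of its actual implementation) contrasts that weak check with one that binds each token to the address it was sent to, expires it, and allows it to be used only once. The in-memory store, the 15-minute lifetime and the example addresses are all constructed for the demo.

```python
"""Email-verification tokens: address-unbound (weak) vs address-bound (hardened).

Added example; the store, lifetime and addresses below are constructed.
"""
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store: token -> record of the address it was issued for,
# when it expires, and whether it has already been consumed.
_issued: dict = {}
TOKEN_TTL_SECONDS = 15 * 60  # constructed lifetime for this demo


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Issue a verification token and remember which address it was sent to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    _issued[token] = {
        "email": email.strip().lower(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def verify_unbound(email: str, token: str) -> bool:
    """Weak check: accepts any live token, ignoring which address it was issued
    for. A token obtained for one mailbox therefore 'verifies' any other address,
    which is the class of flaw the article describes."""
    rec = _issued.get(token)
    return rec is not None and not rec["used"]


def verify_bound(email: str, token: str, now: Optional[float] = None) -> bool:
    """Hardened check: the token must exist, be unexpired and unused, and have
    been issued for exactly the address now being verified."""
    now = time.time() if now is None else now
    rec = _issued.get(token)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    presented = email.strip().lower().encode()
    # Constant-time comparison of the bound address against the presented one.
    if not hmac.compare_digest(rec["email"].encode(), presented):
        return False
    rec["used"] = True  # single use: a replayed token is rejected afterwards
    return True


def demo() -> dict:
    """Issue a token for one address and present it with a different address."""
    owner = "alice@example.com"  # constructed: address the token was issued for
    other = "bob@example.com"    # constructed: a different address presented with it
    token = issue_token(owner, now=1000.0)
    return {
        "unbound_accepts_other": verify_unbound(other, token),
        "bound_rejects_other": not verify_bound(other, token, now=1010.0),
        "bound_accepts_owner": verify_bound(owner, token, now=1020.0),
        "bound_rejects_replay": not verify_bound(owner, token, now=1030.0),
    }


if __name__ == "__main__":
    print(demo())
```

The defensive property to take from this is that a verification token is evidence about one specific mailbox; the verifier has to compare the address it is being asked to confirm against the address the token was issued for, and a token that is expired or already consumed should never be honored.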

Affected users have criticized the trial period offered by Google, saying that those who try to open a Workspace account using an email address with a custom domain should not be granted access until they verify ownership of their domain.


This is not the first time Google Workspace has been the subject of a security incident in the past year.

In December, cybersecurity researchers identified the DeleFriend flaw, which could allow attackers to use privilege escalation to gain super-administrator access. However, an anonymous Google representative told The Hacker News that it does not represent “an underlying security issue in our products.”

In November, a Bitdefender report revealed several weaknesses in Workspace related to the Google Credential Provider for Windows that could lead to ransomware attacks, data exfiltration, and password theft. Google again disputed these findings, telling researchers it had no plans to address them because they are outside its specific threat model.
