A significant security flaw was recently uncovered in Google Workspace’s creation process, allowing malicious actors to bypass email verification and impersonate domain holders. This vulnerability enabled attackers to access third-party services using Google’s “Sign in with Google” feature, posing potential risks for users not directly associated with Google Workspace.
Incident Overview
KrebsOnSecurity reported that a user received a notification from Google about their email being used to create a potentially malicious Google Workspace account, which Google promptly blocked. This was part of a broader abuse campaign where attackers exploited a flaw using a specially constructed request to bypass the critical email verification step required for setting up a Google Workspace account, allowing them to pose as legitimate domain holders and access third-party services. This tactic involved using one email address to sign in and another to verify the token. According to Anu Yamunan, Director of Abuse and Safety Protections at Google Workspace, the malicious activity began in late June. However, in an online discussion following the initial news by KrebsOnSecurity, several users reported the same issue, in earlier instances.
Impact and Response
The incident affected “a few thousand” accounts, part of an abuse campaign targeting non-domain-verified accounts. While the attackers did not exploit Google services directly, they aimed to impersonate domain holders on other platforms, potentially gaining unauthorized access to services like Dropbox and other third-party applications. Google responded quickly, fixing the flaw within 72 hours of its discovery and implementing additional detection measures to prevent future incidents. The company clarified that none of the affected domains had previously been associated with Google Workspace accounts or services.
Implications for Non-Workspace Users
The vulnerability highlighted the risk for organizations whose domains were not registered with Google Workspace. Attackers could create Google Workspace accounts using these domains, generating users with email addresses identical to those of the legitimate organization. This impersonation could allow attackers to connect to various third-party services via the “Sign in with Google” feature, accessing sensitive information.
Wing Security’s Preventative Measures and Recommendations
Here are some key recommendations to protect against these kinds of threats, alongside how Wing Security’s advanced SaaS Threat Intelligence can enhance your organization’s security posture:
- Verify Email Activity: Regularly monitor for notifications about unauthorized attempts to create accounts using your email addresses. These alerts can signal potential breaches of identity or domain. Wing Security’s personalized threat alerts are tailored to your specific SaaS environment, ensuring that you receive relevant and actionable information to address such threats on time.
- Review Recent Emails: Conduct thorough reviews of your email history to identify any suspicious activities related to account creation. Detecting these early can prevent unauthorized access. Wing Security offers expert-backed analysis, combining machine learning with insights from cybersecurity experts that provide a comprehensive view of your organization’s security status.
The Google Workspace incident underscores the importance of robust security measures in the SaaS landscape. Advanced SaaS Threat Intelligence capabilities, like those offered by Wing Security, are essential for organizations to detect, respond to, and mitigate threats, ensuring stronger protection against potential breaches and safeguarding sensitive information.
