Google Workspace security vulnerability caused thousands of user accounts to be attacked
While the world is still reeling from the CrowdStrike incident, another major work support software service platform, Google Workspace, also recently faced a serious security issue related to user accounts. use.
Google Workspace is a service that allows businesses to create professional email addresses using their company domain name, such as abc@tencongty.com. Additionally, businesses can also access Google Drive, Gmail calendar, Google Meet, etc. through a Google Workspace account.
Google's security team recently discovered that hackers were able to bypass the email verification system, which is required to create a Google Workspace account. For example, if you want to create a Google Workspace account for abc@tencongty.com, you first need to verify that the email address belongs to you. However, hackers have found a trick to bypass this basic requirement. Worse, the created Google Workspace account can be used at third-party services that allow "Sign in with Google" as a sign-in mechanism.
Here's how hackers bypass email verification for Google Workspace accounts:
- Google offers a free Workspace trial account that allows users to try out services like Google Docs.
- However, to create a Workspace account with Gmail and domain-dependent services, email verification is required.
- Hackers created a request specifically crafted to avoid email verification during the registration process.
- Hackers will use one email address to attempt login and a completely different email address to verify the token.
- After verifying the email, in some cases, hackers can access third-party services using Google's single sign-on feature.
Google informed KrebsOnSecurity that the issue began in late June, affecting "several thousand" Workspace accounts, and that it successfully fixed the issue within 72 hours of discovery. The company also confirmed that it has added detection features to protect against these types of authentication bypasses.
However, according to reports from some users, it seems that the email verification bypass issue has been going on for more than a month. There was one case of users being affected by this issue on June 6, which was not the end of the month as Google claimed. Another user on the KrebsOnSecurity forum named David Keaton claimed to have encountered an issue with Google on June 7.
Google's lack of transparency about the timeline and full extent of the Workspace security vulnerability raises concerns. A clear and detailed public announcement, including proactive steps taken to prevent future violations, would be a more responsible approach. Additionally, acknowledging the issue with an official blog post would help Google demonstrate the company's commitment to transparency and user trust.
You should read it
- Google Workspace adds anti-phishing, client-side data encryption
- Google Project Zero reveals a serious privilege escalation vulnerability in Windows
- How to quickly open Google Workspace service on Microsoft Edge
- Google awarded US $ 36,000 to the Uruguayan boy who discovered the carrier's serious security error
- Google Workspace is now free for users with a Google account
- AMD CPUs also have security vulnerabilities that have existed for many years now!
- Google will automatically upgrade free G Suite users to Paid Workspace from May 1, 2022
- How to work with workspace in GNOME
- Detecting a Google Drive vulnerability could allow hackers to trick users into installing malware
- Google Chrome has a serious zero-day error, and hackers can execute malicious code at its fullest
- Google adds many AI features to Google Workspace at Cloud Next 2024
- Google discovered two serious vulnerabilities on iOS
Maybe you are interested
How to Use Google Slides to Create a Diagram
How to stop Google Docs and Sheets from eating up RAM
Why use Waze instead of Google Maps?
How to stay safe from the scary Google Maps scam that's going viral
5 Ways to Use Google Maps Without Planning a Route
How to Share Your Exact Location with Google Plus Codes