Google Patches Workspace Authentication Flaw, Thwarting Account Takeover Attempts
Google has recently addressed a critical security flaw in its Google Workspace platform that allowed threat actors to bypass email verification during account creation, as reported by KrebsOnSecurity. This flaw potentially enabled attackers to impersonate domain owners and gain unauthorized access to third-party services integrated with Google’s “Sign in with Google” feature.
The issue was first detected in late June when a small-scale abuse campaign was identified. Attackers exploited the weakness by using a specially crafted request to circumvent the email verification step, creating Workspace accounts without proving domain ownership. Although the malicious accounts were not used to abuse Google services directly, they were leveraged to impersonate domain holders on other online platforms.
“In the last few weeks, we identified a small-scale abuse campaign where bad actors bypassed the email verification step in our account creation process for Email Verified (EV) Google Workspace accounts using a specially constructed request,” the notice from Google explained. “These EV users could then be used to gain access to third-party applications using ‘Sign in with Google’.”
One affected user reported receiving a notification from Google that their email address was used to create a suspicious Workspace account. Upon investigation, it was discovered that the unauthorized account was linked to the user’s Dropbox account, highlighting the potential impact of this vulnerability.
Google acted swiftly to mitigate the threat, fixing the authentication weakness within 72 hours of discovery and implementing additional security measures to prevent similar bypasses in the future. The company emphasized that none of the compromised domains had previously been associated with Workspace accounts or services, suggesting a targeted effort by the attackers.
This incident underscores the importance of robust authentication mechanisms and the potential risks associated with single sign-on (SSO) services. While SSO provides convenience, it also creates a single point of failure that, if compromised, can have far-reaching consequences.
Users are advised to remain vigilant and report any suspicious activity to Google or the affected third-party services. Additionally, enabling multi-factor authentication (MFA) whenever possible can provide an extra layer of security against unauthorized account access.