Google says it recently fixed an authentication vulnerability that allowed hackers to bypass the email verification required to create a Google Workspace account, and then use that account to impersonate the domain owner to third-party services that support Google’s “Sign in with Google” feature.
Last week, KrebsOnSecurity heard from a student who said they received a notification that their email address was used to create a potentially dangerous Workspace account that Google blocked.
“Over the past few weeks, we have identified a micro-aggression campaign in which bad actors bypassed the email verification step in our account creation process for Email Verified (EV) Google Workspace accounts using a specially crafted application,” reads a notice from Google. “These EV users may be used to access third-party applications using ‘Sign in with Google’.”
In response to questions, Google said it fixed the problem within 72 hours of its discovery, and that the company added additional detections to protect against these types of authentication bypasses.
Anu Yamunan, director of abuse and security protection at Google Workspace, told KrebsOnSecurity that the malicious activity began in late June and involved “several thousand” Workspace accounts created without domain verification.
Google Workspace offers a free trial that people can use to access services like Google Docs, but some services like Gmail are only available to Workspace users who can verify control of the domain name associated with their email address. A vulnerability fixed by Google allowed attackers to bypass this verification process. Google stressed that none of the affected domains were associated with Workspace accounts or services.
“The strategy here was an application created by a bad actor to avoid email verification during registration,” Yamunan said. “The vector here is that they will use one email address to try to log in, and a completely different email address to verify the token. Once they’ve been verified by email, in some cases we’ve seen them access third-party services using Google’s single sign-on.”
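The flaw Yamunan describes is a verification token that proves control of one address being accepted as proof for a different one. The following is an added example, not Google’s code: two hypothetical verifier classes, one that only remembers that a code was issued (the vulnerable pattern) and one that binds each code to the normalized address it was mailed to, expires it, and consumes it on first use. All addresses and the time source are constructed for the demonstration.

```python
"""Email-verification codes: unbound (vulnerable pattern) vs. bound to the address.

Added example, not Google's code. Both verifier classes, the constructed
addresses and the injectable clock are hypothetical; they model the flaw
described in the article, where a code obtained for one address is accepted
as verification for another.
"""
import secrets
import time
from dataclasses import dataclass


def normalize(email: str) -> str:
    """Canonicalise an address before comparison so case differences cannot split it."""
    return email.strip().lower()


class UnboundVerifier:
    """Vulnerable pattern: the server remembers only that a code exists,
    not which address it was sent to, so any live code verifies any signup."""

    def __init__(self) -> None:
        self._live_codes: set[str] = set()

    def send_code(self, email: str) -> str:
        code = secrets.token_urlsafe(16)
        self._live_codes.add(code)  # the address is dropped here
        return code

    def verify(self, signup_email: str, code: str) -> bool:
        # Confirms the code was issued but never asks "issued for which address?"
        return code in self._live_codes


@dataclass(frozen=True)
class Pending:
    email: str
    expires_at: float


class BoundVerifier:
    """Hardened pattern: each code is tied to the address it was mailed to,
    has a lifetime, and is consumed on first presentation."""

    def __init__(self, ttl_seconds: int = 900, now=time.time) -> None:
        self._pending: dict[str, Pending] = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested offline

    def send_code(self, email: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = Pending(normalize(email), self._now() + self._ttl)
        return code

    def verify(self, signup_email: str, code: str) -> bool:
        # Single use: the entry is removed whether or not the check passes.
        entry = self._pending.pop(code, None)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            return False
        # The address being verified must be the one the code was issued for.
        return entry.email == normalize(signup_email)


def cross_address_attempt(verifier) -> bool:
    """Constructed scenario: a code requested for address A is presented as
    proof of control over address B. Returns whether the verifier accepts it."""
    code = verifier.send_code("address-a@example.org")
    return verifier.verify("address-b@example.net", code)


if __name__ == "__main__":
    print("unbound accepts cross-address code:", cross_address_attempt(UnboundVerifier()))
    print("bound accepts cross-address code:  ", cross_address_attempt(BoundVerifier()))
```

The check that matters is the last line of `BoundVerifier.verify`: the address under verification is compared with the address recorded at issue time, rather than the code being treated as a free-floating proof. Expiry and single use narrow the window further but do not substitute for that binding.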
Yamunan said none of the potentially dangerous Workspace accounts were used to abuse Google services; rather, the attackers wanted to impersonate the domain owner to other online services.
In the case of the student who shared the breach notification from Google, the scammers used the authentication bypass to associate the student’s domain with a Workspace account. That domain was tied to his login to several third-party services on the Internet. Indeed, the alert this student received from Google said that an unauthorized Workspace account appeared to have been used to log into his account on Dropbox.
Google said the now-fixed authentication bypass is unrelated to the recent issue involving cryptocurrency-based domain names that were apparently compromised in their switch to Squarespace, which last year acquired more than 10 million domains registered through Google Domains.
On July 12, several domains linked to cryptocurrency businesses were hijacked from Squarespace users who had not yet set up their Squarespace accounts. Squarespace has since published a statement blaming the domain hijacks on an “OAuth login-related vulnerability”, which Squarespace says it fixed within hours.