Google has said that it has fixed a security flaw that allowed hackers to bypass the company’s email verification step, create potentially malicious Workspace accounts, and use them to access third-party services.
“In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request,” a notice sent by Google to some users read.
“These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’,” it added.
‘Fixed problem within 72 hours’
In response to questions from independent security journalist Brian Krebs (KrebsOnSecurity), Google said it fixed the problem within 72 hours of discovering it. Anu Yamunan, director of abuse and safety protections at Google Workspace, said that the malicious activity began in late June.
According to the company, “a few thousand” Workspace accounts were created without being domain-verified. Google has also added detection to protect against this type of authentication bypass.
“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Yamunan was quoted as saying.
“The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on,” she said.
According to Yamunan, none of the potentially malicious Workspace accounts were used to abuse Google services themselves.