Hackers bypass Google Workspace authentication to expose thousands of accounts

Crooks found a way to verify other people’s email addresses when registering a Workspace account


Google’s cloud-based productivity platform had an authentication weakness that allowed hackers to impersonate other companies and log into third-party services, experts have warned.

As reported by KrebsOnSecurity, the vulnerability was discovered in the email verification process when creating a Google Workspace account.

Crooks were able to circumvent the verification, and log into third-party services that offered the “Sign in with Google” option for authentication.

Caught in the wild


“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Anu Yamunan, director of abuse and safety protections at Google Workspace, told Krebs.

“The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”

Google’s engineers also confirmed that the vulnerability was being abused in the wild, at least in the last couple of weeks:

“In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request,” Google said. “These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’.”
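The mismatch described above, one address at signup and a different one at token verification, is what binding the verification token to the address prevents. The sketch below is an added illustration, not Google's code or anything from the original report; the function names, the secret, the 15-minute lifetime and the sample addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed here
TOKEN_TTL = 900                   # assumption: tokens are valid for 15 minutes


def _mac(signup_id: str, email: str, expires: int) -> bytes:
    # JSON-encode the fields so no choice of id or address can blur their boundaries.
    msg = json.dumps([signup_id, email.strip().lower(), expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_token(signup_id: str, email: str, now: Optional[float] = None) -> str:
    """Issue a token that is valid only for this signup and this address."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(signup_id, email, expires).decode()}"


def verify_token(signup_id: str, account_email: str, token: str,
                 now: Optional[float] = None) -> bool:
    """Accept the token only if it was issued for the address on the pending account.

    account_email must come from the server's own signup record,
    never from a field in the verification request.
    """
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # expired token
    expected = _mac(signup_id, account_email, expires)
    return hmac.compare_digest(mac.encode(), expected)
```

A token issued for one address fails verification against a signup record that holds a different address, because the address is part of the authenticated message rather than a separate request parameter.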


Google said it fixed the problem within 72 hours of discovering it, and added an extra layer of protection for good measure. It also said that the abuse involved “a few thousand” accounts, and that it started in late June.

However, the comments left by readers on both TheHackerNews and KrebsOnSecurity suggest that the issue was present for a lot longer, Neowin reports. In fact, some people said they fell victim to the attack in early June 2024, which would mean hackers were abusing the flaw for at least two months before it was finally addressed.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
