Not too long ago, a vulnerability in Google’s “Register with Google” feature allowed attackers to bypass email verification and create Workspace accounts for themselves, effectively letting them impersonate site owners to third-party companies that offer Google-based login.
At the end of the week, KrebsOnSecurity received a report from a concerned individual who discovered that their email address had been used to set up a suspicious Google Workspace account, which was subsequently blocked for potential malicious activity.
“In recent weeks, Google researchers uncovered a sophisticated email verification evasion tactic, which malicious actors exploited to create compromised EV Google Workspace accounts by crafting a customised request that bypassed our email verification step.” “These existing EV customers can leverage their accounts to access third-party services through ‘Sign in with Google’ functionality.”
Google promptly resolved the issue within 72 hours of identification, implementing additional safeguards to prevent similar authentication bypasses from occurring in the future.
Yamunan, Google Workspace’s director of abuse and security protections, told KrebsOnSecurity that the suspicious activity began in late June and targeted “a number of thousands” of Workspace accounts that lacked domain verification.
Google Workspace offers a free trial that gives individuals access to services like Google Docs, but other services, such as Gmail, are available only to Workspace customers who can verify control over the domain name associated with their email address. The vulnerability in Google’s system allowed attackers to circumvent that check. Google clarified that none of the impacted domains had any prior connection to Workspace accounts or organizations.
“A malicious actor constructed a targeted request to circumvent email verification during sign-up, exploiting vulnerabilities in the process,” said Yamunan. “The observed behavior suggests that attackers may employ a single email address for initial login attempts and a distinct, separate email address to verify authentication tokens. Once electronically verified, we’ve observed certain cases where users have gained access to third-party companies through Google’s single sign-on feature.”
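The failure mode Yamunan describes is a verification token that is accepted for a sign-up even though it was issued to a different mailbox. The following is an added illustration, not Google’s code and not a description of its internals: a toy sign-up service with two verify paths. The weak path validates the token against whatever email the verify request carries; the bound path validates it only against the email stored when the sign-up started, and also enforces expiry and single use. The secret key, the in-memory sign-up table and the addresses are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed server-side key; a real service keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a verification token stays valid

# Constructed "database": signup_id -> {"email": address typed at sign-up, "verified": bool}
signups = {}
used_tokens = set()


def _norm(email):
    return email.strip().lower()


def start_signup(signup_id, email):
    """Record the address the sign-up was started with; tokens are bound to it."""
    signups[signup_id] = {"email": _norm(email), "verified": False}


def _mac(email, exp):
    # Token authenticity = HMAC over (recipient email, expiry) under the server key.
    msg = f"{email}\x00{exp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(email, now=None):
    """Mint the token that would be emailed to `email` (returned here instead)."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    raw = exp.to_bytes(8, "big") + _mac(_norm(email), exp)
    return base64.urlsafe_b64encode(raw).decode()


def _token_valid(token, email, now):
    raw = base64.urlsafe_b64decode(token)
    exp = int.from_bytes(raw[:8], "big")
    if exp < now or token in used_tokens:
        return False
    return hmac.compare_digest(raw[8:], _mac(email, exp))


def verify_weak(signup_id, token, email_in_request, now=None):
    """Weak pattern: trusts the email supplied with the verify request.

    A token minted for mailbox A therefore marks as verified a sign-up that
    was started with address B, which is the mismatch the article describes.
    """
    now = int(now if now is not None else time.time())
    rec = signups.get(signup_id)
    if rec is None or not _token_valid(token, _norm(email_in_request), now):
        return False
    used_tokens.add(token)
    rec["verified"] = True
    return True


def verify_bound(signup_id, token, now=None):
    """Hardened pattern: the email comes from the sign-up record, never the request."""
    now = int(now if now is not None else time.time())
    rec = signups.get(signup_id)
    if rec is None or not _token_valid(token, rec["email"], now):
        return False
    used_tokens.add(token)
    rec["verified"] = True
    return True
```

The design point is that the verify step must take every identity-bearing input from server-side state created at sign-up; the client should be able to supply only an opaque token. Expiry and a used-token set are included because a token that binds the address correctly but can be replayed indefinitely is still a weak control.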
While Yamunan confirmed that none of the suspected malicious Workspace accounts were used to abuse Google services, it is likely that the attackers attempted to masquerade as the domain owner in order to deceive other online businesses.
In the case of the individual who reported the breach to KrebsOnSecurity, attackers exploited the authentication bypass to link their domain with a Workspace account. The domain was tied to his online accounts at multiple external organizations. It appears that Google’s abuse detection flagged the unauthorized Workspace account, which, as noted above, was subsequently blocked.
The authentication bypass Google fixed is distinct from the recent trouble with cryptocurrency-related domains, which were among the more than 10 million domains acquired from Google Domains last year.
On July 12, a significant number of domains associated with cryptocurrency firms were compromised and taken over by unauthorized parties, primarily affecting Squarespace customers who had not enabled two-factor authentication on their Squarespace accounts. Squarespace subsequently attributed the authentication issues to a weakness in its OAuth login process, which the company addressed within hours.