WTH? Google Auth Bug Lets Hackers Login as You
Domain owners flummoxed as strangers get Google for their domains.
The Google Workspace business apps service sprang a leak last month. Scrotes were able to register a domain without actually owning the domain. Balderdash and piffle!
Naturally, this caused a kerfuffle with the true domain owners. In today’s SB Blogwatch, we deobfuscate the circumstance.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fossil words.
G Suite Sours
All aboard! Climb up on the Brian Krebs cycle: Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services
“Circumvent email verification”
Google … fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services. … Google said it fixed the problem within 72 hours of discovering it, and that the company has added additional detection to protect against these types of authentication bypasses.
…
Anu Yamunan, director of abuse and safety protections at Google Workspace, [said] “The tactic here was to create a specifically-constructed request … to circumvent email verification during the signup process. … They would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”
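An added toy model of the flaw Yamunan describes, written for this post (not Google's code or anything from Krebs): a verification token is issued to one address, the verify request names a different one, and the fix is to bind the token to the mailbox it was actually sent to. Addresses are constructed placeholders.

```python
# Toy model of a signup e-mail verification step, added here to illustrate the
# bypass described above. Constructed example; not Google's code.
import secrets


def _normalize(email: str) -> str:
    return email.strip().lower()


class SignupService:
    """Issues verification tokens and marks addresses verified."""

    def __init__(self, bind_email_to_token: bool):
        # When False, verify() trusts whatever address the request names,
        # which is the weakness the quote describes.
        self.bind_email_to_token = bind_email_to_token
        self.pending = {}      # token -> address the token was mailed to
        self.verified = set()
        self.audit = []        # detection hook: mismatches worth alerting on

    def start(self, email: str) -> str:
        token = secrets.token_urlsafe(24)
        self.pending[token] = _normalize(email)
        return token           # in reality delivered only to that mailbox

    def verify(self, token: str, email_in_request: str) -> bool:
        issued_to = self.pending.get(token)
        if issued_to is None:
            return False
        claimed = _normalize(email_in_request)
        if claimed != issued_to:
            self.audit.append(("email mismatch", issued_to, claimed))
            if self.bind_email_to_token:
                return False
        del self.pending[token]
        self.verified.add(claimed)
        return True


def mismatched_verify(bind_email_to_token: bool) -> bool:
    """Start with one address, verify naming another; was the second verified?"""
    svc = SignupService(bind_email_to_token)
    token = svc.start("someone@own-mailbox.example")
    svc.verify(token, "admin@example.com")
    return "admin@example.com" in svc.verified


def honest_verify() -> bool:
    """Same mailbox on both sides (case differences only) still passes."""
    svc = SignupService(bind_email_to_token=True)
    token = svc.start("admin@example.com")
    return svc.verify(token, "Admin@Example.com")
```

The `audit` list stands in for the extra detection Google says it added: a token redeemed against an address it was never sent to is a signal worth logging even once the check itself rejects it.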
Google Whosit? Pradeep Viswanathan explains what this Google Workspace thing is:
“Lack of transparency”
Google Workspace allows businesses to create professional email addresses using their company’s domain name, such as [email protected]. Businesses can also access Google Drive, Gmail calendars, Google Meet, and more through a Google Workspace account.
…
Google recently found that hackers were able to bypass the email verification system, which is needed to create a Google Workspace account. … Even worse, the created Google Workspace account could be used at third-party services that allow “Sign in with Google” as a login mechanism.
…
Google’s lack of transparency … raises concerns. A clear and detailed public disclosure, including proactive steps taken to prevent future breaches, would be a more responsible approach [and] would demonstrate a commitment to transparency and user trust.
What should domain owners do? Alap Naik Desai suggestifies thuswise: Google email verification bypassed
“Change passwords if necessary”
It would be wise to exercise caution for the next few weeks. … Pay attention to emails that confirm subscriptions, logins, or purchases.
…
Internet users may receive legitimate emails from authentic service providers informing them of purchases or logins from unrecognized or suspicious locations. It would be prudent to check possible unauthorized access and change passwords if necessary.
Still confused? Heed mcoliver’s experience:
I got hit by this. On June 6 I got an email from Google saying welcome to Google Workspace. [But] I don’t have Google Workspace for this domain. [So, I] tried to sign in and was told that the admin account was an email on my domain (e.g., [email protected]). OK, created that account so I could receive email, except then Google said that I had to use the backup recovery email, which happened to be [email protected].
Google said that non-verified workspaces … would be automatically deleted after 7 days. [But] 14 days later the workspace was still there. I had to go through a convoluted … process to get my workspace domain back and then properly register it so this would not happen again.
…
1) You shouldn’t be able to create a workspace with a custom domain without verifying it via DNS records.
2) The established admin account with a custom domain email address should be eligible to perform recovery. Not some arbitrary secondary Gmail account.
Why is this such a big deal? Latent Heat explains:
They weren’t doing this to access the [Google Workspace] productivity tools. Rather, to spoof their online credentials for other, potentially malicious purposes.
ELI5? nottorp explains like you’re five:
So if you own example.com and use [email protected] as your login to greatonlinegame.com, someone can register example.com with Google Workspace and then they can use “login with Google” to log in [with the] [email protected] account at greatonlinegame.com.
Ohhh—an OAuth bug? Bryan Walsch Jr reacts logically:
I never sign in with Google. I will forget which ones I did it for. If it’s that important, create a unique user ID and password. And write it down (keep a fake written book if you’re afraid someone will steal it).
…
The rule of “don’t write it down” has ended up costing online users billions — just keep your book in a fire safe. … If someone is stealing your fire safe you have bigger problems than passwords.
Are you feeling some déjà vu? @_prbh is, too:
Authentication bypass by merely changing the email address during the token verification step. Quite similar to the Apple iCloud bug from sometime back.
Meanwhile, Paul B is not a happy bunny:
This is kindergarten-level security. … Google=evil.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.