A recent authentication weakness in Google’s email verification process for Google Workspace accounts allowed cybercriminals to bypass email verification and gain access to third-party services using Google’s “Sign in with Google” feature. This flaw allowed attackers to impersonate the domain holder and potentially compromise accounts on unrelated platforms.
According to Google, the issue was discovered and fixed within 72 hours after it was identified. Anu Yamunan, director of abuse and safety protections at Google Workspace, stated that the malicious activity started in late June and affected “a few thousand” Workspace accounts that were created without proper domain verification.
The exploit targeted Google Workspace’s free trial users who could access services like Google Docs without domain verification. However, Gmail and other services require domain validation to verify control over the email address’s domain name. The authentication bypass allowed attackers to create Workspace accounts without going through the validation process, enabling them to access third-party services using Google single sign-on.
While none of the compromised accounts were used to abuse Google services directly, the attackers primarily aimed to impersonate domain holders on other online platforms. In one reported case, the attackers associated a victim’s domain with a malicious Workspace account, subsequently using it to sign in to the victim’s accounts on third-party services like Dropbox.
Google clarified that this authentication bypass is unrelated to a recent incident involving cryptocurrency-based domain names transitioning to Squarespace, where domains tied to cryptocurrency businesses were hijacked due to OAuth login weaknesses. Squarespace addressed and resolved the issue promptly.
Overall, Google promptly addressed the email verification vulnerability in Workspace accounts and implemented additional detection measures to prevent similar authentication bypasses in the future. It serves as a reminder of the importance of robust security measures to safeguard user accounts and sensitive information from malicious actors.