Crooks Bypassed Google's Email Verification To Create Workspace Accounts, Access 3rd-Party Services (krebsonsecurity.com)
Brian Krebs writes via KrebsOnSecurity: Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google's "Sign in with Google" feature. [...] Google Workspace offers a free trial that people can use to access services like Google Docs, but other services such as Gmail are only available to Workspace users who can validate control over the domain name associated with their email address. The weakness Google fixed allowed attackers to bypass this validation process. Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.
"The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process," [said Anu Yamunan, director of abuse and safety protections at Google Workspace]. "The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on." Yamunan said none of the potentially malicious workspace accounts were used to abuse Google services, but rather the attackers sought to impersonate the domain holder to other services online.
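The bug class Yamunan describes is a verification token that is accepted without checking which address it was actually sent to. The sketch below, an added example rather than Google's implementation (all class and function names are hypothetical), shows that unbound check next to a bound one that ties the token to the claimed address and consumes it on use.

```python
import secrets
from dataclasses import dataclass

# Constructed illustration of the bug class described above; not Google's code,
# and the names (Signup, VerificationService, run_signup) are hypothetical.

@dataclass
class Signup:
    claimed_email: str      # address the new account will be created under
    verified: bool = False

class VerificationService:
    def __init__(self):
        self.pending = {}   # signup_id -> Signup
        self.issued = {}    # token -> address the token was e-mailed to

    def start_signup(self, signup_id, claimed_email):
        self.pending[signup_id] = Signup(claimed_email.strip().lower())

    def send_token(self, to_email):
        # Stand-in for the mail step: the token goes to whatever address the request names.
        token = secrets.token_urlsafe(16)
        self.issued[token] = to_email.strip().lower()
        return token

    def verify_unbound(self, signup_id, token):
        # Weak check: only asks "was this token ever issued?", never "to whom?"
        signup = self.pending[signup_id]
        if token in self.issued:
            signup.verified = True
        return signup.verified

    def verify_bound(self, signup_id, token):
        # Hardened check: the token must have gone to the very address being claimed,
        # and it is consumed so it cannot be replayed against another signup.
        signup = self.pending[signup_id]
        sent_to = self.issued.pop(token, None)
        if sent_to is not None and sent_to == signup.claimed_email:
            signup.verified = True
        return signup.verified

def run_signup(claimed_email, token_recipient, bound):
    """Return True if the signup for claimed_email ends up marked verified."""
    svc = VerificationService()
    svc.start_signup("signup-1", claimed_email)
    token = svc.send_token(token_recipient)
    verify = svc.verify_bound if bound else svc.verify_unbound
    return verify("signup-1", token)
```

With mismatched addresses the unbound check still marks the account verified, while the bound check only succeeds when the token recipient and the claimed address agree.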
Re: And what did he put there? (Score:2)
Or maybe it is a terrible headline and they mean plural lowercase crooks, as in the 1950s word for criminals?
Re: (Score:2)
We like to pretend that the editors don't live in a political bubble and the Secret Service was in charge of Google's authentication software.
But the planet isn't melting and Google's not trying to orchestrate a coverup of this auth bypass so those are just recreational beliefs.
Why is this post down-moderated? (Score:2)
OK, maybe it is a silly question, but I think it was asked in earnestness because of the confusion of the headline.
What were they planning-- to get a job (Score:2)
Workspaces! What is this world coming to, when our people are threatened by crooks with productivity tools!
They were planning to "do a job" (Score:2)
TFA suggests that they weren't doing this to access the productivity tools, rather, to spoof their online credentials for other, potentially malicious purposes.