Google fixes vulnerability that allows users to bypass email authentication when creating a Google Workspace account and access third-party apps via 'Sign in with Google'



Google has announced that it has fixed a vulnerability that could allow hackers to bypass the email authentication system required to create a Google Workspace account. The vulnerability allowed hackers to pose as legitimate domain owners and gain unauthorized access to third-party services that offer the 'Sign in with Google' feature.

Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Access 3rd-Party Services – Krebs on Security
https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/



Google Workspace security flaw exposed thousands of accounts to hackers - Neowin
https://www.neowin.net/news/google-workspace-security-flaw-exposed-thousands-of-accounts-to-hackers/

When creating a Google Workspace account with an email address, users are required to verify that the email address is theirs. However, there was a way to circumvent this email verification step, and Google has fixed it. According to Google, it was possible to try signing in with an email address, and then authenticate using an entirely different email address.



'Over the past few weeks, we have identified a small-scale fraud campaign in which bad actors are using specially crafted requests to bypass the email authentication process in the Google Workspace account creation flow. These users may then use Sign in with Google to access third-party applications,' Google said in an email statement to affected users.



According to security blog KrebsOnSecurity, Google fixed the issue within 72 hours of discovering it, and Anu Yamnan, director of abuse and security for Google Workspace, said, 'The malicious activity began in late June 2024 and appears to involve thousands of Google Workspace accounts that were created without email authentication.'

In fact, KrebsOnSecurity readers reported that 'unauthorized Google Workspace accounts appeared to be used to sign in to their Dropbox accounts.' However, IT news site Neowin said that readers had also reported that 'Google claims that the problem occurred in late June, but the problem had already occurred in early June,' and that 'the company faced similar problems in 2012 and 2023.'

In light of this situation, Neowin pointed out the lack of transparency in Google's response. He called for clearer and more detailed public disclosure of the timeline and full scope of the security issues, as well as an explanation of the proactive measures they are taking to prevent future breaches. He also suggested that Google should acknowledge the issue in an official blog post, demonstrating their commitment to transparency and user trust.

in Web Service,   Security, Posted by log1i_yk