A previously unknown security issue in Google LLC's Workspace could allow an attacker to exfiltrate data from Google Drive without being detected.
Detailed by researchers at Mitiga Security Inc. on Tuesday, the issue is a forensic deficiency: a user can exfiltrate data without generating any record of the activity. It specifically concerns actions performed by users who do not hold a paid enterprise license for Google Workspace.
The researchers explain that by default, all Google Drive users start with a "Cloud Identity Free" license and that, unless an administrator assigns a paid license, no logs are recorded for actions taken in a user's private drive. That lack of visibility allows bad actors to manipulate or steal data without being detected.
The flaw can be abused in two ways. First, if a user's account is compromised, a malicious actor can manipulate the user's license to access and download private files, leaving behind only the license revocation and reassignment events in the admin log; the Drive activity itself is never recorded.
Second, an attacker can target employees who are being offboarded. If a paid license is revoked before the account is deactivated, the account can download sensitive files from its private drive during that interval without anyone noticing.
Following responsible disclosure practice, Mitiga contacted Google before publishing its findings but has yet to receive a response. The researchers recommend regular monitoring of admin log events in Google Workspace, particularly license assignment and revocation, since sudden changes can indicate a threat. A revocation followed in rapid succession by a reassignment may mean that a malicious actor is manipulating licenses.
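The two abuse patterns above and Mitiga's monitoring advice boil down to two checks over the admin audit log: a license revoked and reassigned on the same user within a short window, and an account left active but unlicensed for longer than an offboarding should take. The script below runs both over a handful of constructed events. It is an added example, not code from Mitiga or SiliconANGLE; the event dictionary layout and the event names REVOKE_LICENSE, ASSIGN_LICENSE and SUSPEND_USER are assumptions standing in for whatever the Admin SDK Reports API returns in your tenant, and must be mapped to the real names before use.

```python
"""Flag Google Workspace license changes that would open an unlogged window on a
user's Drive. Added example, not Mitiga's or SiliconANGLE's code. The event
layout and the names REVOKE_LICENSE / ASSIGN_LICENSE / SUSPEND_USER are
assumptions; map them to the real admin audit event names in your tenant."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REVOKE, ASSIGN, SUSPEND = "REVOKE_LICENSE", "ASSIGN_LICENSE", "SUSPEND_USER"

# Constructed sample events (not real logs), one list as the Reports API would return.
SAMPLE_EVENTS = [
    # alice: paid license pulled and put back eleven minutes later (scenario 1)
    {"time": "2023-05-30T09:00:00Z", "actor": "admin@example.com",
     "event": REVOKE, "target": "alice@example.com"},
    {"time": "2023-05-30T09:11:00Z", "actor": "admin@example.com",
     "event": ASSIGN, "target": "alice@example.com"},
    # bob: clean offboarding, license revoked and account suspended minutes apart
    {"time": "2023-05-30T13:00:00Z", "actor": "hr@example.com",
     "event": REVOKE, "target": "bob@example.com"},
    {"time": "2023-05-30T13:05:00Z", "actor": "hr@example.com",
     "event": SUSPEND, "target": "bob@example.com"},
    # carol: license revoked, account never suspended (scenario 2)
    {"time": "2023-05-30T14:00:00Z", "actor": "hr@example.com",
     "event": REVOKE, "target": "carol@example.com"},
    # dave: license revoked and only reassigned three days later
    {"time": "2023-05-30T15:00:00Z", "actor": "admin@example.com",
     "event": REVOKE, "target": "dave@example.com"},
    {"time": "2023-06-02T15:00:00Z", "actor": "admin@example.com",
     "event": ASSIGN, "target": "dave@example.com"},
]


def parse_time(stamp):
    """RFC 3339 UTC timestamp (as the Reports API emits) to an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_by_target(events):
    """Group events per affected user, oldest first."""
    groups = defaultdict(list)
    for e in events:
        groups[e["target"]].append(e)
    for lst in groups.values():
        lst.sort(key=lambda e: parse_time(e["time"]))
    return groups


def find_license_flips(events, window=timedelta(hours=1)):
    """Revocation followed by reassignment of the same user's license within
    `window`: the pattern Mitiga describes for a compromised account."""
    alerts = []
    for target, lst in events_by_target(events).items():
        pending = None  # most recent revoke not yet matched by an assign
        for e in lst:
            if e["event"] == REVOKE:
                pending = e
            elif e["event"] == ASSIGN and pending is not None:
                gap = parse_time(e["time"]) - parse_time(pending["time"])
                if gap <= window:
                    alerts.append({"target": target, "actor": e["actor"],
                                   "gap_minutes": int(gap.total_seconds() // 60)})
                pending = None
    return alerts


def find_offboarding_gaps(events, grace=timedelta(hours=24), now=None):
    """Users whose account stayed active without a paid license for longer than
    `grace`; every Drive action in that period went unlogged. `now` bounds the
    window for users not yet suspended (defaults to the newest event seen)."""
    if now is None:
        now = max(parse_time(e["time"]) for e in events)
    alerts = []
    for target, lst in events_by_target(events).items():
        for i, e in enumerate(lst):
            if e["event"] != REVOKE:
                continue
            start = parse_time(e["time"])
            end, closed_by = now, "still unlicensed"
            for later in lst[i + 1:]:  # window closes at the next assign or suspend
                if later["event"] in (ASSIGN, SUSPEND):
                    end, closed_by = parse_time(later["time"]), later["event"]
                    break
            if end - start > grace:
                alerts.append({"target": target, "closed_by": closed_by,
                               "unlicensed_hours": int((end - start).total_seconds() // 3600)})
    return alerts


if __name__ == "__main__":
    for a in find_license_flips(SAMPLE_EVENTS):
        print("FLIP", a)
    for a in find_offboarding_gaps(SAMPLE_EVENTS, now=parse_time("2023-06-03T00:00:00Z")):
        print("GAP", a)
```

On the sample data the first check flags only alice (revoke and reassign eleven minutes apart by the same admin), while the second flags carol, who was never suspended, and dave, who went three days without a license before it was reassigned; bob's revoke-then-suspend within five minutes passes both. Tune `window` and `grace` to how long a legitimate license swap or offboarding takes in your organization, and feed the functions the real activity records pulled with the Reports API rather than the constructed list.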
“Mitiga’s discovery of a ‘forensic security deficiency’ in Google Workspace once again reinforces the ongoing problem of data security in Software-as-a-Service applications,” Corey O’Connor, director of product at software-as-a-service security company DoControl Inc., told SiliconANGLE. “Apps like Google Drive and Workspace are Tier 0 applications: many organizations lack the necessary controls to prevent unauthorized access to critical data.”
O’Connor noted that the lack of security controls combined with the lack of event logging leaves Google Workspace users open and exposed, with virtually no visibility into who or what can access the data. “It is unrealistic to think that organizations can actively monitor logs and forensic data enough to detect malicious actors in their systems,” O’Connor said. “Unless an organization has dedicated tools and policies in place to address such SaaS data security vulnerabilities, it is likely to suffer from this ‘forensic deficiency.’”