Google's Workspace Suite Exposed for Security Flaws and Ignoring User Feedback
Google Workspace, the company's business office suite, was recently found to have a significant security vulnerability that persisted for nearly two months. Google initially downplayed the reports it received, and in the meantime a large number of accounts were accessed without authorization.
In a security announcement, Google admitted that hackers were able to craft requests that bypass the email verification system required for creating Workspace accounts. Typically, users must verify their email to create an account associated with their enterprise or organization.
Using these specially crafted requests, attackers created Workspace accounts without ever completing email verification. Because a Workspace account doubles as a Single Sign-On (SSO) identity, such accounts could then be used to sign in to other services the organization relies on, such as Google Drive, potentially exposing company data.
Google stated in emails sent to affected enterprises:
"In the past few weeks, we've identified a small-scale abuse activity where bad actors bypassed our email verification steps using specially constructed requests. These users could then access third-party applications via Google login.
The issue began in late June and affected thousands of Workspace accounts. Google fixed the problem within 72 hours of discovery and added extra detection features to prevent such bypassing of authentication."
However, numerous users on Hacker News (HN) accused Google of being dishonest about the timeline. One user reported being affected by the issue as early as June 6, not late June as Google claimed; another mentioned encountering a similar problem in July 2023.
One user reported the issue to Google on June 7:
"Google's statement is far from the truth. The attack started in early June, and I was among the victims at that time. I even have a ticket number from reporting the issue on June 7."
Judging by these user reports, Google's account of the timeline is misleading. That such a flaw existed at all in an enterprise-grade office suite like Workspace is bad enough; the bigger issue seems to be Google's disregard for reports from ordinary users, with the problem addressed only after a security research team reported the same flaw.
Given how long the vulnerability was exploitable, it is likely that more than a few thousand customers were affected. As a result, many users now question Google's transparency. A security issue of this magnitude should be disclosed promptly and comprehensively, and user reports should not be overlooked.