Researchers have found numerous security vulnerabilities in Google Workspace that risk breaches. While the vulnerabilities pose a serious threat to the users, Google denies fixing the bugs as they do not match with Google’s threat model.
Numerous Vulnerabilities Found In Google Workspace
Bitdefender researchers spotted multiple security weaknesses in the Google Workspace. As elaborated, the researchers found these vulnerabilities when analyzing Google Workspace and Google Cloud Platform while developing their XDR sensor.
Exploiting these vulnerabilities lets an adversary to gain network-wide access by compromising a single target account. In worst-case exploits, attackers may even wage a ransomware attack, moving laterally on the network and infecting systems with the Google Credential Provider for Windows (GCPW) installed.
Besides, such exploitations may also allow decrypting and stealing stored passwords, and gain access to the cloud platform with custom permissions, moving “beyond the Google ecosystem.”
The vulnerability exists because the GCPW uses “Google Accounts and ID Administration” (GAIA) service accounts to validate Google Workspace credentials. Since this account is created with escalated privileges, any exploitations involving this service pose a serious threat.
Bitdefender has explained the different exploitation scenarios in detail in their post.
Google Says No Plans To Patch
Upon discovering Google Workspace vulnerabilities, Bitdefender reported the matter to Google officials. However, given that the exploits require an attacker to compromise a local machine, Google refused to address the vulnerabilities as they lie outside of their threat model.
Nonetheless, Bitdefender disclosed the weaknesses publicly to aware users following the responsible bug disclosure. As they highlighted, while local exploits may lie outside Google’s threat model, they still remain a serious issue demanding attention. That’s because the threat actors keep looking for such vulnerabilities to perform large-scale attacks.
Recently, another security researcher highlighted a similar issue that Google chose not to address. While those vulnerabilities didn’t precisely threaten Google, they risked the users of other apps built on the vulnerable Google Electron software, including PureVPN, Slack, and others.
Let us know your thoughts in the comments.