[UPDATE 09.06.22 – 12:00 CET] In response to recent reports concerning a potential security flaw in Google Workspace, the company's PR team has issued a statement to clarify the situation and reassure users about the platform's security measures. The alleged flaw, which was reported to facilitate hidden data theft, was described as a “theoretical construction”, with no specific evidence of actual user impact.
Google's statement emphasized that organizations seeking robust auditing, as referenced in the report, are typically already using Google Workspace enterprise licenses. These licenses come with extensive auditing capabilities, ensuring a high level of security and data protection.
The company further clarified that any Google Workspace or Edu Drive license includes access to the types of audit logs mentioned in the report. These logs help security teams maintain audit trails in Google Workspace and provide detailed information about admin activity, data access, and system events. Google Workspace admins can access these logs via the Admin Console and can customize and export logs as required.
Google also addressed the role of Cloud Identity Free, stating that it is designed to enable limited access to Drive for non-sensitive data. It is not intended for the types of organizations that generally require the advanced auditing options provided by Google Workspace enterprise licenses.
The company's statement also highlighted the comprehensive control Google Workspace offers to administrators. The Admin Console allows administrators to configure infrastructure, applications, and system integrations in a single dashboard, simplifying administration and configuration regardless of the organization's size.
For users seeking to add these advanced capabilities, Google Workspace Enterprise Essentials is available. This package includes a Starter Edition that is free for up to 100 users.
Regarding Google Drive specifically, the company stated that Cloud Identity Free is the default license for all Google Cloud Platform (GCP) customers. All Workspace licenses, including but not limited to Enterprise Plus, include audit logging for Google Drive.
[05.06.22 – 11:03 CET] Researchers at Mitiga Security have reported a previously undocumented forensic deficiency in Google Workspace that could allow an attacker to exfiltrate data from Google Drive without leaving a trace: for some users, actions in Drive generate no log record at all, so there is nothing for an investigator to find afterwards. The issue is particularly relevant to users who do not hold a paid enterprise license for Google Workspace.
Forensic Deficiency and Exploitation
By default, every Google Workspace user starts with a “Cloud Identity Free” license. Unless an administrator assigns a paid license, no Drive log events are recorded for actions taken within that user's private drive (My Drive). This lack of visibility makes it possible for a threat actor to manipulate or steal data without detection. The deficiency can be exploited in two ways.
In the first, a threat actor who has compromised an account with license-management (administrator) privileges revokes the target user's paid license, accesses and downloads the user's private files while no Drive events are being recorded, and then reassigns the license. The only artifacts left behind are the license revocation and reassignment entries in the Admin log; the downloads themselves are never logged. The second targets employees who are being offboarded: if the paid license is revoked before the account is suspended or disabled, the account keeps its Drive access during that interval and can download sensitive files from the private drive unnoticed.
Mitiga's researchers recommend regularly reviewing Admin log events in Google Workspace, with particular attention to license assignment and revocation: unexpected changes can indicate a threat, and a revocation followed by a reassignment for the same user in quick succession suggests an attacker is manipulating licenses to open an unlogged window. They also suggest including “source copy” events in threat hunting, to catch cases where an employee or a threat actor copies files from a shared drive (where the copy is logged) into a private drive and downloads them from there (where it is not).
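The following is an added example, written for this page and not code from Mitiga or Google, that turns the two hunting recommendations above and the two attack sequences they address into runnable detection logic: a revoke-then-reassign pair for one user within a short window (the first scenario), a revoked license with no account suspension (the second scenario), and a shared-drive-to-My-Drive copy that precedes a flip. The log records are constructed for the example, and the schema is an assumption: the field names and event names (`USER_LICENSE_REVOKE`, `USER_LICENSE_ASSIGNMENT`, `SUSPEND_USER`, `source_copy`, `source_location`, `dest_location`) stand in for whatever your export of the Admin and Drive log events actually contains and must be mapped to the real fields before use.

```python
"""Hunting for the license-flip and offboarding-gap patterns.

Added example for this page, not code from Mitiga or Google. Records are
CONSTRUCTED; field and event names are ASSUMED placeholders for the real
Admin/Drive log schema and must be mapped before running against real data.
"""
from datetime import datetime, timedelta


def _t(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed Admin log events (assumed schema).
ADMIN_EVENTS = [
    # alice: revoke, then reassign 7.5 minutes later by the same admin -> flip
    {"time": "2022-06-01T09:00:00Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_REVOKE", "user": "alice@example.com"},
    {"time": "2022-06-01T09:07:30Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_ASSIGNMENT", "user": "alice@example.com"},
    # bob: offboarding revoke with no suspension -> account still live, unlogged
    {"time": "2022-06-02T17:00:00Z", "actor": "hr@example.com",
     "event": "USER_LICENSE_REVOKE", "user": "bob@example.com"},
    # carol: offboarding done in the right order (suspend first, then revoke)
    {"time": "2022-06-02T17:05:00Z", "actor": "hr@example.com",
     "event": "SUSPEND_USER", "user": "carol@example.com"},
    {"time": "2022-06-02T17:06:00Z", "actor": "hr@example.com",
     "event": "USER_LICENSE_REVOKE", "user": "carol@example.com"},
    # dave: plan change two days apart -> outside the default flip window
    {"time": "2022-06-03T10:00:00Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_REVOKE", "user": "dave@example.com"},
    {"time": "2022-06-05T10:00:00Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_ASSIGNMENT", "user": "dave@example.com"},
]

# Constructed Drive log events (assumed schema).
DRIVE_EVENTS = [
    {"time": "2022-06-01T08:50:00Z", "user": "alice@example.com",
     "event": "source_copy", "doc_title": "Q3 board deck.pptx",
     "source_location": "shared-drive:Finance", "dest_location": "my-drive"},
    {"time": "2022-06-01T11:00:00Z", "user": "erin@example.com",
     "event": "source_copy", "doc_title": "notes.txt",
     "source_location": "my-drive", "dest_location": "my-drive"},
]


def find_license_flips(events, window=timedelta(hours=1)):
    """Revoke followed by reassignment to the same user within `window`.

    Returns [(user, actor, revoke_time, reassign_time)]. Between the two
    timestamps the user's My Drive activity would, per the report, be unlogged.
    """
    pending = {}  # user -> latest unmatched revoke event
    flips = []
    for e in sorted(events, key=lambda e: _t(e["time"])):
        if e["event"] == "USER_LICENSE_REVOKE":
            pending[e["user"]] = e
        elif e["event"] == "USER_LICENSE_ASSIGNMENT" and e["user"] in pending:
            rev = pending.pop(e["user"])
            if _t(e["time"]) - _t(rev["time"]) <= window:
                flips.append((e["user"], e["actor"], rev["time"], e["time"]))
    return flips


def find_revoked_but_active(events):
    """Users whose latest license event is a revoke and who were never
    suspended: the account keeps Drive access with logging switched off."""
    state = {}       # user -> "revoked" | "licensed"
    suspended = set()
    for e in sorted(events, key=lambda e: _t(e["time"])):
        if e["event"] == "USER_LICENSE_REVOKE":
            state[e["user"]] = "revoked"
        elif e["event"] == "USER_LICENSE_ASSIGNMENT":
            state[e["user"]] = "licensed"
        elif e["event"] == "SUSPEND_USER":
            suspended.add(e["user"])
    return sorted(u for u, s in state.items()
                  if s == "revoked" and u not in suspended)


def find_shared_to_private_copies(drive_events):
    """source_copy events that move content from a shared drive into My Drive:
    the staging step that precedes an unlogged download from the private drive."""
    return [(e["user"], e["doc_title"], e["time"]) for e in drive_events
            if e["event"] == "source_copy"
            and e["source_location"].startswith("shared-drive:")
            and e["dest_location"] == "my-drive"]


def correlate(admin_events, drive_events, lookback=timedelta(hours=1)):
    """Flips preceded (within `lookback`) by a shared-drive copy by the same
    user: the highest-confidence finding this data can support."""
    copies = find_shared_to_private_copies(drive_events)
    hits = []
    for user, actor, rev_t, _reassign_t in find_license_flips(admin_events):
        for c_user, title, c_t in copies:
            if c_user == user and timedelta(0) <= _t(rev_t) - _t(c_t) <= lookback:
                hits.append((user, title, actor))
    return hits


if __name__ == "__main__":
    print("license flips:", find_license_flips(ADMIN_EVENTS))
    print("revoked but not suspended:", find_revoked_but_active(ADMIN_EVENTS))
    print("shared-drive copies to My Drive:", find_shared_to_private_copies(DRIVE_EVENTS))
    print("correlated:", correlate(ADMIN_EVENTS, DRIVE_EVENTS))
```

The flip window is deliberately short (one hour by default) so that routine plan changes such as `dave`'s two-day gap do not page anyone; widen it with the `window` argument if your organization's license changes are batched. The offboarding check reports `bob` but not `carol`, because `carol`'s account was suspended before the license came off, which is the order that closes the gap described in the second scenario.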
Mitiga reported the findings to Google before publishing them but had not received a response at the time of writing. Google's security team typically does not treat forensic deficiencies as security problems.
Forensic Security Deficiencies
A forensic security deficiency is a situation in which an organization, or a service it depends on, fails to implement adequate measures to preserve the digital evidence needed to reconstruct a cyberattack or support a legal dispute. The consequences can be serious: lost data, compromised customer privacy, legal liability, and reputational damage. To avoid such a deficiency, an organization should take a proactive approach to forensic readiness, developing policies and procedures for collecting, storing, analyzing, and presenting digital evidence, training staff, and conducting regular audits and tests of what its logs actually capture.
This ‘forensic security deficiency’ in Google Workspace highlights the ongoing problem of data security in software-as-a-service applications. Google Drive and Google Workspace are Tier 0 applications for many organizations, yet those organizations often lack the controls needed to prevent unauthorized access to critical data. Weak access controls combined with the absence of event logging leave Google Workspace users exposed, with virtually no visibility into who or what can access their data.