Cybersecurity researchers from Mitiga found a serious vulnerability in Google Workspace that allows attackers to download files from Google Drive without leaving any trace in system logs. This creates a very real risk of data leakage for enterprises, which a company may learn about only when the attacker begins to extort it.
The vulnerability is that for Google Workspace users with the free Cloud Identity Free license, no Drive logs are generated in which file actions would be recorded. For users with a paid Google Workspace Enterprise Plus license, such logs are of course created. This fact leaves the organization literally blind to potential data exfiltration attacks. And this applies not only to small organizations that cannot afford a license; the problem is much more serious.
“The Google Workspace Free License is used by default when adding a new user to your domain, which means that even with a paid corporate license, you will not receive any activity logs from the personal Drive of new users. This is the main problem, because without these logs you can’t see who potentially uploads data to their personal Drive,” explains Or Aspir, head of the Mitiga cloud research team.
“If private users without a paid license have permission to access some of the company’s shared drives, they can copy files from a shared drive to their own. And then, when the user downloads these copied files from his Drive, the company will receive no logs or notifications about it,” added Aspir.
Researchers identified two main attack scenarios. The first is compromising the account of a current employee of the enterprise. The attacker can revoke the license of the compromised account, copy the needed data from the shared drive (previously granted access does not disappear along with the license) and download it from the account’s Drive. When the “work is done,” the attacker reassigns the license. In this scenario, the only log entries that will be created are the revocation and reassignment of the license. And even if that looks suspicious, or the employee notices that his account was compromised, no one will know what data was stolen.
The second scenario is an insider attack. If an employee who holds a grudge is leaving the company, he can copy all the corporate data to his own Drive in advance, while he still has access. And then, when he is fired and the license is revoked, he will be able to download all that data from his Drive without any notification to the company.
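One way a defender could hunt for the footprint of both scenarios in admin audit data, as an added example that is not Mitiga’s or the article’s own code; the event names, field layout, sample events and shared-drive membership list are constructed placeholders, not Google’s actual audit schema:

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample of admin audit events. Field and event names are
# placeholders for this example, not Google's real log schema.
EVENTS = [
    {"ts": "2023-05-30T09:02:00", "actor": "admin@corp.example", "event": "LICENSE_REVOKE", "target": "alice@corp.example"},
    {"ts": "2023-05-30T09:05:00", "actor": "admin@corp.example", "event": "LICENSE_ASSIGN", "target": "alice@corp.example"},
    {"ts": "2023-05-30T17:30:00", "actor": "hr@corp.example",    "event": "LICENSE_REVOKE", "target": "bob@corp.example"},
    {"ts": "2023-05-31T08:00:00", "actor": "admin@corp.example", "event": "LICENSE_ASSIGN", "target": "carol@corp.example"},
]

# Constructed list of accounts that are members of corporate shared drives.
SHARED_DRIVE_MEMBERS = {"alice@corp.example", "bob@corp.example"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_license_cycles(events, window_hours=24):
    """Return (target, revoke_ts, assign_ts) for every license revocation that is
    followed by a reassignment of the same account within window_hours. That
    revoke/reassign pair is the only trace scenario one leaves in the logs."""
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_target[e["target"]].append(e)
    cycles = []
    for target, evs in by_target.items():
        pending = None  # timestamp of the most recent unmatched revoke
        for e in evs:
            if e["event"] == "LICENSE_REVOKE":
                pending = parse_ts(e["ts"])
            elif e["event"] == "LICENSE_ASSIGN" and pending is not None:
                if parse_ts(e["ts"]) - pending <= timedelta(hours=window_hours):
                    cycles.append((target, pending, parse_ts(e["ts"])))
                pending = None
    return cycles


def unlogged_shared_drive_access(events, members):
    """Accounts whose license was revoked while they still hold shared-drive
    access: they can copy and download corporate files with no Drive log,
    which covers both the compromised-account and the departing-insider case."""
    revoked = {e["target"] for e in events if e["event"] == "LICENSE_REVOKE"}
    return sorted(revoked & members)
```

Feeding real admin audit exports into these two checks gives a review list of accounts to inspect and a prompt to remove stale shared-drive memberships when a license is pulled.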