Google Workspace Accounts Created by Bypassing Verification


We all get irritated at times by email verification systems, even though we know they keep our accounts and information safe. Imagine the shock when it turns out criminals bypassed that verification. Google has admitted to fixing an authentication weakness in Workspace accounts that allowed criminals to bypass email verification.

Google Admits to Compromising Workspace Accounts

This admission stems from a person notifying a cybersecurity blog, explaining that they had received a notice that their email address had been used to create a Workspace account. Google blocked it, as it was potentially malicious.


The notice from Google read that they had identified a campaign by cybercriminals that bypassed email verification to create Email Verified Google Workspace accounts via a “specially conducted request.” This allowed the criminals to get access to third-party apps that use “Sign in with Google”.

Google went on to say it fixed the weakness within 72 hours of finding it. It has also added more detection, in the hope of keeping the authentication from being bypassed in the future.

How Cybercriminals Bypassed Email Verification

Director of Abuse and Safety Protections at Google Workspace, Anu Yamunan, told the cybersecurity blog that the criminal activity started in late June, and “a few thousand” Workspace accounts were created without the email verification.

Bypassing the check mattered to the criminals because only Google Workspace accounts that can verify control over the domain name associated with their email address can access services that aren’t in the free trial. Before this, none of the affected domains had been associated with a Workspace account.

The cybercriminals used one email address to attempt to sign in and a different one to verify a token. Once the email had been verified, they would sometimes access a third-party service using a Google sign-on.
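The mismatch described above, one address at sign-in and a different one at token verification, is the gap that binding a token to its address closes. The following is an added example, not code from the original article and not Google's implementation: a verification token whose MAC covers the address and the signup it was issued for. The function names, `signup_id`, and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here for the example
TOKEN_TTL = 15 * 60                   # seconds a mailed verification token stays valid


def _mac(email: str, signup_id: str, expires: int) -> bytes:
    # JSON-encode the fields so no delimiter trick can shift data between them.
    msg = json.dumps([email.strip().lower(), signup_id, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(email: str, signup_id: str, now: Optional[float] = None) -> str:
    """Token mailed to `email`; its MAC covers that address and that signup."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(email, signup_id, expires).decode()}"


def verify_token(token: str, email: str, signup_id: str,
                 now: Optional[float] = None) -> bool:
    """True only for an unexpired token issued for this exact address and signup."""
    try:
        expires_text, mac = token.split(".", 1)
        expires = int(expires_text)
        presented = mac.encode()
    except ValueError:
        return False
    if (time.time() if now is None else now) > expires:
        return False
    return hmac.compare_digest(presented, _mac(email, signup_id, expires))


def demo() -> dict:
    # Constructed scenario: the signup claims an address on someone else's domain,
    # while the token presented was mailed to a different, requester-controlled address.
    claimed, controlled = "admin@victim-domain.example", "user@other-domain.example"
    own = issue_token(controlled, "signup-42", now=1_000)
    legit = issue_token(claimed, "signup-42", now=1_000)
    return {
        "token_for_other_address": verify_token(own, claimed, "signup-42", now=1_060),
        "token_for_claimed_address": verify_token(legit, claimed, "signup-42", now=1_060),
        "expired": verify_token(legit, claimed, "signup-42", now=1_000 + TOKEN_TTL + 1),
    }
```

The verifier takes the address from the server-side signup record, never from the verification request, so a token mailed to one address cannot confirm another.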

It’s worth noting, too, that none of the Workspace accounts were used to affect Google services negatively, only to impersonate domain holders. The person who contacted the blog said the process was used to associate his domain with a Workspace account. His domain is connected to multiple third-party services, and Google informed him that the unauthorized Workspace account was used to sign in to his account with Dropbox.

It sounds like if you haven’t received a notice from Google about your email, you don’t need to worry about your domain. But you may still become frustrated, knowing that you have to provide email verification when signing in with Google, even though cybercriminals figured out a way to bypass that step. You also may want to check out this Clario review of a cybersecurity app.



Laura Tucker
Contributor
