
193 points todsacerdoti | 3 comments
1. nurtbo No.41083697
So these attackers could gain access to any account with an email address at a domain not currently registered to a Google Workspace? This seems like a huge breach of trust. (Especially given that it gave access to accounts outside of Google.)

Is there a best practice around confirming adding social login to a pre-existing account? (Like entering current password or email confirmation?)

From the article:

> In the case of the reader who shared the breach notice from Google, the imposters used the authentication bypass to associate his domain with a Workspace account. And that domain was tied to his login at several third-party services online. Indeed, the alert this reader received from Google said the unauthorized Workspace account appears to have been used to sign in to his account at Dropbox.

2. AnotherGoodName No.41084026
From what's stated they could create a new account but not gain access to an existing account. So they create "totally_the_admin@bigco.com" and then log in via Google elsewhere and try to use that as a way to gain further access to bigco accounts, presumably by some manual support.
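A defender-side answer to nurtbo's question about confirming a social login on a pre-existing account, and to the "log in via Google elsewhere" pattern AnotherGoodName describes, written as an added example (not code from the thread, from Google, or from any of the services named): the check a third-party service can run before attaching a Google identity to an existing local account. `LocalAccount`, `link_google_identity` and the sample values are hypothetical; the claim names are the standard OpenID Connect ID-token fields.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LocalAccount:
    email: str
    google_sub: Optional[str] = None  # `sub` of the Google identity linked so far, if any

def link_google_identity(account: LocalAccount, claims: dict, proved_control: bool) -> str:
    """Return "linked" when the Google identity may be attached, else a refusal reason.

    proved_control is True only when the user has just proved control of the existing
    account through a channel the IdP cannot vouch for: the current password, or a
    confirmation link delivered to the account's own mailbox.
    """
    # 1. The IdP must at least assert that the address is verified. Necessary, not
    #    sufficient: in the incident discussed here Google asserted addresses on domains
    #    the attacker did not own, so this check alone would have passed.
    if claims.get("email_verified") is not True:
        return "refuse: email not verified by identity provider"
    # 2. The asserted address must be this account's address (case-insensitive).
    if claims.get("email", "").lower() != account.email.lower():
        return "refuse: email does not match account"
    # 3. Once linked, the Google `sub` is the stable identifier. A different `sub`
    #    presenting the same email is exactly the rogue-Workspace pattern: refuse.
    if account.google_sub is not None:
        if account.google_sub == claims.get("sub"):
            return "linked"
        return "refuse: different Google identity already linked"
    # 4. First link: an email match is not proof of ownership. Require control of the
    #    existing account before trusting the IdP's word.
    if not proved_control:
        return "refuse: prove control of existing account before linking"
    account.google_sub = claims["sub"]
    return "linked"

def demo() -> list:
    # Constructed sample: a pre-existing account at a third-party service, a token from
    # a Workspace account created on the victim's domain, and the victim's own token.
    victim = LocalAccount(email="reader@example.org")
    rogue = {"sub": "rogue-sub", "email": "reader@example.org", "email_verified": True, "hd": "example.org"}
    legit = {"sub": "real-sub", "email": "reader@example.org", "email_verified": True}
    return [
        link_google_identity(victim, rogue, proved_control=False),  # refused: no proof of control
        link_google_identity(victim, legit, proved_control=True),   # linked
        link_google_identity(victim, rogue, proved_control=True),   # refused: sub pinned
    ]
```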