
193 points todsacerdoti | 1 comments
nottorp No.41085277
So if you own example.com and use bigboss@example.com as log in to greatonlinegame.com ...

Someone can register example.com with Google Workspace and then they can use "login with google" to log in to your bigboss@example.com account at greatonlinegame.com, even though your account did not use "login with google".

Did I get it right?

And if I did, I wonder...

Why aren't these logins separate on greatonlinegame.com? If I did it I'd allow a login only by the method that was used to create the account, unless the user configures it otherwise.

1. haakon No.41086865
Your understanding is correct. It happened to me; someone made a Workspace for a domain name I own, and made a user on that workspace to match an email address I have on that domain, and then used "Sign in with Google" on Dropbox. Luckily I don't use Dropbox, so instead of gaining access to my files there, it just resulted in a new Dropbox account being created.

I noticed all this, of course, because I got email notifications for all of it.
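
The rule proposed in the first comment (allow a login only by the method used to create the account, unless the user configures otherwise), set beside the email-matching behaviour the thread describes. This is an added example, not code from either commenter or from any service named here; the class and function names and the sample subject ids are hypothetical.

```python
from dataclasses import dataclass, field

GOOGLE = "https://accounts.google.com"  # issuer value in Google ID tokens

@dataclass
class Account:
    email: str
    # Login methods the owner enabled: "password" or (issuer, subject) pairs.
    methods: set = field(default_factory=set)

@dataclass
class Assertion:
    """Already-validated claims from a federated login (constructed sample)."""
    issuer: str
    subject: str   # stable per-user id assigned by the identity provider
    email: str

def login_by_email(accounts, a):
    """Weak: any federated identity carrying a matching email gets the account."""
    return accounts.get(a.email.lower())

def login_by_bound_method(accounts, a):
    """Hardened: only an (issuer, subject) the owner linked opens the account."""
    acct = accounts.get(a.email.lower())
    if acct is None:
        return None          # sign-up is a separate flow, not handled here
    if (a.issuer, a.subject) in acct.methods:
        return acct
    return None              # email matches but this login method was never enabled

def link_method(acct, a, authenticated_via_existing_method):
    """Owner opts in to a new method only from an already authenticated session."""
    if not authenticated_via_existing_method:
        raise PermissionError("linking requires an existing login method")
    acct.methods.add((a.issuer, a.subject))

def demo():
    accounts = {"bigboss@example.com": Account("bigboss@example.com", {"password"})}
    # Constructed: a Workspace user someone else created for the same address.
    stranger = Assertion(GOOGLE, "sub-constructed-111", "bigboss@example.com")
    weak = login_by_email(accounts, stranger) is not None
    hard = login_by_bound_method(accounts, stranger) is not None
    # Owner later links their own Google identity while logged in by password.
    owner = Assertion(GOOGLE, "sub-constructed-222", "bigboss@example.com")
    link_method(accounts["bigboss@example.com"], owner, True)
    owner_ok = login_by_bound_method(accounts, owner) is not None
    still_blocked = login_by_bound_method(accounts, stranger) is None
    return weak, hard, owner_ok, still_blocked
```

Keying the federated identity on the issuer and subject pair rather than on the email string is what keeps a second Google identity with the same address from opening the account after the owner has linked their own.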