(krebsonsecurity.com)

193 points todsacerdoti | 1 comments | 26 Jul 24 21:34 UTC | HN request time: 0.206s | source

Show context

breakingcups ◴[27 Jul 24 15:28 UTC] No.41087191[source]▶

This is a big deal, nobody would expect Google to fuck up this badly, least of all the parties who support Google's social login.

That means that, even if you don't want anything to do with Google at all, others could have impersonated you by registering a Google Workspace trial account on your email address, "verifying" their account through this vulnerability, and logging in to third-party sites (that support Google login) by using your email address.

replies(1): >>41096188 #

1. mystified5016 ◴[28 Jul 24 21:40 UTC] No.41096188[source]▶

>>41087191 #

> nobody would expect Google to fuck up this badly

This isn't the first time something like this has happened at google. This is like the third "gain access to google resources in an workspace you don't own" exploit in the last year.

This should be expected at this point.

↑

Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Acces