Cybersecurity researchers from Bitdefender claim to have found severe weaknesses in Google Workspace which could allow threat actors to deploy ransomware, steal sensitive data, and decrypt stored passwords.
Google, on the other hand, says the actual problem lies elsewhere and as far as it’s concerned – this is a non-issue.
In its report, Bitdefender says the problem began with an organization using the Google Credential Provider for Widows (GCPW) which can be used for mobile device management (MDM) and single-sign-on (SSO).
Google sees no problem
When the company installs GCPW, it creates a local Google Accounts and ID Administration (GAIA) account, as well. This account has high privileges. GCPW then proceeds to add a new Credential Provider to the Local Security Authority Subsystem Service (lsass), allowing users to log into their Windows machine using their Workspace credentials.
Furthermore, GAIA creates a new local account for users that authenticate using GCPW, and associates the local account with the Workspace account. This local account also houses refresh tokens that provide access to Google APIs.
And that’s part of the problem – hackers can steal these refresh tokens and later decrypt them using adjacent tools like Mimikatz. The attackers can also issue tokens by crafting specific POST requests, giving themselves permission to access any services within the token’s scope. This, in turn, would allow them to steal data from further services such as Gmail or Google Drive. Furthermore, there are ways to abuse the tool to move laterally between virtual machine (VM) deployments.
But Google is having none of it. It says the weaknesses fall outside of the company’s threat model, and as such will not receive any security upgrades. According to the company, the entire vulnerability chain relies on the local machine being previously compromised, which is something the target firm should be handling, and not Google. In other words, if a machine gets compromised like this, access to Google Workspace will be the least of the victim’s concerns.
Still, Bitdefender argues that Google shouldn’t be turning a blind eye on this weakness as it’s realistic for it to be abused. “Threat actors often seek out and exploit these gaps in coverage,” the company concluded.