Google Workspace Exposed to Password Theft

Researchers have discovered new weaknesses in Google Workspace that could lead to ransomware attacks, data exfiltration and password decryption. Google does not consider these weaknesses to be Google-specific bugs, as they fall outside the company’s threat model. However, the researchers warn that they are potentially exploitable and should not be taken lightly.

The attacks involve an organization’s use of Google Credential Provider for Windows (GCPW), which offers mobile device management (MDM) and single sign-on (SSO) capabilities. When GCPW is installed on a machine, a local Google Accounts and ID Administration (GAIA) account is created with elevated privileges. GCPW adds a credential provider to Windows’ Local Security Authority Subsystem Service (LSASS) so users can log into their Windows machine using their Workspace credentials. Attackers can steal an account’s refresh tokens from one of two locations, depending on the age of the token. Once created, the tokens are briefly stored in a Windows registry value, encrypted using the CryptProtectData function.

The tokens are then stored more permanently in the user’s Chrome profile. Decryption is possible in both locations. The authentication bypass exploit can help attackers retrieve the RSA key required to decrypt user passwords. Access tokens pose a security risk because they give attackers limited access within the boundaries defined by the token’s permissions. Access to plaintext credentials, such as usernames and passwords, represents a more severe threat. Lateral movement exploits apply mainly to virtual machine (VM) deployments and rely on the common practice of cloning VMs. The initial compromise of the device comes into play here, as the researchers found that the way to obtain the GAIA account’s credentials is to use malware capable of listing secrets stored in LSASS, such as Mimikatz.

Affected Products

  • Google Workspace

Mitigation Strategies

  • Conduct effective cybersecurity training for employees.
