November 15, 2023 at 01:36PM
Researchers at Bitdefender have identified weaknesses in Google Workspace that could lead to ransomware attacks, data exfiltration, and password decryption. The same weaknesses extend to Google Cloud Platform (GCP): they could be used to access GCP with custom permissions and to move from one machine to another. Google has stated that the weaknesses fall outside its threat model and will not receive security fixes. Bitdefender warns that they should not be taken lightly, because threat actors routinely look for and exploit exactly this kind of gap in coverage.
Google has told the researchers that the weaknesses will not be addressed and will receive no security fixes, because they fall outside the company's threat model. In Google's view, attacks that depend on an already compromised local machine, as the ones Bitdefender describes do, are covered by an organization's existing endpoint security controls and are not specific to Google.
The focal point of the attacks is Google Credential Provider for Windows (GCPW), which organizations deploy so that users can sign in to their Windows machines with their Workspace credentials. GCPW creates a local Google Accounts and ID Administration (GAIA) account with elevated privileges on each machine, and that account is used to log users in with their Workspace credentials.
The weaknesses described in the research include theft of OAuth refresh tokens and bypass of multi-factor authentication (MFA). GCPW stores a refresh token in the Windows registry, and Chrome keeps one in the user's profile; an attacker who extracts either can exchange it for access tokens to various Google services. Because MFA is enforced at the original interactive sign-in and not when a refresh token is redeemed, a stolen token is honored without any further MFA challenge. Bitdefender also notes that the Vault API could be abused to exfiltrate emails and files across the organization.
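Since the attack starts with a read of the on-disk token stores, the practical defender's question is whether such reads are visible. The following detection logic is an added example; it is not code from the article or from Bitdefender's research. It assumes that object-access auditing (Windows Security event 4663) has been enabled on the stores, that the GCPW refresh token lives under HKLM\SOFTWARE\Google\Accounts and Chrome's under <profile>\Web Data (both assumed locations), and that the allowlisted reader processes are hypothetical. The input is a constructed one-line-per-event export, not the native EVTX layout.

```python
"""Detect reads of GCPW and Chrome token stores by unexpected processes.

Added example, not from the original article or from Bitdefender's research.
It assumes that object-access auditing (SACLs producing Windows Security
event 4663) is enabled on the two stores, and that the stores live where
assumed below:
  * HKLM\\SOFTWARE\\Google\\Accounts -- assumed location of the GCPW
    refresh token (4663 reports registry keys as \\REGISTRY\\MACHINE\\...)
  * ...\\Google\\Chrome\\User Data\\<profile>\\Web Data -- assumed location
    of Chrome's token_service table
The input format is a constructed one-line-per-event 'Key=Value|Key=Value'
export, not the native EVTX/XML layout.
"""
import re
from dataclasses import dataclass

# Assumed sensitive locations, keyed by a short store name.
SENSITIVE_STORES = [
    ("gcpw_registry",
     re.compile(r"\\REGISTRY\\MACHINE\\SOFTWARE\\Google\\Accounts(\\|$)", re.I)),
    ("chrome_web_data",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", re.I)),
]

# Hypothetical allowlist of processes expected to read each store
# (lower-cased full paths). Tune to what your endpoints actually show.
EXPECTED_READERS = {
    "gcpw_registry": {
        r"c:\windows\system32\logonui.exe",
        r"c:\windows\system32\winlogon.exe",
    },
    "chrome_web_data": {
        r"c:\program files\google\chrome\application\chrome.exe",
    },
}

# Bit 0x1 of the 4663 AccessMask is FILE_READ_DATA for files and
# KEY_QUERY_VALUE for registry keys, i.e. "read the secret" in both cases.
READ_BIT = 0x1


@dataclass(frozen=True)
class Alert:
    store: str
    process: str
    user: str
    object_name: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' line into a dict."""
    fields = (f.split("=", 1) for f in line.rstrip("\n").split("|") if "=" in f)
    return {k: v for k, v in fields}


def classify_object(object_name: str):
    """Return the store name if object_name is a token store, else None."""
    for store, pattern in SENSITIVE_STORES:
        if pattern.search(object_name):
            return store
    return None


def detect(lines):
    """Return an Alert for every 4663 read of a token store by an unexpected process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4663":
            continue  # 4656 handle requests etc. are not completed accesses
        store = classify_object(ev.get("ObjectName", ""))
        if store is None:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & READ_BIT:
            continue  # e.g. a write or a SACL change; not token theft
        process = ev.get("ProcessName", "").lower()
        if process in EXPECTED_READERS[store]:
            continue
        alerts.append(Alert(store, process, ev.get("SubjectUserName", ""),
                            ev["ObjectName"]))
    return alerts


# Constructed sample export (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=4663|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Google\Accounts\110011|AccessMask=0x1|ProcessName=C:\Windows\System32\LogonUI.exe|SubjectUserName=SYSTEM",
    r"EventID=4663|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Google\Accounts\110011|AccessMask=0x1|ProcessName=C:\Users\alice\AppData\Local\Temp\dump.exe|SubjectUserName=alice",
    r"EventID=4663|ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data|AccessMask=0x1|ProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|SubjectUserName=alice",
    r"EventID=4663|ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data|AccessMask=0x1|ProcessName=C:\Program Files\Google\Chrome\Application\chrome.exe|SubjectUserName=alice",
    r"EventID=4663|ObjectName=C:\Users\alice\Documents\notes.txt|AccessMask=0x1|ProcessName=C:\Windows\notepad.exe|SubjectUserName=alice",
    r"EventID=4656|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Google\Accounts\110011|AccessMask=0x1|ProcessName=C:\Users\alice\AppData\Local\Temp\dump.exe|SubjectUserName=alice",
    r"EventID=4663|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Google\Accounts|AccessMask=0x20019|ProcessName=C:\Users\alice\AppData\Local\Temp\dump.exe|SubjectUserName=alice",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.store}] {a.user} via {a.process} -> {a.object_name}")
```

Two caveats. First, 4663 only appears if both the audit subcategory (Object Access: Registry / File System) and a SACL on the key or file are in place; without the SACL the reads are silent. Second, reading the GCPW token out of HKLM already requires elevated rights on the host, so this is after-the-fact detection on a machine that is already compromised, which is exactly the boundary Google draws in its threat model. The value is in catching the theft before the token is redeemed against cloud services.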
The research further describes an authentication bypass that lets an attacker retrieve the RSA private key needed to decrypt users' stored passwords. Bitdefender considers this the more serious issue: with plaintext passwords, an attacker has unrestricted access to the affected accounts, which can lead to complete account takeover.
The lateral movement exploit described in the research applies to VM deployments, particularly ones built from cloned images. If several machines have been cloned from the same source, an attacker who obtains the credentials of one of them can use them to traverse the others.
Bitdefender argues that these issues deserve attention even though they fall outside Google's threat model, because the compromise of a single local machine can turn into an attack on the organization's cloud infrastructure. Google's response during the disclosure process indicates that it reviewed the affected areas and concluded that their behavior is consistent with Chrome's intended practices.
In summary, Bitdefender's research describes four weaknesses around GCPW: refresh-token theft, MFA bypass, password decryption, and lateral movement across cloned VMs. Google has declined to change the behavior, while Bitdefender maintains that the risk of threat actors exploiting it is real.