Technical details of long-since patched Google cloud software vulnerability released

Researcher details easy-to-exploit bug that exposed GSuite accounts to full takeover

A security researcher has released details of a high-impact, but long-since patched vulnerability in Google’s GSuite that allowed an attacker to add themselves as a super admin on any organization’s account.

Back in 2018, researcher Cameron Vincent was probing Google’s attack surface for bugs under the tech giant’s Vulnerability Reward Program (VRP).

The object of his attention was GSuite – Google’s suite of cloud computing, productivity, and collaboration tools that was rebranded as Workspace last year – particularly the registrar feature.

RELATED Google awards Uruguayan researcher $133,337 top prize in cloud security competition

“In GSuite the main admins of the organization are super admins,” Vincent explains in a blog post published this week (November 9). “They can create group[s], manage users, change users’ passwords, [and] manage everything.”

After creating a GSuite account subscription, the super admin uses to manage users, add other admins, and manage payment methods.

Manipulating requests

In examining the ‘add new user’ process through, Vincent discovered that simply manipulating POST requests could allow an attacker to add themselves as administrator of any organization’s GSuite account.

“There are two things needed to do this,” he said. “First, you need the domain of the GSuite org… and then the ID of the GSuite organization you are targeting.”

A proof of concept video shows the attack in action.

Read more of the latest web security research from around the world

In written comments to The Daily Swig this week, Vincent confirmed that he discovered the flaw back in 2018 – well before GSuite’s rebranding to Workspace, as the software package is now known.

He decided to release the details this week as part of a wider project to revisit his previous security research under Google and Microsoft’s bug bounty programs.

“It was properly disclosed through Google’s VRP program and [I] was given a bounty,” he said.

Still, the huge popularity of the software (more than four million businesses were said to be using GSuite in 2018) and easy-to-exploit nature of the bug will no doubt make sobering reading for sysadmins.

Google did not immediately respond to our request for comment. This article will be updated if we hear back.

Vincent is currently second in Google’s 0x0A bug hunter leaderboard.

RECOMMENDED Smuggling hidden backdoors into JavaScript with homoglyphs and invisible Unicode characters