Technical details of long-since patched Google cloud software vulnerability released
A security researcher has released details of a high-impact, but long-since patched vulnerability in Google’s GSuite that allowed an attacker to add themselves as a super admin on any organization’s account.
Back in 2018, researcher Cameron Vincent was probing Google’s attack surface for bugs under the tech giant’s Vulnerability Reward Program (VRP).
The object of his attention was GSuite – Google’s suite of cloud computing, productivity, and collaboration tools that was rebranded as Workspace last year – and in particular the domains.google.com registrar feature.
“In GSuite the main admins of the organization are super admins,” Vincent explains in a blog post published this week (November 9). “They can create group[s], manage users, change users’ passwords, [and] manage everything.”
After creating a GSuite account subscription, the super admin uses domains.google.com to manage users, add other admins, and manage payment methods.
In examining the ‘add new user’ process through domains.google.com, Vincent discovered that manipulating the parameters of the POST request was enough to add an attacker-controlled account as an administrator of any organization’s GSuite account: the backend accepted the client-supplied identity of the target organization without checking that the caller actually administered it.
“There are two things needed to do this,” he said. “First, you need the domain of the GSuite org… and then the ID of the GSuite organization you are targeting.”
A proof of concept video shows the attack in action.
In written comments to The Daily Swig this week, Vincent confirmed that he discovered the flaw in 2018, well before GSuite was rebranded as Workspace, the name under which the software package is now sold.
He decided to release the details this week as part of a wider project to revisit his previous security research under Google and Microsoft’s bug bounty programs.
“It was properly disclosed through Google’s VRP program and [I] was given a bounty,” he said.
Still, the huge popularity of the software (more than four million businesses were said to be using GSuite in 2018) and the ease with which the bug could be exploited will no doubt make sobering reading for sysadmins.
Google did not immediately respond to our request for comment. This article will be updated if we hear back.
Vincent is currently second in Google’s 0x0A bug hunter leaderboard.