Cybersecurity Threat Advisory

In this Cybersecurity Threat Advisory, we’re looking at a critical Google OAuth vulnerability that allows ex-employees to maintain access to applications such as Slack and Zoom. After offboarding, attackers can achieve access by creating non-Gmail accounts using corporate email aliases. This poses severe risks, including unauthorized access and potential data breaches. Barracuda MSP recommends disabling Google login where possible, enforcing Security Assertion Markup Language (SAML), and vigilant monitoring to mitigate these risks.

What is the threat?

This vulnerability derives from the creation of persistent non-Gmail Google accounts using corporate email aliases, posing a threat to organizations relying on Google OAuth for authentication. The specific risk is tied to former employees retaining access to platforms like Zoom and Slack after being offboarded. Attackers can exploit this by creating accounts outside the corporate Google organization using email aliases and plus-sign email forwarding. The critical issue lies in the persistence of these non-Gmail Google accounts, which remain undetected in administrative settings, allowing for potential unauthorized access and account takeover.

The ambiguity in Google’s OAuth documentation further complicates the situation. While it advises against using email as a primary identifier, it lacks robust preventive measures. The vulnerability allows for the creation of accounts with email claims that can be manipulated, potentially leading to two different Google accounts sending the same email claim. The vulnerability extends beyond Gmail accounts, as non-Gmail accounts can be generated using existing email addresses, amplifying the risk of unauthorized access to critical platforms.

Why is it noteworthy?

This is significant due to its potential impact on widely used services and platforms. The ability for former employees to maintain access after being offboarded introduces a high potential for damage, including unauthorized data access and potential account takeovers.

This vulnerability exposes a new attack vector, allowing individuals to exploit Google OAuth’s ambiguity to create persistent non-Gmail Google accounts. These accounts remain invisible in administrative settings, making them difficult for organizations to detect and mitigate. Given the popularity of Google OAuth for authentication, the broader implications of this vulnerability underscore the need for robust security measures, and it serves as a cautionary tale for organizations relying on OAuth for their authentication processes.

What is the exposure or risk?

Exploiting this flaw allows former employees to maintain access after offboarding, leading to potential data breaches and compromised security. Because the vulnerability enables persistent non-Gmail Google accounts, it raises the risk of further compromise, potentially resulting in extensive unauthorized access, data exfiltration, and account takeovers. Organizations leveraging Google OAuth across various services face heightened risks, including reputational damage, financial loss, and the compromise of sensitive corporate data.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of this Google OAuth vulnerability:

  • Organizations:
    • Disable login with Google where possible and enforce SAML for increased security.
    • Regularly monitor Google admin consoles for suspicious activities, focusing on email claims and account creation.
  • Service Providers:
    • Implement additional checks, such as validating the hd claim, to determine organization membership.
    • Consider disallowing just-in-time account creation and opting for invite-only or LDAP group-only provisioning.
    • If you do not support SAML, consider alternative provisioning methods, such as invite-only or LDAP group-only.
    • Regularly monitor Google admin consoles for suspicious activities, focusing on email claims and account creation.
    • Implement measures to prevent the creation of Google accounts using existing Google Organization domains.
    • Enhance administration settings to control email aliases and plus-signed accounts.
    • Extend the ban on certain Google accounts to improve overall security.
    • Regularly review and update security measures based on evolving threats and vulnerabilities.
    • Enable default notification rules to stay alert to potential security events.
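
The service-provider checks recommended above (validate the hd claim, do not treat email as the identifier, no just-in-time account creation), sketched as an added example that is not code from Barracuda or Google. It assumes the ID token's signature, audience and expiry were already verified by an OIDC library; ALLOWED_HD, ACCOUNTS_BY_SUB and both claim sets are constructed.

```python
# Added example: claim checks for a relying party, run only AFTER the ID
# token's signature, audience and expiry have been verified by an OIDC library.
# ALLOWED_HD, ACCOUNTS_BY_SUB and both claim sets are constructed sample data.

ALLOWED_HD = "example.com"  # assumed Workspace domain of the customer tenant
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Accounts are provisioned ahead of time (invite-only) and keyed on sub.
ACCOUNTS_BY_SUB = {"1001": {"user": "alice", "role": "member"}}

WORKSPACE_CLAIMS = {  # constructed: account managed by the Workspace org
    "iss": "https://accounts.google.com", "sub": "1001",
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
}
ALIAS_CLAIMS = {  # constructed: non-Gmail Google account on a plus alias
    "iss": "https://accounts.google.com", "sub": "2002",
    "email": "alice+slack@example.com", "email_verified": True,
}


def authorize_login(claims, accounts_by_sub=ACCOUNTS_BY_SUB):
    """Return (account, reason); account is None when the login is refused."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return None, "unexpected issuer"
    # Membership comes from hd, never from the domain part of the email claim:
    # the alias account above has an @example.com email but no hd claim.
    if claims.get("hd") != ALLOWED_HD:
        return None, "hd claim missing or not the tenant domain"
    if claims.get("email_verified") is not True:
        return None, "email not verified"
    # Identity is the stable sub value, so two Google accounts that send the
    # same email claim can never resolve to the same local user.
    account = accounts_by_sub.get(claims.get("sub"))
    if account is None:
        return None, "no provisioned account for this sub"  # no JIT creation
    return account, "ok"


if __name__ == "__main__":
    for name, claims in (("workspace", WORKSPACE_CLAIMS), ("alias", ALIAS_CLAIMS)):
        print(name, authorize_login(claims))
```

Logging the refusal reason together with the sub and email claims gives the monitoring recommended above something concrete to alert on.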

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.


Posted by Anika Jishan

Anika is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Anika supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
