Google Workspace's Licensing Issue Exposes Companies to Insider Threats and Data Breaches

A recent study by Mitiga has uncovered a vulnerability in Google Workspace that can put companies at risk of insider threats and data breaches. The vulnerability stems from the default licensing configuration of Google Drive, which may allow former employees with ill intentions and other malicious actors to access the company's confidential files in the cloud.

Mitiga researchers have found that all Google Drive users begin with a license called "Cloud Identity Free." To unlock more features, an admin must assign a paid license, like Google Workspace Enterprise Plus, to the user. Once the paid license is assigned, the employee's activities, including deleting, copying, downloading, and sharing files, are closely watched and documented using the "Drive log events" feature.

A significant risk arises when the employee's paid license is either taken away or never granted, particularly for employees facing termination. If the license is removed before the employee's Google account is disabled or deleted, the employee can quietly access and download files from their personal drive without triggering any notifications. This gives a disgruntled ex-employee the opportunity to expose sensitive data in a retaliatory breach and, in effect, become an insider threat.

Mitiga reveals that users without a paid license in Google Workspace retain the ability to view shared drives. They can freely copy all files from a shared drive to their private storage and download them, leaving no discernible logs or traces. This lets a threat actor cover their tracks after illicitly acquiring valuable data.

The concern revolves around the logging mechanism employed by Google Drive. File-copying activity involves two distinct types of log records, "copy" and "source_copy". Users without a paid license generate only "source_copy" records when they access cloud storage within an organization. Because download actions from a user's personal drive are not comprehensively logged, a company that looks only for "copy" events and overlooks "source_copy" events will fail to identify this kind of data exfiltration.
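The check implied by that logging gap can be sketched as follows. This is an added example, not code from Mitiga or Google: the flat record layout, the sample events and the 30-second pairing window are assumptions, and it presumes that a copy made by a licensed user produces both record types close together in time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field names (time, actor, event, doc) are an
# assumed flat layout; map them from whatever your Drive log export produces.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:00", "actor": "licensed@example.com", "event": "source_copy", "doc": "roadmap.docx"},
    {"time": "2023-06-01T09:00:01", "actor": "licensed@example.com", "event": "copy", "doc": "Copy of roadmap.docx"},
    {"time": "2023-06-01T09:05:00", "actor": "licensed@example.com", "event": "source_copy", "doc": "budget.xlsx"},
    {"time": "2023-06-01T09:05:02", "actor": "licensed@example.com", "event": "copy", "doc": "Copy of budget.xlsx"},
    {"time": "2023-06-01T09:06:00", "actor": "licensed@example.com", "event": "download", "doc": "budget.xlsx"},
    {"time": "2023-06-01T17:30:00", "actor": "leaver@example.com", "event": "source_copy", "doc": "customers.xlsx"},
    {"time": "2023-06-01T17:30:04", "actor": "leaver@example.com", "event": "source_copy", "doc": "pricing.pdf"},
    {"time": "2023-06-01T17:30:09", "actor": "leaver@example.com", "event": "source_copy", "doc": "contracts.zip"},
]

PAIR_WINDOW = timedelta(seconds=30)  # assumed maximum gap between paired records


def unpaired_source_copies(events, window=PAIR_WINDOW):
    """Return {actor: [doc, ...]} for source_copy records with no copy record nearby."""
    by_actor = defaultdict(lambda: {"copy": [], "source_copy": []})
    for ev in events:
        if ev["event"] in ("copy", "source_copy"):
            ts = datetime.fromisoformat(ev["time"])
            by_actor[ev["actor"]][ev["event"]].append((ts, ev["doc"]))

    findings = {}
    for actor, recs in by_actor.items():
        copies = sorted(ts for ts, _ in recs["copy"])
        used = [False] * len(copies)
        for ts, doc in sorted(recs["source_copy"]):
            # Claim the first unused copy record by the same actor inside the window.
            match = next((i for i, c in enumerate(copies)
                          if not used[i] and abs(c - ts) <= window), None)
            if match is None:
                findings.setdefault(actor, []).append(doc)  # source_copy with no partner
            else:
                used[match] = True
    return findings


if __name__ == "__main__":
    for actor, docs in unpaired_source_copies(SAMPLE_EVENTS).items():
        print(f"{actor}: {len(docs)} unpaired source_copy event(s): {docs}")
```

An actor who appears in the result with many documents in a short period is the pattern the article describes: files copied out of a shared drive by an account that produces no "copy" records.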

Mitiga says it has tried to inform Google about this vulnerability but has not received an official response from the tech giant. Drawing on past advisories, the cybersecurity analyst implies that Google's security team frequently overlooks the significance of forensic deficiencies as a security concern.

The vulnerability in Google Workspace's default licensing settings raises concerns about the potential exposure of sensitive company data to insider threats. It highlights the need for organizations to review their access control and user management processes, ensuring that licenses are appropriately assigned and revoked to prevent unauthorized access to cloud resources.

