Researchers have identified a critical Google Workspace Security issue, which can lead to data exfiltration without leaving a trace.

This makes it invisible to security tools and officials making it a severe security issue in Google Workspace. The researchers reached out to Google Workspace for mitigation, however, the company called it an ‘intended behavior.’

“We discovered this issue approximately two months ago while conducting our SaaS and cloud threat hunts. During our investigation of Google Workspace logs and drive activity, we identified this particular deficiency in forensic visibility,” Mitiga cloud security research team leader Or Aspir told The Cyber Express.

They found that the expected logs were not getting generated while working with Google Workspace and that the issue was linked to the user license associated with Google Drive.

This observation drew the research team to know that there was a possibility of data exfiltration, which would go unnoticed by security tools.

Google, however, negated the risk of the Google Workspace security issue, Aspir told The Cyber Express.

“Unfortunately, their response indicated that the issue was considered “intended behavior”, implying that the lack of forensic visibility was not seen as a flaw requiring immediate action,” he said.

Google Workspace security issue: Possible issues

“By default, every Google Drive user starts by possessing a “Cloud Identity Free” license. To get more features, an admin must assign a paid license, in our research this license is “Google Workspace Enterprise Plus” to their users,” said the Mitiga advisory.

When a “Google Workspace Enterprise Plus” license is not assigned, there are no log records of actions in the users’ private drive.

“All users can access the Workspace and complete actions with the files inside their private company drive. They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks,” it added.

These are some of the instances where hackers manage to gain unauthorized access to data and yet go undetected. This leaves organizations with little to no information to trace and report security incidents while also losing security.

“This means that their actions can go undetected, posing a significant challenge for organizations in detecting and responding to data breaches or unauthorized access incidents,” Or told The Cyber Express.

Google hosts over six million businesses that use Google Workspace, including Google Drive. However, this also makes it a target of data exfiltration and security threats.

“We strongly urge the Google team to recognize the potential risk associated with the lack of forensic visibility for users without a paid license,” Or said when asked about what Google could have done or could still do to help secure access and systems.

It is essential to offer Google Drive logs to all users even those without a paid license as this could help in the incident response capabilities of organizations that rely on Google Workspace.

So far, the cloud security response company has not detected any instances of exploitation of the Google Workspace security issue in the wild.

How to bypass the Google Workspace security issue

According to Mitiga, customers should adopt these steps to bypass the Google Workspace security issue.

1. It is required of SOC team members to actively monitor user license revoke and assignment events. These events can help provide indicators of the compromise of data.
2. It is advised to either remove or avoid users who are found accessing the Google Workspace domain with a free license. They may be assigned a paid license for their visibility and protection of data from exfiltration.
3. “Adopting a holistic Breach Readiness Approach, maintaining a Forensic Data Lake, and having a team with a SaaS- and cloud-focused IR partner to assist companies in such inevitable cases was essential,” the researcher added.
4. Such Google Workspace security issues seek purpose-built technology and cloud forensic capabilities to be integrated by the hired IR partner.

Paid license environment can create better security because it would ensure that all user’s actions are logged and monitored for suspicious behavior.

Proactively efforts including threat hunting on one’s SaaS and cloud environment, and Google Workspace is also essential to prevent security issues.

The default Cloud Identity Free license does not ensure that all log records will be retained.

Moreover, it is also important to collect forensic data to handle security issues that could lead to Google Drive data exfiltration. Mitiga is set to release its discovery of the Google Workspace security issue today on its platform.