Google Fixes Vulnerability That Allowed Workspace Accounts to Be Created Without Email Verification
Google has addressed a security vulnerability that allowed attackers to create unauthorized Google Workspace accounts without verifying the email address. The issue, which affected 'a few thousand' accounts, was exploited to impersonate domain holders at third-party services: an attacker could register a Workspace account carrying an address at a domain they did not control, then present that identity to other sites through the 'Sign In with Google' feature.
The tactic involved a specially crafted request that bypassed the email verification step of the Workspace account signup process. None of the affected domains had previously been associated with Workspace accounts or services, so their legitimate owners had no existing Workspace presence that would have flagged the rogue account. The unauthorized accounts were not used to abuse Google's own services; they were exploited elsewhere online, with one reported instance involving a Dropbox account.
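The exposure described above sits on the relying-party side: a service that maps a 'Sign In with Google' login onto a local account purely by the email address inherits whatever verification Google did, or in this case failed to do, upstream. The following is an added example, not Google's code and not code from the article. It shows the claim checks a relying party should run on a decoded Google ID token and an account-linking rule that refuses to merge a federated login into an existing local account on an email match alone. It assumes the token's signature has already been verified by an OIDC library; the client ID, the local account tables and the sample claims are constructed for illustration.

```python
"""Relying-party checks for a 'Sign In with Google' ID token.

Added example, not code from Google or from the article. It assumes an
OIDC library (for example google-auth) has already verified the token's
signature; this code only inspects the decoded claims and decides how the
login maps to a local account. OUR_CLIENT_ID, the account tables and the
sample claims below are constructed for illustration.
"""
import time
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
OUR_CLIENT_ID = "example-app.apps.googleusercontent.com"  # assumed client id


def validate_claims(claims: dict, now: Optional[float] = None) -> list:
    """Return the list of problems with an ID token's claims (empty = OK)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        problems.append("token was issued for a different client")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    if not claims.get("sub"):
        problems.append("missing subject identifier")
    if claims.get("email_verified") is not True:
        problems.append("email not marked verified by the identity provider")
    email = claims.get("email", "")
    hd = claims.get("hd")  # Workspace hosted domain, present for Workspace users
    if hd and ("@" not in email or email.rsplit("@", 1)[1].lower() != hd.lower()):
        problems.append("hosted-domain claim does not match the email domain")
    return problems


def link_login(claims: dict, by_sub: dict, by_email: dict, now=None) -> tuple:
    """Map a Google login to a local account.

    Returns (decision, local_account_id). Decisions:
      "reject"        - claims failed validation
      "login"         - an account is already linked to this Google 'sub'
      "link_required" - a local account uses this email but was never linked
                        to this Google identity; the user must prove control
                        of that account (password or email challenge) before
                        the two are merged
      "create"        - nothing matches; safe to create a fresh account

    The 'link_required' branch is the point: merging on email alone would let
    any Google account carrying that address, including one whose upstream
    email verification was bypassed, take over the existing local account.
    """
    if validate_claims(claims, now):
        return ("reject", None)
    sub = claims["sub"]  # stable Google identifier, unlike the email
    if sub in by_sub:
        return ("login", by_sub[sub])
    email = claims.get("email", "").lower()
    if email in by_email:
        return ("link_required", by_email[email])
    return ("create", None)


# Constructed sample data (not real accounts or tokens).
NOW = 1_700_000_000
LOCAL_BY_SUB = {"google-sub-111": "acct-alice"}
LOCAL_BY_EMAIL = {"alice@example.com": "acct-alice",
                  "admin@victim.example": "acct-victim"}


def demo() -> dict:
    """Run three constructed logins through link_login and return the decisions."""
    legit = {"iss": "https://accounts.google.com", "aud": OUR_CLIENT_ID,
             "exp": NOW + 300, "sub": "google-sub-111",
             "email": "alice@example.com", "email_verified": True}
    # A Workspace-style login whose address matches an existing local account
    # but has never been linked: every claim looks valid, yet it must not be
    # silently merged into acct-victim.
    lookalike = {"iss": "https://accounts.google.com", "aud": OUR_CLIENT_ID,
                 "exp": NOW + 300, "sub": "google-sub-999",
                 "email": "admin@victim.example", "email_verified": True,
                 "hd": "victim.example"}
    unverified = dict(lookalike, email_verified=False)
    return {
        "legit": link_login(legit, LOCAL_BY_SUB, LOCAL_BY_EMAIL, NOW),
        "lookalike": link_login(lookalike, LOCAL_BY_SUB, LOCAL_BY_EMAIL, NOW),
        "unverified": link_login(unverified, LOCAL_BY_SUB, LOCAL_BY_EMAIL, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `lookalike` case is the one this incident turns on: the token passes every claim check, because the identity provider itself asserted `email_verified`, so the only defence left to the relying party is to key on the stable `sub` and to treat an email-only match as a request to link accounts, not as a login.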
Separately, Squarespace experienced a domain hijacking incident that it attributed to a weakness in its own OAuth-based login, and said it resolved within hours. Google emphasized that the now-fixed verification bypass is unrelated to that recent issue, in which cryptocurrency-related domain names were compromised during their transition to Squarespace.
Google has patched the weakness so that email verification is enforced during Google Workspace account creation. The broader lesson for third-party services is that a federated 'Sign In with Google' login only proves what Google verified; a relying party that links logins to existing accounts by email address alone inherits any failure of that upstream verification. Users and domain owners are advised to remain vigilant and report any suspicious activity.