29 July 2024

Hackers bypass Google Workspace authentication, exposing thousands of accounts


A security weakness in the Google Workspace platform allowed hackers to bypass the email verification required to create accounts. The flaw was exploited to impersonate domain holders across various third-party services utilizing the “Sign in with Google” feature.

The vulnerability, as reported by KrebsOnSecurity, was discovered in the email verification process for new Google Workspace accounts. Hackers managed to circumvent this feature, enabling unauthorized access to third-party services through Google’s single sign-on system.

According to Google Workspace’s Anu Yamunan, the attackers used a specially constructed request to circumvent email verification during the sign-up process.

“The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third-party services using Google single sign-on,” Yamunan said.

Google’s engineers confirmed the exploitation of the issue in recent weeks. The company said it identified a small-scale campaign where the threat actors bypassed the email verification step in the account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request. These EV users could then be used to gain access to third-party applications using ‘Sign In with Google.’
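The mismatch Yamunan describes, one address on the sign-up and a different one behind the verification token, comes down to whether the verification step binds the token to the mailbox it was actually sent to. The Python below is an added illustration of that check and is not Google's code; the `VerificationService` and `SignupSession` classes, the example addresses and the 15-minute token lifetime are all assumptions. It places a check that accepts any live token next to one that refuses a token delivered to a different address, and replays the mismatch against both.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed value: how long a verification link stays valid, in seconds.
TOKEN_TTL = 15 * 60


@dataclass
class SignupSession:
    """One in-progress sign-up: the address the new account claims to own."""
    claimed_email: str
    verified: bool = False


@dataclass
class VerificationService:
    """Issues and checks e-mail verification tokens (hypothetical service)."""
    # token -> (mailbox the token was delivered to, expiry timestamp)
    issued: dict = field(default_factory=dict)

    def issue_token(self, recipient_email: str, now: float) -> str:
        """Mint a single-use token and remember which mailbox received it."""
        token = secrets.token_urlsafe(32)
        self.issued[token] = (recipient_email.lower(), now + TOKEN_TTL)
        return token

    def _live_recipient(self, token: str, now: float):
        """Return the mailbox a token was sent to, or None if unknown/expired."""
        entry = self.issued.get(token)
        if entry is None:
            return None
        recipient, expires = entry
        if now > expires:
            self.issued.pop(token, None)
            return None
        return recipient

    def verify_unbound(self, session: SignupSession, token: str, now: float) -> bool:
        """Weak check: any live token marks the session's claimed address verified.

        The token is never compared with the address it was sent to, so a
        token delivered to one mailbox "verifies" a completely different one.
        """
        if self._live_recipient(token, now) is None:
            return False
        self.issued.pop(token, None)
        session.verified = True
        return True

    def verify_bound(self, session: SignupSession, token: str, now: float) -> bool:
        """Hardened check: the token must have been sent to the claimed address."""
        recipient = self._live_recipient(token, now)
        if recipient is None:
            return False
        claimed = session.claimed_email.lower()
        # Constant-time compare; encode so non-ASCII addresses are accepted too.
        if not hmac.compare_digest(recipient.encode(), claimed.encode()):
            return False
        self.issued.pop(token, None)   # single use
        session.verified = True
        return True


def run_scenario(now: float = None) -> dict:
    """Replay the address mismatch from the article against both checks."""
    now = time.time() if now is None else now
    results = {}
    for name, check in (("unbound", VerificationService.verify_unbound),
                        ("bound", VerificationService.verify_bound)):
        svc = VerificationService()
        # Constructed addresses: the sign-up claims a domain the requester does
        # not control, while the token goes to a mailbox they do control.
        session = SignupSession(claimed_email="admin@victim.example")
        token = svc.issue_token("someone@other-mail.example", now)
        results[name] = check(svc, session, token, now)
    return results


if __name__ == "__main__":
    print(run_scenario())   # {'unbound': True, 'bound': False}
```

The binding here is a server-side record of which mailbox each token went to, checked at redemption time together with expiry and single use; an HMAC over the address and expiry would achieve the same binding without server state. Either way, the property a reviewer should look for is that a token can only ever mark verified the exact address it was delivered to.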

Google said that the campaign affected “a few thousand” accounts, starting in late June. However, user comments on TheHackerNews and KrebsOnSecurity suggest the issue might have been exploited as early as the beginning of June, indicating the vulnerability could have been present for at least two months before being addressed.

The malicious activity involved Google Workspace accounts created without domain verification. Google Workspace typically offers a free trial, providing access to services like Google Docs, while restricting Gmail to users who validate domain ownership. The flaw allowed attackers to bypass this validation process, though Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.

Yamunan noted that the attackers primarily aimed to impersonate domain holders on other online services rather than abuse Google’s services.
