A free Google Workspace subscription could open the door for attackers to abscond with data from Google Drive without leaving any signs of their unauthorized actions due to the absence of event logging.
A group of researchers from Mitiga unearthed what they have termed a significant “forensic security gap” within the widely used productivity application: no Drive activity logs are generated for users who are not on a paid enterprise Workspace subscription. This revelation was made in a Mitiga blog post on May 30, expressing concerns that businesses could be vulnerable to insider threats and other data breaches.
Google Workspace Enterprise Plus subscribers and other paid members gain insight into Google Drive activities through “drive log events”. These record actions such as copying, deleting, downloading, and viewing files. However, according to the researchers, organizations that only have the default Cloud Identity Free license lack this visibility. This deficiency leaves organizations susceptible to potential data misuse and undetected extraction attacks, thus hindering their ability to respond promptly and effectively since they can’t accurately assess the compromised data.
Or Aspir, head of the cloud security research team at Mitiga, explained to Dark Reading: “The free license, the default for new users added to your domain, doesn’t provide any logs of Google Drive activities from their private Drive.” Aspir continued, “This constitutes the crux of the issue, as without these logs, organizations are left in the dark about possible data downloads from users’ private Drives.”
Even when companies with Google Workspace enterprise licenses issue these to employees and thus benefit from the insight provided by logs, they may still be exposed to data theft. This risk arises when users transfer files from a shared enterprise drive to their personal Google Drive, which lacks the same protection, Aspir warns.
Aspir elaborated, “If users can access shared company drives, they can transfer files to their private Drive… The company will then be left without any logs of the user downloading the transferred files from their private Drive.”
Research Outlines Potential Exploitation of Google Drive Weakness
In their post, the researchers outlined two primary scenarios where this invisibility becomes a significant issue. One such situation is where a user’s account is breached by a malicious actor who either holds administrative privileges or simply controls the compromised user’s own account.
“An attacker who compromises an admin account could revoke the user’s license, download all private files, and then reassign the license,” the researchers elucidated in their post. In this instance, the only logs generated would pertain to license revocation and reassignment, falling under Admin Log Events.
Moreover, the researchers pointed out that an attacker who gains access to a non-paid license user utilizing the organization’s private drive could download all the drive’s files without leaving a trace.
The second likely threat scenario unfolds during employee offboarding. A potential risk arises when a departing employee has their license revoked before their Google account is deactivated. The employee or any user without a paid license could download internal files from their private drive or Google Workspace undetected due to absent logging. This opens up possibilities for insider threats or accidental data exposure to external attackers. Researchers warned that users could still download files to a private Google Workspace without any log record.
“Whether a paid license is in place or not, users can access shared drives as viewers,” they stated. “A user or threat actor could copy all files from the shared drive to their private drive and then download them.”
How Can Businesses Respond?
Mitiga contacted Google regarding this vulnerability, but the researchers mentioned that they have yet to receive a response. They noted that Google’s security team generally doesn’t consider forensics deficiencies a security issue.
This highlights a broader concern for organizations using software-as-a-service (SaaS) and cloud providers. As Aspir pointed out, these organizations rely entirely on these services for what forensic data they can access. In the context of SaaS and cloud providers, it becomes a shared responsibility model. Additional safeguards can only be added to what the providers offer.
For instance, businesses are completely dependent on what Google Workspace provides. In Aspir’s view, this should include “all logs required for businesses to ascertain if something detrimental occurred, and to pinpoint what exactly happened.”
Fortunately, organizations using Google Workspace can adopt measures to prevent the vulnerability described by Mitiga from being exploited. For example, they can monitor certain actions through the Admin Log Events feature, such as license assignment and revocation events.
“If these events occur in rapid succession, it could indicate that an attacker is revoking and reassigning licenses within your environment,” they suggested in the post. “Therefore, we recommend regular threat hunting in Google Workspace that includes monitoring for this activity.”
Adding “source_copy” events to threat hunts could help identify situations where an employee or threat actor copies files from the shared drive to a private drive and downloads them.
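The two hunts described above (a license revocation followed quickly by a reassignment of the same user, and “source_copy” events that pull files out of a shared drive) can be run over exported audit events. The following script is an added example, not Mitiga’s or Google’s code. The event records are constructed and use a simplified shape; the field names (“time”, “actor”, “event”, “target”, “owner_type”) and the admin event names USER_LICENSE_REVOKE and USER_LICENSE_ASSIGNMENT are assumptions modelled loosely on Google’s Admin SDK Reports API rather than a verbatim copy of its schema, so map them to the real exported fields before use.

```python
"""Hunt for the two Workspace signals Mitiga's post recommends watching.

Added example; not Mitiga's or Google's code. Event shape and admin event
names are assumptions, not a verbatim copy of the Reports API schema.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed Admin Log Events (assumed simplified shape).
ADMIN_EVENTS: List[Dict[str, str]] = [
    {"time": "2023-05-30T09:00:05Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_REVOKE", "target": "alice@example.com"},
    {"time": "2023-05-30T09:07:40Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_ASSIGNMENT", "target": "alice@example.com"},
    # Normal offboarding: revoked, never reassigned.
    {"time": "2023-05-28T17:30:00Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_REVOKE", "target": "bob@example.com"},
    # New hire: assignment with no prior revoke.
    {"time": "2023-05-29T10:00:00Z", "actor": "admin@example.com",
     "event": "USER_LICENSE_ASSIGNMENT", "target": "carol@example.com"},
]

# Constructed Drive log events. "owner_type" is an assumed field telling
# whether the source file lives in a shared drive or a user's own Drive.
DRIVE_EVENTS: List[Dict[str, str]] = [
    {"time": "2023-05-30T11:02:10Z", "actor": "bob@example.com",
     "event": "source_copy", "owner_type": "shared_drive",
     "doc_title": "Q2-roadmap.docx"},
    {"time": "2023-05-30T11:05:00Z", "actor": "alice@example.com",
     "event": "view", "owner_type": "shared_drive",
     "doc_title": "Q2-roadmap.docx"},
    {"time": "2023-05-30T12:00:00Z", "actor": "erin@example.com",
     "event": "source_copy", "owner_type": "shared_drive",
     "doc_title": "customer-list.xlsx"},
    # Copy inside the user's own Drive: not a shared-drive exfil path.
    {"time": "2023-05-30T12:30:00Z", "actor": "dave@example.com",
     "event": "source_copy", "owner_type": "user",
     "doc_title": "notes.txt"},
]

# Constructed: users currently on the free Cloud Identity license.
UNLICENSED_USERS: Set[str] = {"bob@example.com", "dave@example.com"}


def parse_time(ts: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_license_flips(events: List[Dict[str, str]],
                       window: timedelta = timedelta(hours=1)) -> List[Dict[str, object]]:
    """Return revoke->reassign pairs for the same user within `window`.

    Such a pair brackets the interval in which the user's private Drive
    generated no logs, which is the pattern the post describes.
    """
    pending: Dict[str, datetime] = {}  # target user -> time of last revoke
    hits: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda ev: parse_time(ev["time"])):
        t = parse_time(e["time"])
        if e["event"] == "USER_LICENSE_REVOKE":
            pending[e["target"]] = t
        elif e["event"] == "USER_LICENSE_ASSIGNMENT" and e["target"] in pending:
            revoked_at = pending.pop(e["target"])
            gap = t - revoked_at
            if gap <= window:
                hits.append({
                    "target": e["target"],
                    "actor": e["actor"],
                    "revoked_at": revoked_at.isoformat(),
                    "reassigned_at": t.isoformat(),
                    "gap_seconds": int(gap.total_seconds()),
                })
    return hits


def find_shared_drive_copies(events: List[Dict[str, str]],
                             unlicensed: Set[str]) -> List[Dict[str, str]]:
    """Flag source_copy events whose source is a shared drive.

    Copies by a free-license user are rated "high": any later download
    from their private Drive will leave no log, so this copy is the last
    visible step.
    """
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["event"] != "source_copy" or e["owner_type"] != "shared_drive":
            continue
        severity = "high" if e["actor"] in unlicensed else "medium"
        findings.append({"actor": e["actor"], "doc_title": e["doc_title"],
                         "time": e["time"], "severity": severity})
    return findings


if __name__ == "__main__":
    for hit in find_license_flips(ADMIN_EVENTS):
        print("license flip:", hit)
    for f in find_shared_drive_copies(DRIVE_EVENTS, UNLICENSED_USERS):
        print("shared-drive copy:", f)
```

Run against the constructed data, the license hunt reports only alice (revoked and reassigned 455 seconds apart), not bob’s ordinary offboarding or carol’s fresh assignment, and the copy hunt rates bob’s shared-drive copy “high” and erin’s “medium” while ignoring dave’s copy within his own Drive. The one-hour window is a tuning choice; shorten it to cut noise or lengthen it if admins batch license changes.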
In summary, organizations “need to realize that a user with a free license can download or copy data from the organization’s private Google Drive with no log of the activity,” Aspir warned. “Exercise caution with users within the enterprise who do not have a paid license.”