Security Vulnerability in Google Drive Allowed Hackers to Extract Data

Morgan Phisher February 3, 2024

Hey there Bay Area techies! I’ve just learned about some pretty serious concerns involving our beloved Google Drive, and I thought it would be worth sharing with you all, especially those of us who work in the cybersecurity and healthcare fields. So here’s the scoop.

You know how Google Drive is like a super-popular digital playground in the cloud, right? It’s a bit like our Dolores Park on a sunny Saturday, frequented by countless folks from all walks of life – and unfortunately, just like in any crowded place, some unwelcome guests can show up. Some folks with malicious intent are targeting this cloud-based storage platform, and the stakes are big: we’re talking data theft.

The research team from Mitiga has been investigating this, trying to figure out how these bad actors sneak in and smuggle precious data out of Google Workspace without leaving a trace. Kind of feels like an episode of CSI: Cyber, doesn’t it?

Now, Google tries to keep their digital park clean and safe by using “Drive log events” – a way to track and monitor actions in a company’s Google Drive resources. It’s like having an excellent neighborhood watch. Even when you share something with people outside your organization, Google logs it all.

Here’s the catch though – this service is only available to those holding a paid license. It’s like a VIP lounge inside the digital Dolores Park that only paying folk can get into. Everyone else gets the basic access with their default “Cloud Identity Free” license – a bit like being able to enjoy the park, but without the added security of the VIP area.

Now, two main issues can crop up because of this. Firstly, if one of these no-gooders manages to hack into an admin user’s account, they can wreak all kinds of havoc, controlling important actions, and no one would be the wiser. Or worse, they can sneak into an account that doesn’t have a paid license but still has access to your company’s private Drive, and with no Drive log events for that account, nothing it does there gets recorded.

Secondly, let’s imagine an employee decides to leave your company. Before you’ve even cut their farewell cake, their license might have already been revoked, but their account isn’t disabled. This is super tricky, because you get no heads-up: they could download files straight from their private Drive, and, you guessed it, no trace left behind!

Mitiga’s cybersecurity sleuths have noted all this down and reached out to Google, but we’re still waiting on an official word from them. In the meantime, they recommend keeping an eye on all events around the assignment and revocation of licenses in your “Admin Log Events”, since that is where a revocation still shows up even when the affected account’s Drive activity doesn’t. Also, keep conducting regular sweeps of Google Workspace to spot any suspicious activity, and try to catch files being copied from a shared drive to a private one by monitoring the “source_copy” events.
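One way to turn those two recommendations into a hunt, as an added example that is not Mitiga’s or Google’s code: it walks Admin and Drive activity records in the shape the Admin SDK Reports API returns, and the event and parameter names it keys on (USER_LICENSE_REVOKE, USER_EMAIL, owner_is_shared_drive, doc_title) plus the sample records are assumptions you should check against your own tenant’s logs.

```python
# Added example, not Mitiga's or Google's code. Records mimic what the Admin
# SDK Reports API (activities.list) returns for applicationName "admin" and
# "drive"; the names USER_LICENSE_REVOKE, USER_EMAIL, owner_is_shared_drive
# and doc_title are assumptions, so map them to what your tenant emits.

def _param(event, name):
    """Return the value of a named event parameter, or None if absent."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value", p.get("boolValue"))
    return None

def unlicensed_but_active(admin_records, disabled_users):
    """Users whose license was revoked while the account stays enabled: Drive
    stops logging their actions, so they need suspension or a manual review."""
    findings = []
    for rec in admin_records:
        for ev in rec.get("events", []):
            user = _param(ev, "USER_EMAIL")
            if ev.get("name") == "USER_LICENSE_REVOKE" and user and user not in disabled_users:
                findings.append({"user": user, "time": rec["id"]["time"]})
    return findings

def shared_drive_copies(drive_records):
    """source_copy events whose source file lives in a shared drive: the copy
    landing in an unlicensed user's Drive may never be logged, the source side is."""
    hits = []
    for rec in drive_records:
        for ev in rec.get("events", []):
            if ev.get("name") == "source_copy" and _param(ev, "owner_is_shared_drive"):
                hits.append({"actor": rec["actor"]["email"], "time": rec["id"]["time"],
                             "doc_title": _param(ev, "doc_title")})
    return hits

# Constructed sample records so the module runs stand-alone.
SAMPLE_ADMIN = [{
    "id": {"time": "2024-01-30T09:12:00Z", "applicationName": "admin"},
    "actor": {"email": "it-admin@example.com"},
    "events": [{"type": "LICENSES_SETTINGS", "name": "USER_LICENSE_REVOKE",
                "parameters": [{"name": "USER_EMAIL", "value": "alice@example.com"}]}]}]
SAMPLE_DRIVE = [
    {"id": {"time": "2024-01-30T10:01:00Z", "applicationName": "drive"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "access", "name": "source_copy", "parameters": [
         {"name": "doc_title", "value": "Q4-roadmap.docx"},
         {"name": "owner_is_shared_drive", "boolValue": True}]}]},
    {"id": {"time": "2024-01-30T10:05:00Z", "applicationName": "drive"},
     "actor": {"email": "carol@example.com"}, "events": [{"type": "access",
     "name": "view", "parameters": [{"name": "doc_title", "value": "lunch-menu.pdf"}]}]}]
```

Feed `unlicensed_but_active` the set of accounts you have actually suspended; anyone it returns is a user whose Drive activity you can no longer see in the Drive log.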

And hey, remember, we’re all in this fight for cybersecurity together. As each of us does our part to keep our corner of the digital world secure, we all benefit. Let’s keep sharing knowledge and taking care of each other in this incredible, yet challenging, digital landscape.

by Morgan Phisher | HEAL Security