Cybersecurity researchers have allegedly discovered a forensic security deficiency in Google Workspace which means that hackers can steal data from a private or shared Google Drive folder without any trace.
According to cloud and software-as-a-service security startup Mitiga Security, once a malicious user has accessed a Google Drive account, they can exfiltrate data without being recorded at all.
Google Workspace includes Gmail, Drive, Sheets, Slides, Calendar, Meet and Chat. The Google Drive vulnerability affects only users who do not have a paid enterprise license for Workspace.
This means anyone with a free account may not be able to trace data theft from their Google Drive.
Of course, a threat actor would have to break into your Google account in the first place, in order to access your Drive.
When a file is copied to and from Google Drive, “source_copy” and “copy” log records are created automatically. When a file is downloaded, a “download” log record is created.
The forensic security deficiency described by Mitiga is a potential problem since only “source_copy” log records are made for free Workspace accounts.
So it would be almost impossible for a user without a paid Workspace license to figure out if any files have been stolen from their Drive.
This also poses a threat to organizations since hackers can disable logging and recording by cancelling a victim’s paid license and switching to the free “Cloud Identity Free” license. They can then steal Google Drive data without leaving a trace, and then reassign the license.
“A threat actor who gains access to an admin user can revoke the user’s license, download all their private files, and reassign the license,” the researchers explained.
The experts also notified Google of these findings, but are yet to receive a response.
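A defender-side check for the revoke-and-reassign pattern described above, as an added example that is not from Mitiga or Google: it scans audit events for a license that was revoked and reassigned within a short window and counts the “source_copy” records inside that window. The event labels `license_revoke` and `license_assign`, the field names and the sample records are constructed assumptions, not Google's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records. "license_revoke"/"license_assign" and the field
# names are assumptions for this sketch; "source_copy" and "download" are the
# Drive record names cited in the article.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:00", "actor": "admin@example.com", "user": "alice@example.com", "event": "license_revoke"},
    {"time": "2023-06-01T09:04:00", "actor": "alice@example.com", "user": "alice@example.com", "event": "source_copy"},
    {"time": "2023-06-01T09:10:00", "actor": "admin@example.com", "user": "alice@example.com", "event": "license_assign"},
    {"time": "2023-06-02T11:00:00", "actor": "bob@example.com", "user": "bob@example.com", "event": "download"},
    {"time": "2023-06-03T08:00:00", "actor": "admin@example.com", "user": "carol@example.com", "event": "license_revoke"},
    {"time": "2023-06-20T08:00:00", "actor": "admin@example.com", "user": "carol@example.com", "event": "license_assign"},
]

def find_license_gaps(events, max_gap=timedelta(hours=1)):
    """Return windows where a user's license was revoked and reassigned within max_gap."""
    pending = {}   # user -> open window that started at a revoke
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["event"] == "license_revoke":
            pending[user] = {"user": user, "revoked_by": ev["actor"],
                             "start": ts, "source_copies": 0}
        elif user in pending:
            if ev["event"] == "source_copy":
                # Per the article, the only Drive record still written while
                # the user is unlicensed; downloads leave nothing to count.
                pending[user]["source_copies"] += 1
            elif ev["event"] == "license_assign":
                window = pending.pop(user)
                window["end"] = ts
                if ts - window["start"] <= max_gap:
                    findings.append(window)
    return findings

if __name__ == "__main__":
    for w in find_license_gaps(SAMPLE_EVENTS):
        print(f'{w["user"]}: unlicensed {w["start"]} to {w["end"]} '
              f'(revoked by {w["revoked_by"]}, source_copy records: {w["source_copies"]})')
```

A window with zero “source_copy” records is still worth reviewing, since downloads made while the license was revoked would not appear at all.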