Google Drive security flaw allows data to be stolen without trace
Cloud incident response company Mitiga has released research on a significant forensic security deficiency in Google Workspace that enables threat actors to exfiltrate data in Google Drive without any trace.
Data theft is one of the most common motives for attack, and with more than six million businesses using Google Workspace -- including Google Drive -- the cloud-based repository has been a prime target for data exfiltration.
If you have a paid license, Google Workspace provides visibility into a company's Google Drive resources using 'Drive log events', which record actions such as copying, deleting, downloading, and viewing files. However, by default every Google Drive user starts out with a 'Cloud Identity Free' license.
To get more features an admin must assign a paid license; if this isn't done, there are no log records of actions in the user's private drive. A threat actor who gains access to an admin user can revoke a user's license, download all their private files, and reassign the license. More concerning still, a threat actor who gains access to a user without a paid license, but who still uses the organization's private drive, can download files without leaving a record.
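The two scenarios above leave different evidence behind. Drive log events for the affected user are absent in both, but an admin revoking and reassigning a licence is an administrative action, and the set of users still on the free licence is visible in the directory. The following is an added example, not code from Mitiga or Google: it runs over constructed admin audit records and a constructed user list to surface (a) licence revoke/reassign pairs, with the window during which that user's Drive activity would have gone unlogged, and (b) users whose Drive use is not covered by logging at all. The record layout and the event labels `REVOKE_LICENSE` / `ASSIGN_LICENSE` are assumptions for illustration, not the real Reports API schema; map them to your tenant's admin audit log fields before use.

```python
"""Flag licence churn and unlogged Drive users from Workspace audit data.

Added example, not Mitiga's or Google's code. Field names and event
labels below are ASSUMED placeholders, not the real Reports API schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample admin audit records, newest last. The event labels
# REVOKE_LICENSE / ASSIGN_LICENSE are assumed for illustration.
SAMPLE_ADMIN_EVENTS = [
    {"time": "2023-05-30T08:00:00Z", "actor": "admin@example.com",
     "event": "ASSIGN_LICENSE", "target": "carol@example.com"},
    {"time": "2023-05-30T09:00:00Z", "actor": "admin@example.com",
     "event": "REVOKE_LICENSE", "target": "alice@example.com"},
    {"time": "2023-05-30T09:47:00Z", "actor": "admin@example.com",
     "event": "ASSIGN_LICENSE", "target": "alice@example.com"},
    {"time": "2023-05-30T10:00:00Z", "actor": "admin@example.com",
     "event": "REVOKE_LICENSE", "target": "bob@example.com"},
]

# Constructed sample directory export: user -> licence SKU name.
SAMPLE_USERS = {
    "alice@example.com": "Enterprise Plus",
    "bob@example.com": "Cloud Identity Free",
    "carol@example.com": "Enterprise Plus",
    "dave@example.com": "Cloud Identity Free",
}


@dataclass
class LicenceGap:
    """A window in which a user's Drive actions produced no log events."""
    user: str
    actor: str                      # admin who performed the revoke
    revoked_at: datetime
    restored_at: Optional[datetime]  # None = licence still revoked

    @property
    def duration(self) -> Optional[timedelta]:
        if self.restored_at is None:
            return None
        return self.restored_at - self.revoked_at


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp such as 2023-05-30T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_licence_gaps(events):
    """Pair each REVOKE_LICENSE with the next ASSIGN_LICENSE for the same user.

    A revoke followed shortly by a reassign is the churn pattern described
    in the article; a revoke with no later assign is an open blind spot.
    """
    pending = {}   # user -> (revoked_at, actor) awaiting a reassign
    gaps = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = parse_ts(ev["time"])
        if ev["event"] == "REVOKE_LICENSE":
            pending[ev["target"]] = (when, ev["actor"])
        elif ev["event"] == "ASSIGN_LICENSE" and ev["target"] in pending:
            revoked_at, actor = pending.pop(ev["target"])
            gaps.append(LicenceGap(ev["target"], actor, revoked_at, when))
    # Anything still pending is a licence that was never restored.
    for user, (revoked_at, actor) in pending.items():
        gaps.append(LicenceGap(user, actor, revoked_at, None))
    return gaps


def unlogged_drive_users(users, free_sku="Cloud Identity Free"):
    """Users whose Drive activity is not covered by Drive log events."""
    return sorted(u for u, sku in users.items() if sku == free_sku)


if __name__ == "__main__":
    for gap in find_licence_gaps(SAMPLE_ADMIN_EVENTS):
        end = gap.restored_at.isoformat() if gap.restored_at else "still revoked"
        print(f"{gap.user}: unlogged from {gap.revoked_at.isoformat()} to {end} "
              f"(by {gap.actor})")
    print("no Drive logging:", unlogged_drive_users(SAMPLE_USERS))
```

Each reported window is the interval an investigator should ask about, since nothing in Drive log events will answer it for that user. The second list is the standing exposure the article describes: every user on the free licence who still works in the organisation's Drive.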
Mitiga has contacted Google's security team but hadn't, at time of writing, received a response. You can read more details of the flaw and how to guard against the threat on the Mitiga blog.
The Google Workspace team responded that it's "important to note that this theoretical construction by the vendor includes no specific evidence of actual user impact."
It goes on to point out that:
The types of organizations looking for the type of robust auditing referenced in this report are generally already using Google Workspace enterprise licenses, which have extensive auditing capabilities.
Any Google Workspace or Edu Drive license includes access to the types of audit logs referenced here.
Cloud Identity Free is meant to only enable limited access to Drive for non-sensitive data, and is not designed for the types of organizations that generally need these options.
Google Workspace also offers administrators full control to configure infrastructure, applications, and system integrations in a single dashboard via our Admin Console—regardless of the size of the organization—simplifying administration and configuration.
Google Workspace audit logs help security teams maintain audit trails in Google Workspace and view detailed information about Admin activity, data access, and system events. Google Workspace admins can use the Admin Console to access these logs and can customize and export logs as required.
Users looking to add these advanced capabilities can sign up for Google Workspace Enterprise Essentials, which has a Starter Edition available that is free for up to 100 users.
On Drive specifically:
Cloud Identity Free is the default license for all GCP customers.
All Workspace licenses, including but not limited to Enterprise Plus, include audit logging for Google Drive.