A lack of event logging in the free-subscription version of Google Workspace can allow attackers to download data from Google Drive without leaving behind a trace of their illicit activity.
Researchers on a team from Mitiga discovered what they call a key “forensic security deficiency” in the popular hosted productivity app, which arises due to the lack of log generation for users who don’t have a paid enterprise license for Workspace. In a Mitiga blog post published May 30, the team noted that the situation leaves enterprises open to insider threats and other potential data leaks.
Though users with a paid license, such as Google Workspace Enterprise Plus, enjoy the benefit of visibility into Google Drive activity through “drive log events” — which record actions such as copying, deleting, downloading, and viewing files — those with a default Cloud Identity Free license don’t, the researchers said. This makes organizations blind to potential data manipulation and exfiltration attacks, limiting how quickly and effectively organizations can respond. That’s because they have little to no chance to correctly assess what data has been stolen — or if any data has been stolen at all.
“In Google specifically, the free license is the default when a new user is added to your domain, meaning you won’t receive any logs on Google Drive activity from their private Drive,” Or Aspir, cloud security research team leader at Mitiga, tells Dark Reading. “This is the main problem because without those logs, you are blind to users potentially downloading the data on their private Drive.”
To boot, though enterprises that use Google Workspace across their corporate employees may issue enterprise licenses — and thus have the visibility that logging provides — they can still be at risk for data theft if users download files from a shared enterprise drive to their personal Google Drive, which won’t be protected, Aspir says.
“If users have permissions to access some shared company drives, they can copy the files from the shared Drive to their private Drive … and the company will not receive any logs of the user downloading the copied files from their private drive,” he explains.
How Attackers Can Exploit the Google Drive Deficiency
There are two key scenarios in which this lack of visibility presents a problem, the researchers outlined in their post. The first is if a user’s account is compromised by a threat actor, either by becoming an admin or merely by gaining access to that account, they wrote.
“A threat actor who gains access to an admin user can revoke the user’s license, download all their private files, and reassign the license,” they explained in the post. In this case, the only log records that would be generated are the activity of revoking and assigning a license, under the Admin Log Events, the researchers said.
Meanwhile, a threat actor who gains access to a user without a paid license but still uses the organization’s private drive can download all the drive’s files without leaving any trace, the researchers said.
The second threat scenario would be most likely to occur during employee offboarding, when a corporate user is leaving the company and thus having their license removed before actually disabling/removing the employee as a Google user, the researchers said.
The employee (or any user who isn’t assigned a paid license) also can potentially download internal files from his or her private drive or private Google Workspace without any notice due to the lack of logging, posing an insider threat or potentially exposing that data to an outside attacker, they added. A user who still uses a company’s private drive also can download drives to a private Google Workspace without any log record, the researchers said.
“Either way, without a paid license, users can still have access to shared drive as viewers,” they explained in the post. “A user or a threat actor can copy all the files from the shared drive to their private drive and download them.”
How Enterprises Can Respond
Mitiga reached out to Google about the issue, but the researchers said they have not yet received a response, adding that Google’s security team typically doesn’t recognize forensics deficiencies as a security problem.
This highlights a concern when working with software-as-a-service (SaaS) and cloud providers, in that organizations that use their services “are solely dependent on them regarding what forensic data you can have,” Aspir notes. “When it comes to SaaS and cloud providers, we’re talking about a shared responsibility regarding security because you can’t add additional safeguards within what is given.”
For example, an organization is entirely dependent on what Google Workspace provides, Aspir says. In his opinion, that info should be “all logs needed in order for enterprises to understand if something bad happened, and what exactly happened.”
Fortunately, there are steps that organizations using Google Workspace can take to ensure that the issue outlined by Mitiga isn’t exploited, the researchers said. This includes keeping an eye out for certain actions in their Admin Log Events feature, such as events about license assignments and revocations, they said.
“If these events are happening in quick succession, it could suggest that a threat actor is revoking and reassigning licenses in your environment,” they wrote in the post. “As a result, we suggest conducting regular threat hunts in Google Workspace that include searching for this activity.
Organizations also can add “source_copy” events in threat hunts to catch a case in which an employee or a threat actor copies files from the shared drive to a private drive and downloads them from there, the researchers said.
Overall, organizations “need to understand that if there is a user with a free license, that user can download or copy data from the organization’s private Google Drive and there will be no log of the activity,” Aspir says. “Be very careful of users inside of the enterprise who do not have a paid license.”
