A previously unknown security issue in Google LLC’s Workspace could allow an attacker to exfiltrate data from Google Drive without being traced.

Detailed Tuesday by researchers at Mitiga Security Inc., the vulnerability is the result of a forensic deficiency that allows a user to exfiltrate data without generating any record of the activity. The security issue relates explicitly to actions carried out by users who don’t have a paid enterprise license for Google Workspace.

The researchers explain that by default, all Google Drive users start with a “Cloud Identity Free” license and unless an administrator assigns a paid license, no logs are recorded for actions taken within a user’s private drive. The lack of visibility makes it possible for threat actors to manipulate or steal data without detection.

The security vulnerability can be exploited in two ways. The first is that if a user’s account is compromised, a threat actor can manipulate the user’s license to access and download private files while leaving behind only logs of license revocation and reassignment.

The second involves targeting employees during the process of revoking a paid license. If it’s revoked before the account is disabled, the account can potentially download sensitive files from a private drive unnoticed.

Undertaking responsible disclosure, the Mitiga researchers reached out to Google before going public with their findings but have yet to receive a response. The researchers recommend regular monitoring of Admin Log Events in Google Workspace, especially focusing on license assignment and revocation actions, as sudden changes could indicate a potential threat. If these actions occur in quick succession, it may suggest a threat actor is manipulating licenses.

“Mitiga’s discovery of ‘forensic security deficiency’ in Google Workspace reinforces, yet again, the ongoing issue of data security in software-as-a-service applications,” Corey O’Connor, director of products at software-as-a-service security company DoControl Inc., told SiliconANGLE. “Applications like Google Drive and Workspace are Tier0 apps – many organizations lack the necessary controls to prevent unauthorized access to critical data.”

O’Connor noted that the lack of security controls combined with the no event logging leaves Google Workplace users open and exposed with virtually no visibility into who or what can access data. “It is unrealistic to think that organizations can actively monitor logs and forensic data enough to catch malicious actors in their systems,” O’Connor said. “Unless an organization has dedicated tooling and policies in place to address such SaaS data security gaps, they are susceptible to this ‘forensic deficiency.'”

Image: Google