top | item 41083697


nurtbo | 1 year ago

So these attackers could gain access to any account with an email address on a domain not currently registered to a Google Workspace? This seems like a huge breach of trust. (Especially given that it gave access to accounts outside of Google.)

Is there a best practice around confirming adding social login to a pre-existing account? (Like entering current password or email confirmation?)

From the article:

> In the case of the reader who shared the breach notice from Google, the imposters used the authentication bypass to associate his domain with a Workspace account. And that domain was tied to his login at several third-party services online. Indeed, the alert this reader received from Google said the unauthorized Workspace account appears to have been used to sign in to his account at Dropbox


AnotherGoodName | 1 year ago

From what’s stated they could create a new account but not gain access to an existing account. So they create “totally_the_admin@bigco.com” and then log in via Google elsewhere and try to use that as a way to gain further access to bigco accounts, presumably through some manual support process.
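The question upthread (what a relying party should require before it attaches a social login to a pre-existing account) and the attack sketched in the comment above (mint a Workspace identity for someone else's domain, then "Sign in with Google" at a third-party service that matches on email) are two sides of the same linking decision. The following is an added example, not code from Google, Dropbox or the article: a relying-party account store that looks federated identities up by (issuer, subject), refuses to auto-link on an email match, and instead hands back a one-time step-up token that can only be redeemed with the existing account's password. Claim names follow standard OpenID Connect ID tokens (iss, sub, email, email_verified, hd); the store, hashing and token scheme are stand-ins constructed for the demo, and the token is assumed to have been validated (signature, issuer, audience, expiry) before this code sees it.

```python
"""Linking a federated ("Sign in with Google"-style) login to a local account.

Added example, not code from Google, Dropbox or the article. Claim names follow
OpenID Connect ID tokens (iss, sub, email, email_verified, hd); the user store,
password hashing and step-up token are stand-ins constructed for this demo.
The caller is assumed to have already validated the token's signature, issuer,
audience and expiry.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: Optional[bytes]                      # None: no local password yet
    federated: set = field(default_factory=set)   # linked (iss, sub) pairs


class AccountStore:
    def __init__(self) -> None:
        self.users: dict = {}      # lower-cased email -> User
        self.pending: dict = {}    # step-up token -> (email, iss, sub)

    def register_local(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email.lower()] = User(email.lower(), salt, _hash_pw(password, salt))

    def _find_by_federated(self, iss: str, sub: str) -> Optional[User]:
        return next((u for u in self.users.values() if (iss, sub) in u.federated), None)

    def federated_login(self, claims: dict) -> tuple:
        """Decide what a validated ID token is allowed to do.

        Returns one of:
          ("login", email)        (iss, sub) already linked: sign the user in
          ("reject", reason)      the IdP does not vouch for this email
          ("link_pending", token) email matches an existing account; the caller
                                  must prove control of it before linking
          ("created", email)      no such account: create one keyed by (iss, sub)
        """
        iss, sub = claims["iss"], claims["sub"]
        user = self._find_by_federated(iss, sub)
        if user is not None:
            return ("login", user.email)
        if claims.get("email_verified") is not True:
            return ("reject", "email_verified is not true")
        email = claims["email"].lower()
        domain = email.rsplit("@", 1)[1]
        # Google Workspace tokens carry the hosted domain in `hd`; if present it
        # must match the email's domain, otherwise the token says nothing about it.
        if "hd" in claims and claims["hd"].lower() != domain:
            return ("reject", "hd claim does not match email domain")
        if email in self.users:
            # Never auto-link on an email match alone: issue a one-time step-up
            # token that complete_link() redeems with the existing password.
            token = secrets.token_urlsafe(24)
            self.pending[token] = (email, iss, sub)
            return ("link_pending", token)
        self.users[email] = User(email, os.urandom(16), None, {(iss, sub)})
        return ("created", email)

    def complete_link(self, token: str, password: str) -> bool:
        """Redeem a step-up token; link only if the existing password checks out."""
        entry = self.pending.pop(token, None)   # single use, success or failure
        if entry is None:
            return False
        email, iss, sub = entry
        user = self.users[email]
        if user.pw_hash is None:
            # No local credential to prove; an emailed confirmation link would be
            # the alternative path (not implemented in this demo).
            return False
        if not hmac.compare_digest(user.pw_hash, _hash_pw(password, user.salt)):
            return False
        user.federated.add((iss, sub))
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register_local("alice@bigco.com", "correct horse battery staple")
    # Constructed claims standing in for an attacker-minted Workspace identity.
    claims = {"iss": "https://accounts.google.com", "sub": "1", "email": "alice@bigco.com",
              "email_verified": True, "hd": "bigco.com"}
    outcome, token = store.federated_login(claims)
    print(outcome, store.complete_link(token, "guess"))
```

The point of keying on (iss, sub) rather than email is that the attacker in the article holds a token whose email is genuinely the victim's and whose email_verified is true from Google's point of view; the only thing the relying party can still demand is proof of the existing credential, which is exactly the "enter current password or confirm by email" step the question asks about.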