Google Workspace bug allows untraceable data theft from Drive files

San Francisco, Jun 5 (IANS): Cybersecurity researchers have discovered a significant forensic security deficiency in Google Workspace that enables a hacker to exfiltrate data in Google Drive without any trace.

According to researchers from Mitiga Security, once a malicious user inside has accessed the organisation's Google Drive, they can take action without being recorded at all.

This flaw affects only users who do not have a paid enterprise licence for Google Workspace.

Users who do not have a paid Google Workspace licence have their private drive actions left undocumented.

Hackers can disable logging and recording by cancelling their paid licence and switching to the free "Cloud Identity Free" licence.

This enables threat actors to exfiltrate files without leaving any trace, save for the indication that a paid licence was revoked, which is visible to administrators.

"A threat actor who gains access to an admin user can revoke the user's license, download all their private files, and reassign the license," the researchers said.

The experts also notified Google of its findings, who is yet to respond.

Meanwhile, hackers are targeting iPhones with previously unknown malware, via iMessage to, gain complete control over the iOS device and spy on users.

Cybersecurity company Kaspersky discovered the mobile Advanced Persistent Threat (APT) campaign targeting iOS devices with previously unknown malware.

Dubbed as 'Operation Triangulation', the ongoing campaign distributes zero-click exploits via iMessage to run malware gaining complete control over the device and user data, with the final goal to "hiddenly spy on users".



Top Stories

Leave a Comment

Title: Google Workspace bug allows untraceable data theft from Drive files

You have 2000 characters left.


Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will be held responsible.