In a recent report, Bitdefender, a Romanian cybersecurity firm, exposed a series of innovative attack strategies that could potentially be used against Google Workspace and the Google Cloud Platform. These strategies could be exploited by cybercriminals to launch ransomware, data theft, and password recovery attacks.
Martin Zugec, the technical solutions director at Bitdefender, explained that these attacks could evolve in several ways from a single compromised machine. The attackers could spread to other cloned machines with Google Credential Provider for Windows (GCPW) installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to expand their attack beyond the Google ecosystem.
However, these attacks require the attacker to have already gained access to a local machine through other means. As such, Google has stated that the bug is not eligible for fixing as it falls outside their threat model and aligns with Chrome’s practices of storing local data.
The attacks fundamentally depend on an organization’s use of Google Credential Provider for Windows (GCPW). GCPW provides both mobile device management (MDM) and single sign-on (SSO) capabilities, allowing administrators to remotely manage Windows devices within their Google Workspace environments and users to access their Windows devices using the same credentials as their Google accounts.
GCPW operates using a local privileged service account named Google Accounts and ID Administration (GAIA) which connects to Google APIs to verify a user’s credentials during the sign-in step and stores a refresh token to eliminate the need for re-authentication.
With this GCPW setup, an attacker with access to a compromised machine can extract an account’s refresh OAuth tokens from either the Windows registry or the user’s Chrome profile directory, effectively bypassing multi-factor authentication (MFA) protections. The attacker can then use the refresh token to construct an HTTP POST request to obtain an access token, which can be misused to access, alter, or delete sensitive data linked to the Google Account.
Another exploit, referred to as the Golden Image lateral movement, targets virtual machine (VM) deployments. This method capitalizes on the fact that cloning a machine with pre-installed GCPW also clones the password associated with the GAIA account. Knowing the password to a local account, and having all local accounts share the same password, essentially gives the attacker access to all machines.
A third attack involves gaining access to plaintext credentials by using the access token obtained through the previous technique to send an HTTP GET request to an undocumented API endpoint and acquire the private RSA key needed to decrypt the password field.
Having access to plaintext credentials, such as usernames and passwords, allows attackers to impersonate legitimate users directly and gain unrestricted access to their accounts, potentially leading to a complete account takeover.