Google Drive Deficiency Allows Attackers to Exfiltrate Workspace Data Without a Trace

Published: 23/11/2024   Category: security




No activity logging in the free subscription for Google's Web-based productivity suite exposes enterprises to insider and other threats, researchers say.



A lack of event logging in the free-subscription version of Google Workspace can allow attackers to download data from Google Drive without leaving behind a trace of their illicit activity.
Researchers on a team from Mitiga discovered what they call a "key forensic security deficiency" in the popular hosted productivity app, which arises from the lack of log generation for users who don't have a paid enterprise license for Workspace. In a Mitiga blog post published May 30, the team noted that the situation leaves enterprises open to insider threats and other potential data leaks.
Though users with a paid license, such as Google Workspace Enterprise Plus, enjoy the benefit of visibility into Google Drive activity through drive log events — which record actions such as copying, deleting, downloading, and viewing files — those with a default Cloud Identity Free license don't, the researchers said. "This makes organizations blind to potential data manipulation and exfiltration attacks, limiting how quickly and effectively organizations can respond. That's because they have little to no chance to correctly assess what data has been stolen — or if any data has been stolen at all."
"In Google specifically, the free license is the default when a new user is added to your domain, meaning you won't receive any logs on Google Drive activity from their private Drive," Or Aspir, cloud security research team leader at Mitiga, tells Dark Reading. "This is the main problem because without those logs, you are blind to users potentially downloading the data on their private Drive."
To boot, though enterprises that use Google Workspace across their corporate employees may issue enterprise licenses — and thus have the visibility that logging provides — they can still be at risk of data theft if users download files from a shared enterprise drive to their personal Google Drive, which won't be protected, Aspir says.
"If users have permissions to access some shared company drives, they can copy the files from the shared Drive to their private Drive … and the company will not receive any logs of the user downloading the copied files from their private drive," he explains.
There are two key scenarios in which this lack of visibility presents a problem, the researchers outlined in their post. The first is if a user's account is compromised by a threat actor, "either by becoming an admin or merely by gaining access to that account," they wrote.
"A threat actor who gains access to an admin user can revoke the user's license, download all their private files, and reassign the license," they explained in the post. In this case, the only log records that would be generated are the activity of revoking and assigning a license, under the Admin Log Events, the researchers said.
Meanwhile, a threat actor who gains access to a user without a paid license but who still uses the organization's private drive can download all the drive's files without leaving any trace, the researchers said.
The second threat scenario would be most likely to occur during employee offboarding, when a corporate user is leaving the company and thus having their license removed before actually disabling/removing the employee as a Google user, the researchers said.
The employee (or any user who isn't assigned a paid license) also can potentially download internal files from his or her private drive or private Google Workspace without any notice due to the lack of logging, posing an insider threat or potentially exposing that data to an outside attacker, they added. A user who still uses a company's private drive also can download drives to a private Google Workspace without any log record, the researchers said.
"Either way, without a paid license, users can still have access to shared drive as viewers," they explained in the post. "A user or a threat actor can copy all the files from the shared drive to their private drive and download them."
Mitiga reached out to Google about the issue, but the researchers said they have not yet received a response, adding that Google's security team typically doesn't recognize forensics deficiencies as a security problem.
"This highlights a concern when working with software-as-a-service (SaaS) and cloud providers, in that organizations that use their services are solely dependent on them regarding what forensic data you can have," Aspir notes. "When it comes to SaaS and cloud providers, we're talking about a shared responsibility regarding security because you can't add additional safeguards within what is given."
For example, an organization is entirely dependent on what Google Workspace provides, Aspir says. In his opinion, that info should be all logs needed in order for enterprises to understand if something bad happened, and what exactly happened.
Fortunately, there are steps that organizations using Google Workspace can take to ensure that the issue outlined by Mitiga isn't exploited, the researchers said. This includes keeping an eye out for certain actions in their Admin Log Events feature, such as events about license assignments and revocations, they said.
"If these events are happening in quick succession, it could suggest that a threat actor is revoking and reassigning licenses in your environment," they wrote in the post. "As a result, we suggest conducting regular threat hunts in Google Workspace that include searching for this activity."
Organizations also can include source_copy events in threat hunts to catch a case in which an employee or a threat actor copies files from the shared drive to a private drive and downloads them from there, the researchers said.
"Overall, organizations need to understand that if there is a user with a free license, that user can download or copy data from the organization's private Google Drive and there will be no log of the activity," Aspir says. "Be very careful of users inside of the enterprise who do not have a paid license."
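One way to run the two hunts the researchers describe, as an added example (not code from Mitiga or Google): it pairs a license revoke with a re-assignment of the same user inside a short window, and lists source_copy events whose source was a shared drive. It assumes the admin event names USER_LICENSE_REVOKE and USER_LICENSE_ASSIGNMENT and a simplified record shape; the sample events are constructed.

```python
"""Threat-hunt helpers for the Workspace logging gap described above."""
from datetime import datetime

# Constructed sample, shaped loosely like Admin SDK Reports API activity records.
# The admin event names USER_LICENSE_REVOKE / USER_LICENSE_ASSIGNMENT are assumed;
# source_copy is the Drive event the article names. Verify both in your tenant.
SAMPLE_EVENTS = [
    {"time": "2024-05-30T09:00:00Z", "log": "admin", "actor": "admin@example.com",
     "name": "USER_LICENSE_REVOKE", "user": "alice@example.com"},
    {"time": "2024-05-30T09:01:30Z", "log": "admin", "actor": "admin@example.com",
     "name": "USER_LICENSE_ASSIGNMENT", "user": "alice@example.com"},
    {"time": "2024-05-30T16:00:00Z", "log": "admin", "actor": "admin@example.com",
     "name": "USER_LICENSE_ASSIGNMENT", "user": "bob@example.com"},   # routine, hours apart
    {"time": "2024-05-30T10:00:00Z", "log": "admin", "actor": "admin@example.com",
     "name": "USER_LICENSE_REVOKE", "user": "bob@example.com"},       # listed out of order
    {"time": "2024-05-30T11:15:00Z", "log": "drive", "actor": "carol@example.com",
     "name": "source_copy", "doc_title": "Q2 roadmap.xlsx", "shared_drive": True},
    {"time": "2024-05-30T11:20:00Z", "log": "drive", "actor": "carol@example.com",
     "name": "source_copy", "doc_title": "My notes", "shared_drive": False},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_license_churn(events, window_seconds=600):
    """Return (target_user, actor, gap_seconds) wherever a license revoke is followed
    by a re-assignment of the same user within window_seconds. Mitiga ties this
    revoke/download/reassign pattern to an admin-level attacker reading a user's
    private Drive while it is unlogged; the admin log holds the only trace."""
    pending = {}   # target user -> time of the most recent revoke
    hits = []
    admin = sorted((e for e in events if e["log"] == "admin"), key=lambda e: _ts(e["time"]))
    for ev in admin:
        if ev["name"] == "USER_LICENSE_REVOKE":
            pending[ev["user"]] = _ts(ev["time"])
        elif ev["name"] == "USER_LICENSE_ASSIGNMENT" and ev["user"] in pending:
            gap = (_ts(ev["time"]) - pending.pop(ev["user"])).total_seconds()
            if gap <= window_seconds:
                hits.append((ev["user"], ev["actor"], int(gap)))
    return hits

def find_shared_drive_copies(events):
    """Return (actor, doc_title) for source_copy events whose source was a shared
    drive: the copy now lives in a personal Drive, where later downloads are unlogged."""
    return [(e["actor"], e["doc_title"]) for e in events
            if e["log"] == "drive" and e["name"] == "source_copy" and e["shared_drive"]]
```

Widening window_seconds trades false positives for coverage; the offboarding case in the article (license removed well before the account is disabled) needs a much longer window than the attacker's quick revoke-and-reassign.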
