Earlier this week, Google wrote in its Cloud blog that a zero-day vulnerability had been identified and fix. The issue, which dates back to Gmail Suite’s 2005, would store plain-text passwords on a server that could have been easily targeted by hackers.
Why would Google store plain-text passwords?
In or around 2005, Google released an admin feature for the Gmail Suite. This would have made users’ passwords visible to administrators.
When the user creates a password, this string contained alpha-numerical characters is stored on a secured server in a hashed version.
To Google, our passwords look like gibberish – as it should be, since the user alone should know the password. So, in order to regain access to your account, the only way to do it would be to request a password reset link.
Another way would be to tap into your Microsoft account, input the master password, and click on the “password button” for the website you want to access. We wouldn’t recommend storing passwords locally since the system can easily be exploited.
As for the G-Suite zero-day vulnerability, according to Microsoft’s blog posts, no information leaks were recorded, despite the issue going the radar for the past 14 years.
What needs to be done?
Though Google made ample assurances that the security net was in place all the time and no info leaked, it still urges its users to change passwords and to update the G-Suite to the latest version if necessary.
Furthermore, according to the blog post, despite the vulnerability, the unhashed passwords were never at risk since they were stored in a secure location.
What that means, we are uncertain since Google refused to elaborate on what safeguards were in place. As for the bug, the issue has seemingly been fixed, users’ passwords now being stored in hashed version.
From what we understood; the issue stemmed from the 2005 G-Suite version. More specifically, when Google first introduced this feature, it came with an enterprise version that allowed Gmail admins to manage user accounts.
For instance, if you were the owner of the business venture, this G-Suite feature allowed you to see passwords and other G-Mail related activities.
Since modern GDPR standards would view this as a major privacy breach, no such service deployment has been made for the past couple of years.
And yet, out of the blue, Google announced a major vulnerability after more than a decade. How did this go unnoticed? We don’t know for certain, but the ramifications could have been vast if Google failed to patch this bug.
Where does this leave us? As always, the best course of actions to take would be to follow Google’s recommendation. Of course, changing your password might prevent any future entanglements, but what about the past?
Is there any way to know for certain that no one exploited this vulnerability? Unfortunately, we can’t be sure of anything at the moment. So, change your passes and download a pass management tool like LastPass.
What are your thoughts on Google’s bug fix? Hit the comments section and let us know.