Your employees' private Google accounts put you at risk
Updated: Dec 3, 2019
I’ve mentioned the importance of identifying the weakest links in your security architecture. Every security architecture has a weakness that must be identified and addressed before you end up with a massive security breach that is hard to explain. Huge and respectable enterprises with solid security organizations have experienced embarrassing breaches originating from their weakest links.
Today I’ll highlight one of the weakest links that is not getting enough attention - your employees’ personal Google accounts. Google and Gmail are so widely used for personal purposes that I can hardly find any contacts in my address book that don’t have Gmail as their personal email. Another highly popular Google product is Chrome, which has reached 70% market share.
Google Chrome has a built-in password manager - every time you log into a website it offers to keep your login credentials for that website. Because it’s so convenient, most users accept and allow Chrome to keep their website credentials. Google Chrome stores these credentials in the cloud as part of your Google account. These credentials are then available in any Chrome browser on any device as long as you log into the Chrome browser at least once with your Google account.
So for example, if you have Google Chrome on your mobile device and you log into various websites, the Google password manager will keep these credentials in your Google Account in the cloud. If you then open Google Chrome on a desktop and log into Google Chrome, the Google password manager would be able to automatically log you in to all these websites.
The risk is that if someone manages to take over your employee's Google account, they can immediately log into all the websites the user stored in Chrome. This could include social media sites, bank accounts (including corporate bank accounts), development platforms, project management websites, marketing services, and cloud services of all kinds and forms.
If the attacker has compromised the user’s private Google account they can do much more than just log in on behalf of the user. They could use this service - https://passwords.google.com/ - to get all the passwords the user has ever used on any website.
Now, do you have a way of knowing that your employees' personal Google accounts have been compromised? Do you have a way of understanding which services are now at risk once an employee's Google account is breached? If you can’t see how this could lead to a massive data breach in the organization, similar to the ones mentioned above, then contact me and I’ll connect the dots for you.
How can a Google account be compromised? This is a topic for another discussion which I intend to cover soon. But here is just one simple way - the user logs into a Google account using Chrome from a device they don’t own. Anyone with access to that device can then use the Chrome password manager to access all the credentials the user has ever used on any of their devices.
This type of risk is not limited to Google. The Apple iCloud Keychain introduces similar risks, which I may cover in a future blog.
The key takeaway here is that enterprise security must follow a disciplined, risk-based approach to find and address the weaknesses in an organization’s IT landscape. The sooner this is implemented, the sooner we can find and address the inevitable weak links in our security architecture.
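One way to check a managed Chrome deployment for the exposure described above, as an added example that is not part of the original post: the script audits a Chrome enterprise policy file for settings that let a personal Google account sign in and sync saved passwords. The policy names (`BrowserSignin`, `RestrictSigninToPattern`, `PasswordManagerEnabled`, `SyncDisabled`, `SyncTypesListDisabled`) are Chrome enterprise policies that the post itself does not mention; the sample policy files, the `example.com` domain and the function name are constructed for illustration, and the model of Chrome's defaults is simplified.

```python
import json

# Constructed sample policy files, as an administrator might deploy them
# (on Linux, managed policies live under /etc/opt/chrome/policies/managed/).
SAMPLE_WEAK = '{"HomepageLocation": "https://intranet.example.com"}'
SAMPLE_HARDENED = json.dumps({
    "BrowserSignin": 1,                              # sign-in allowed...
    "RestrictSigninToPattern": r".*@example\.com",   # ...corporate accounts only
    "PasswordManagerEnabled": False,                 # no built-in password saving
})
SAMPLE_NO_SIGNIN = '{"BrowserSignin": 0}'            # browser sign-in disabled


def audit_chrome_policy(policy_json):
    """Return findings for settings that expose saved credentials to a
    personal Google account. Unset policies fall back to the assumed
    defaults: sign-in allowed, password manager on, sync on."""
    policy = json.loads(policy_json)
    findings = []

    signin_blocked = policy.get("BrowserSignin", 1) == 0
    if not signin_blocked and not policy.get("RestrictSigninToPattern"):
        findings.append("any Google account, including a personal one, "
                        "can sign in to Chrome")

    if policy.get("PasswordManagerEnabled", True):
        findings.append("built-in password manager can save website credentials")
        sync_off = (
            signin_blocked
            or policy.get("SyncDisabled", False)
            or "passwords" in policy.get("SyncTypesListDisabled", [])
        )
        if not sync_off:
            findings.append("saved passwords can sync to the signed-in "
                            "Google account")
    return findings


if __name__ == "__main__":
    for name, sample in [("weak", SAMPLE_WEAK),
                         ("hardened", SAMPLE_HARDENED),
                         ("no sign-in", SAMPLE_NO_SIGNIN)]:
        results = audit_chrome_policy(sample)
        print(name + ":", results if results else "no findings")
```

This only covers browsers the organization manages; it says nothing about an employee's own devices, where the same corporate credentials may already be saved.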