Web
application security specialists reported that Google
made a serious security error when securing the passwords of some of its business
clients because, for nearly 14 years, the company stored them in plain text by
accident.
The incident impacts only users of G
Suite, service that provides multiple Google products with a custom
domain name for enterprise clients. This flaw would have been caused by an
error in the implementation of a feature to manually configure and retrieve
passwords.
G Suite service managers had access to a
console from which they could set up accounts for new employees in their
company; subsequently, the passwords were secured (process known as hashing)
before being stored by Google.
According to web application security experts, hashing is an irreversible unilateral operation performed by Google. When a user provides their password, the information is analyzed and compared to the company’s stored data; if there is a match, the password is valid and the user gets access to the service.
Recently, Google recognized that an unsecured
copy of the password was stored in the company’s systems by carelessness. “We
can ensure that, despite this inconvenience, confidential information was kept
in an encrypted protected infrastructure and there is no evidence of
unauthorized access”, says Google’s engineering team.
In addition to this incident, Google revealed a
second error occurred in the early 2019, when more unencrypted passwords were
discovered stored in the company’s systems. On this occasion, the confidential
information was “exposed” for at least two consecutive weeks;
Google’s security teams ensure that both incidents have been fixed.
According to web application security specialists
from the International Institute of Cyber Security (IICS), the next step for
Google is to alert the affected G Suite service administrators in both incidents
to reset the passwords if it’s necessary.
In case of not locating affected G Suite users,
Google could automatically reset these exposed passwords.
