Keywords: Google Workspace, sharing, security vulnerability
Abstract: The increasing demand for remote work and virtual interactions in recent years has led to a significant upswing in the use of business collaboration platforms (BCPs), with Google Workspace as a prominent example. These platforms not only amplify the capabilities of existing business solutions such as Google Docs, Slides, and Calendar to enhance collaboration for team-based work, but also integrate feature-rich third-party applications (named add-ons) to cater to various use cases. However, such integration of multiple users and entities has inadvertently introduced new and complex attack surfaces, elevating security and privacy risks in resource management to unprecedented levels.
In this work, we conduct a systematic study of the effectiveness of cross-entity resource management in Google Workspace, the most popular BCP. We unveil the access control enforcement in real-world BCPs for the first time. Based on it, we formulate the attack surfaces inherent in BCPs and conduct a comprehensive assessment. Our study identifies three distinct types of vulnerabilities, which further give rise to three types of attacks. Upon scrutinizing a dataset of all 4,732 add-ons available in the marketplace, we make the alarming discovery that an overwhelming 70% of these add-ons are potentially vulnerable to at least one of these newly identified attacks. To address these critical vulnerabilities, we conclude by offering a set of robust countermeasures designed to substantially fortify the security landscape of BCPs. This study serves as both a wake-up call for immediate remedial action and a foundational work for future research in the field.
Track: Security
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 2359