Comment by dpedu

1 year ago

> Because these non-Gmail Google accounts aren’t actually a member of the Google organization, they won’t show up in any administrator settings, or user Google lists.

That's why. This bug allows an attacker to retain access to various accounts attached to an already-compromised company or employee of the company. Not only that, but the retention is completely invisible to the account administrators.

Needing the same level of access that an employee has in order to utilize it doesn't make it less valuable. There are plenty of valuable bugs that can only be utilized from specific positions. Consider how many hacks have happened because an employee's devices or accounts were compromised, rather than some server system that no one individual owns. The recent Okta hack happened that way.

The rogue accounts would show up in the administrative settings in the third-party apps, and they would stick out like a sore thumb because they'd have weird email addresses. So they're not completely invisible, albeit not visible from one central place.

> Needing the same level of access that an employee has in order to utilize it doesn't make it less valuable.

The only way that would be true is if compromising an employee account has no cost, which is obviously not the case. Thus, attackers would prefer to purchase a vulnerability that doesn't require also compromising an employee account.

I trust tptacek is correct that Zerodium wouldn't even pay $133.70 for this: https://news.ycombinator.com/item?id=38722395