SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Worried it professional chaotic unapproved cloud apps security risk
#
Cloud Security
#
CASB
#
IAM

Google Workspace isn’t built to handle shadow SaaS

Thu, 2nd Oct 2025
By Dakshitaa Babu, Security Researcher, SquareX

Employees increasingly adopt SaaS applications outside official IT channels. This "shadow IT" leads to compliance exposure, weakens visibility, and increases the chance of sensitive data being shared with unvetted vendors.

Acting as an identity provider (IdP) for countless SaaS apps, Google Workspace enables users to authenticate via Google with ease. While OAuth makes integration seamless, it also creates a blind spot: apps can request overly broad permissions, and employees often approve them without understanding the impact. This opens a pathway for attackers who exploit OAuth consent grants to access corporate data.

Google Workspace offers three categories for app management - Configured Apps, Accessed Apps, and Apps Under Review. Each can help security teams, but each also comes with practical limitations. 

Configured Apps cover the applications in Google's official Workspace Marketplace. Administrators can allow, block, or restrict these apps at an organizational-unit level. More importantly, they can limit OAuth scopes - for instance, enabling ChatGPT for employees while blocking access to Drive.

This is useful for controlling high-profile integrations, but it only works on the ~5,000 Marketplace apps Google curates. Any SaaS platform that supports Google OAuth but isn't in this catalogue won't appear here. In practice, this means Configured Apps is more of a "policy enforcement tool for known vendors" than a comprehensive SaaS management solution.

Accessed Apps is where unauthorized SaaS use becomes visible. It lists the third-party applications employees have already signed into with Google credentials. Admins typically see only the registered service name, OAuth scopes requested, Client ID. The vendor information, app URLs, or ownership details are not directly listed. For example, you might see "AI Marketer" in the console, but no way to know who owns it or what it does. Google auto-resolves about 60–70% of Client IDs, but the rest require manual lookups, which quickly becomes unsustainable in larger environments.

The real risk comes from scope requests. Even lightweight apps can ask for high-risk permissions such as full Gmail or Drive access, for example. Since unconfigured apps can't have their scopes restricted, administrators face an all-or-nothing decision. For attackers running consent-phishing campaigns, a single user approval can give persistent access to corporate data.

The Apps Under Review function, available in Google Workspace for Education, requires admin approval before under-18 users can authorize new apps. It's an effective pre-authorization gate that stops risky apps at the point of entry. Enterprises would benefit from a similar capability, especially for high-risk groups like finance, legal, or R&D. But for now, this safeguard is unavailable outside education tenants, leaving businesses with little native support for pre-emptively screening apps. If you need pre-authorization workflows, you'll have to implement them with third-party tools or internal processes.

Even with these tools, admins encounter operational constraints such as OAuth events appearing minutes after authorization, giving attackers a head start, identifying apps requiring external lookups and trial-and-error. In practice, this means enterprises often discover risky SaaS use too late, only after access has already been granted.

Google Workspace provides a framework for managing SaaS access, but its controls are reactive, incomplete, and burdened with manual overhead. To close these gaps, organizations are increasingly turning to browser detection and response (BDR) solutions, such as SquareX. These solutions operate at the browser level, giving security teams real-time insights and controls:

  • Immediate visibility into OAuth consent events
  • Application identification with names, vendors, and URLs - not just Client IDs
  • Cross-IdP monitoring beyond Google Workspace
  • Fine-grained permission control, blocking specific risky scopes
  • User-facing warnings when an app requests excessive permissions

This adds the missing operational layer: instead of chasing down logs after the fact, admins can detect, investigate, and block SaaS risks as they happen.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Precision Group unites IT & ESG for SGP+S Level 3
Safe AI coaches staff to cut cyber attack errors
AI reshapes cyber threats as experts warn on automation
Tenable hack of Copilot AI agent exposes fraud risks
Exclusive: Media.com helps verify users amidst Australia’s U16 social media ban

Top stories

SonicWall rolls out AI chat & tools for self-service
Enterprises pivot to risk-aware, human-centric AI in 2026
Cyber leaders warn resilience gap as boards eye 2026
AI bubble cools as HR shifts to outcomes & new roles
Keeper links identity security alerts into ServiceNow