Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access

Nov 28, 2023NewsroomData Security / Data Breach

Cybersecurity researchers have detailed a “severe design flaw” in Google Workspace’s domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.

“Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain,” cybersecurity firm Hunters said in a technical report shared with The Hacker News.

The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.

Domain-wide delegation, per Google, is a “powerful feature” that allows third-party and internal apps to access users’ data across an organization’s Google Workspace environment.

Cybersecurity

The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

As a result, potential threat actors with less privileged access to a target GCP project could “create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.”

Google Workspace

To put it differently, an IAM identity that has access to create new private keys to a relevant GCP service account resource that has existing domain-wide delegation permission can be leveraged to create a fresh private key, which can be used to perform API calls to Google Workspace on behalf of other identities in the domain.

Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be utilized to detect DWD misconfigurations.

“The potential consequences of malicious actors misusing domain-wide delegation are severe,” Hunters security researcher Yonatan Khanashvili said. “Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Cyber Security

Articles You May Like

Adobe Introduces Generative AI Assistant That Can Summarise PDFs for Acrobat and Reader
FTC Slams Avast with $16.5 Million Fine for Selling Users’ Browsing Data
Intel Signs Microsoft as Foundry Customer; Says Firm on Track to Overtake Biggest Rival TSMC
Dormant PyPI Package Compromised to Spread Nova Sentinel Malware
Instagram Creator Marketplace Expands to India; Meta Tests AI-Powered Creator Recommendations

Leave a Reply

Your email address will not be published. Required fields are marked *