Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and gain unauthorized access to Workspace APIs without super admin privileges.
"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," cybersecurity firm Hunters said in a technical report shared with The Hacker News.
The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.
Domain-wide delegation, per Google, is a "powerful feature" that allows third-party and internal apps to access users' data across an organization's Google Workspace environment.
The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.
As a result, potential threat actors with less privileged access to a target GCP project could "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."
To put it differently, an IAM identity that has access to create new private keys for a relevant GCP service account resource that has existing domain-wide delegation permission can be leveraged to create a fresh private key, which can be used to perform API calls to Google Workspace on behalf of other identities in the domain.
Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be used to detect DWD misconfigurations.
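The risky condition the article describes is a combination: a service account whose OAuth client ID is enrolled for domain-wide delegation, plus an IAM principal who can mint new private keys for that service account. The following Python audit helper is an added example (not Hunters' PoC and not Google code) that flags exactly that combination. It runs offline on constructed sample data: `DWD_CLIENT_IDS` stands in for the client IDs listed on the Admin console's domain-wide delegation page, `SERVICE_ACCOUNTS` stands in for per-service-account IAM policies, and `KEY_CREATE_ROLES` is an assumed, partial list of predefined roles that carry `iam.serviceAccountKeys.create`; the principal and project names are placeholders.

```python
"""
Audit helper: flag IAM principals that can create new private keys for a GCP
service account whose OAuth client ID is enrolled for domain-wide delegation.

Added illustrative example; not Hunters' PoC and not Google's own tooling.
Runs fully offline on constructed sample data.
"""
from dataclasses import dataclass

# Constructed: client IDs as they would appear on the Admin console's
# "Domain-wide delegation" page (Security > API controls).
DWD_CLIENT_IDS = {"100000000000000000001", "100000000000000000002"}

# Constructed: one entry per service account, with its OAuth2 client ID and
# the IAM bindings that apply to it. In a real audit, merge project-level
# bindings in as well, since those also grant key creation on every SA.
SERVICE_ACCOUNTS = [
    {
        "email": "mail-sync@example-project.iam.gserviceaccount.com",
        "oauth2ClientId": "100000000000000000001",  # enrolled for DWD
        "bindings": [
            {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["user:dev@example.com"]},
            {"role": "roles/iam.serviceAccountUser", "members": ["group:ops@example.com"]},
        ],
    },
    {
        "email": "ci-runner@example-project.iam.gserviceaccount.com",
        "oauth2ClientId": "100000000000000000003",  # not enrolled for DWD
        "bindings": [
            {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["user:dev@example.com"]},
        ],
    },
    {
        "email": "calendar-bot@example-project.iam.gserviceaccount.com",
        "oauth2ClientId": "100000000000000000002",  # enrolled for DWD
        "bindings": [
            {"role": "roles/iam.serviceAccountUser", "members": ["user:analyst@example.com"]},
            {"role": "roles/editor", "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
        ],
    },
]

# Assumption: predefined roles that include iam.serviceAccountKeys.create.
# This list is partial; extend it with any custom roles in your organization.
KEY_CREATE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
}


@dataclass(frozen=True)
class Finding:
    """A principal able to mint keys for a DWD-enabled service account."""
    service_account: str
    principal: str
    role: str


def find_risky_key_creators(service_accounts, dwd_client_ids, key_create_roles=KEY_CREATE_ROLES):
    """Return one Finding per (service account, principal, role) where the SA is
    enrolled for DWD and the role lets the principal create a new private key."""
    findings = []
    for sa in service_accounts:
        if sa["oauth2ClientId"] not in dwd_client_ids:
            continue  # no delegation, so a new key would not reach Workspace data
        for binding in sa["bindings"]:
            if binding["role"] not in key_create_roles:
                continue  # e.g. serviceAccountUser can impersonate but not mint keys
            for member in binding["members"]:
                findings.append(Finding(sa["email"], member, binding["role"]))
    return findings


if __name__ == "__main__":
    for f in find_risky_key_creators(SERVICE_ACCOUNTS, DWD_CLIENT_IDS):
        print(f"{f.principal} can create keys for DWD-enabled {f.service_account} via {f.role}")
```

On the constructed data this reports two findings: `dev@example.com` on `mail-sync` (directly via the key-admin role) and the `deploy` service account on `calendar-bot` (via `roles/editor`, which is easy to overlook). `ci-runner` is skipped because its client ID is not enrolled for delegation. The fix on the Workspace side is to remove or narrow the delegation entry; on the GCP side, it is to strip key-creation rights from these principals or to disable user-managed key creation for the project.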
"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity across the Workspace domain.