
Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access


Nov 28, 2023 | Newsroom | Data Security / Data Breach


Cybersecurity researchers have detailed a “severe design flaw” in Google Workspace’s domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.

“Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain,” cybersecurity firm Hunters said in a technical report shared with The Hacker News.

The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.

Domain-wide delegation, per Google, is a “powerful feature” that allows third-party and internal apps to access users’ data across an organization’s Google Workspace environment.


The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

As a result, potential threat actors with less privileged access to a target GCP project could “create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.”


To put it differently, an IAM identity that has access to create new private keys to a relevant GCP service account resource that has existing domain-wide delegation permission can be leveraged to create a fresh private key, which can be used to perform API calls to Google Workspace on behalf of other identities in the domain.

Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be utilized to detect DWD misconfigurations.
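Because the delegation follows the service account's OAuth ID rather than any one key, a defender can watch for new keys minted on delegated accounts. The sketch below is an added example, not the Hunters PoC or code from the article: it scans constructed, simplified Cloud Audit Log entries for `CreateServiceAccountKey` calls on service accounts whose ID appears in a hand-exported list of DWD client IDs. It assumes the audit entry's `resource.labels.unique_id` matches the OAuth client ID shown in the Workspace Admin console; the function and variable names are hypothetical.

```python
import json

KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"

def _entry(ts, method, principal, sa_email, unique_id):
    """Build one constructed, simplified audit log entry as a JSON line."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {"methodName": method,
                         "authenticationInfo": {"principalEmail": principal}},
        "resource": {"type": "service_account",
                     "labels": {"email_id": sa_email, "unique_id": unique_id}},
    })

# Constructed sample data: all identities and IDs below are made up.
DWD_CLIENT_IDS = {"100000000000000000001"}  # client IDs granted DWD in the Admin console
SAMPLE_LOG = "\n".join([
    _entry("2023-11-28T09:00:00Z", KEY_CREATE, "dev@example.com",
           "mail-sync@proj.iam.gserviceaccount.com", "100000000000000000001"),
    _entry("2023-11-28T09:05:00Z", KEY_CREATE, "dev@example.com",
           "build@proj.iam.gserviceaccount.com", "100000000000000000002"),
    _entry("2023-11-28T09:10:00Z", "google.iam.admin.v1.GetServiceAccount",
           "ops@example.com", "mail-sync@proj.iam.gserviceaccount.com",
           "100000000000000000001"),
    "not-json garbage line",
])

def find_dwd_key_creations(log_text, dwd_client_ids, approved_principals=frozenset()):
    """Return key-creation events on service accounts that hold DWD."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        payload = entry.get("protoPayload", {})
        labels = entry.get("resource", {}).get("labels", {})
        if payload.get("methodName") != KEY_CREATE:
            continue
        # The delegation is bound to the OAuth client ID, so any new key inherits it.
        if labels.get("unique_id") not in dwd_client_ids:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        if principal in approved_principals:
            continue
        findings.append({"time": entry.get("timestamp"), "principal": principal,
                         "service_account": labels.get("email_id"),
                         "client_id": labels.get("unique_id")})
    return findings

if __name__ == "__main__":
    for f in find_dwd_key_creations(SAMPLE_LOG, DWD_CLIENT_IDS):
        print(f)
```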

“The potential consequences of malicious actors misusing domain-wide delegation are severe,” Hunters security researcher Yonatan Khanashvili said. “Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.”
