Google Workspace apparently has an obvious flaw that could lead to cyberattacks

Cybersecurity researchers at Hunters said they discovered a “serious design flaw” in a powerful Google Workspace feature.

However, Google downplayed the findings, saying there are no underlying issues and that it’s simply a matter of each company protecting its endpoints with the tools at its disposal.

As reported by The Hacker News, researchers discovered a flaw in the domain-wide delegation (DWD) feature, which hackers could exploit to escalate privileges and gain access to Workspace APIs without super admin rights.


No underlying problems, Google says

Domain-wide delegation gives third-party apps, as well as internal apps, access to user data in a Google Workspace environment. The researchers say the feature is flawed because domain delegation configuration is determined by the service account resource ID (OAuth ID), rather than private keys associated with the service account identity object.
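Because the delegation is tied to the OAuth ID rather than to a particular key, every user-managed key on a delegated service account can use the delegated scopes. The following audit sketch is an added example, not code from Hunters, Google or the original article; the identifiers, field names and review date are constructed, and treating the two listed scopes as "broad" is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample data; none of these identifiers are real.
# OAuth ID -> scopes authorised for domain-wide delegation in Workspace.
DWD_ENTRIES = {
    "100000000000000000001": ["https://www.googleapis.com/auth/gmail.readonly"],
    "100000000000000000002": ["https://www.googleapis.com/auth/drive"],
}
# Service account key inventory (field names are assumptions for this example).
KEYS = [
    {"oauth_id": "100000000000000000001", "key_id": "k1", "type": "USER_MANAGED",
     "created": "2023-01-10T09:00:00Z"},
    {"oauth_id": "100000000000000000001", "key_id": "k2", "type": "USER_MANAGED",
     "created": "2023-11-20T02:14:00Z"},
    {"oauth_id": "100000000000000000002", "key_id": "k3", "type": "SYSTEM_MANAGED",
     "created": "2023-11-01T00:00:00Z"},
    {"oauth_id": "100000000000000000002", "key_id": "k4", "type": "USER_MANAGED",
     "created": "2023-03-01T12:00:00Z"},
    {"oauth_id": "100000000000000000003", "key_id": "k5", "type": "USER_MANAGED",
     "created": "2023-11-21T08:00:00Z"},
]
BROAD_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/drive"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_delegated_keys(dwd_entries, keys, last_review):
    """List user-managed keys that can use a delegation, with reasons to review."""
    findings = []
    for key in keys:
        scopes = dwd_entries.get(key["oauth_id"])
        # Delegation follows the OAuth ID, so only keys on delegated accounts
        # matter; system-managed keys are skipped (not downloadable).
        if scopes is None or key["type"] != "USER_MANAGED":
            continue
        reasons = ["key can use delegated scopes"]
        if _ts(key["created"]) > _ts(last_review):
            reasons.append("created after last delegation review")
        if BROAD_SCOPES.intersection(scopes):
            reasons.append("broad scope delegated")
        findings.append({"key_id": key["key_id"], "oauth_id": key["oauth_id"],
                         "scopes": scopes, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_delegated_keys(DWD_ENTRIES, KEYS, "2023-06-01T00:00:00Z"):
        print(f["key_id"], f["oauth_id"], "; ".join(f["reasons"]))
```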

“Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all identities in the target domain,” the researchers said. The vulnerability was named DeleFriend.

This would allow low-privilege threat actors to create “numerous JSON web tokens (JWTs) composed of different OAuth scopes, with the goal of locating successful combinations of private key pairs and authorized OAuth scopes that indicate domain-wide security for the service account delegation is enabled.”

Consequently, threat actors can steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to show how the flaw can be exploited.

“The potential consequences of malicious actors abusing domain-wide delegation are serious,” said Hunters security researcher Yonatan Khanashvili. “Rather than impacting just one identity, as with individual OAuth permission, exploiting DWD with existing delegation can impact any identity within the Workspace domain.”

But Google is having none of it. “This report does not identify any underlying security issue in our products,” the company said. “As a best practice, we encourage users to ensure that all accounts have as few permissions as possible (see guidelines here). This is the key to combating these types of attacks.”
