Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," cybersecurity firm Hunters said in a technical report shared with The Hacker News.

The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.

Domain-wide delegation, per Google, is a "powerful feature" that allows third-party and internal apps to access users' data across an organization's Google Workspace environment.

The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

As a result, potential threat actors with less privileged access to a target GCP project could "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."

To put it differently, an IAM identity that has access to create new private keys for a relevant GCP service account resource that has existing domain-wide delegation permission can be leveraged to create a fresh private key, which can be used to perform API calls to Google Workspace on behalf of other identities in the domain.
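Because the delegation grant is bound to the service account's OAuth client ID rather than to any particular key, every newly minted key for a DWD-enabled service account is a new path into the whole domain. As an added detection-side example (not code from Hunters' report or PoC), the check below reads constructed, simplified IAM audit-log entries and flags key creations on service accounts whose client IDs carry a DWD grant; the client IDs, principals and log shape are placeholders.

```python
import json

# Constructed placeholder: OAuth client IDs (service account unique IDs) that an
# admin has authorized for domain-wide delegation in the Workspace console.
DWD_CLIENT_IDS = {"101234567890123456789"}

# Constructed, simplified entries in the shape of GCP IAM Admin Activity audit
# logs; only the fields this check reads are included.
SAMPLE_LOGS = [
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/101234567890123456789",
        "authenticationInfo": {"principalEmail": "dev@example.com"}},
        "timestamp": "2023-11-28T10:00:00Z"}),
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/109876543210987654321",
        "authenticationInfo": {"principalEmail": "ci@example.com"}},
        "timestamp": "2023-11-28T10:05:00Z"}),
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.GetServiceAccount",
        "resourceName": "projects/-/serviceAccounts/101234567890123456789",
        "authenticationInfo": {"principalEmail": "dev@example.com"}},
        "timestamp": "2023-11-28T10:06:00Z"}),
]

KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"


def parse_entry(line):
    """Return (method, service account unique ID, principal, timestamp) or None."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    resource = payload.get("resourceName", "")
    if not resource.startswith("projects/"):
        return None
    sa_id = resource.rsplit("/", 1)[-1]
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    return payload.get("methodName", ""), sa_id, principal, entry.get("timestamp", "")


def find_dwd_key_creations(lines, dwd_client_ids):
    """Flag new private keys minted for service accounts that hold a DWD grant.
    Any such key can sign JWTs on behalf of every user in the domain, so each hit
    deserves review no matter which principal created it."""
    hits = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        method, sa_id, principal, ts = parsed
        if method == KEY_CREATE and sa_id in dwd_client_ids:
            hits.append({"service_account": sa_id, "by": principal, "at": ts})
    return hits
```

Run against real exports, the same check pairs naturally with the `constraints/iam.disableServiceAccountKeyCreation` organization policy, which removes the key-creation path entirely where user-managed keys are not needed.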
Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be utilized to detect DWD misconfigurations.

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can affect every identity within the Workspace domain.