Researchers publicly disclosed a design flaw affecting Google Workspace that permits unauthorized access. While they responsibly disclosed the vulnerability to Google, the bug remained unpatched until public disclosure. The researchers urge users to implement security best practices when using Google Workspace's Domain-Wide Delegation feature.
DeleFriend Design Flaw Riddles Google Workspace Cloud
In a recent post, the cybersecurity firm Hunters elaborated on a severe design flaw affecting the security of Google Workspace users. Exploiting the flaw lets an adversary gain unauthorized access to Workspace APIs.
Identified as "DeleFriend," the vulnerability affects the Domain-Wide Delegation (DWD) feature in Google Workspace. This feature permits delegation between Google Workspace apps and Google Cloud Platform identity objects, allowing GCP identities to execute tasks on apps like Google Calendar, Drive, and more, with elevated privileges. That's where the vulnerability exists.
In brief, the researchers observed that potential adversaries could exploit the existing delegation between Google Workspace and Google Cloud Platform even without the mandatory Super Admin Workspace role. Describing how an attacker could execute the attack, the researchers explained in a press release,
With less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.
Specifically, the vulnerability exists because the domain delegation configuration is determined by the OAuth ID rather than by the private keys of the service account identity object. Moreover, the API level places no restriction on fuzzing JWT combinations, so it does nothing to limit delegation takeover attempts.
The researchers have explained the vulnerability in detail in their post.
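Because the delegation follows the service account's OAuth ID and not a particular key, anyone who can create a key for a delegated account inherits its Workspace scopes. The following is an added audit sketch, not code from Hunters or Google: it cross-references delegated client IDs with service accounts and key-creating principals. The inventory, its field names, and the approved-admin list are constructed assumptions.

```python
# Predefined roles that include iam.serviceAccountKeys.create (non-exhaustive).
KEY_CREATING_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountKeyAdmin"}

# Constructed sample inventory (not real identifiers; field names are assumptions).
DWD_ENTRIES = [  # Workspace side: delegated OAuth client ID -> authorized scopes
    {"client_id": "100000000000000000001",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"client_id": "100000000000000000002",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"client_id": "100000000000000000009",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]
SERVICE_ACCOUNTS = [  # GCP side: one record per service account
    {"email": "sync@proj-a.iam.gserviceaccount.com", "client_id": "100000000000000000001",
     "project": "proj-a", "user_managed_keys": 3},
    {"email": "cal@proj-b.iam.gserviceaccount.com", "client_id": "100000000000000000002",
     "project": "proj-b", "user_managed_keys": 0},
]
PROJECT_BINDINGS = {  # project -> (role, member) pairs from its IAM policy
    "proj-a": [("roles/editor", "user:dev1@example.com"),
               ("roles/owner", "user:admin@example.com")],
    "proj-b": [("roles/viewer", "user:dev2@example.com"),
               ("roles/iam.serviceAccountKeyAdmin", "user:admin@example.com")],
}
APPROVED_KEY_ADMINS = {"user:admin@example.com"}

def audit_delegations(dwd, accounts, bindings, approved):
    """Return one finding per delegated client ID that needs review."""
    by_client = {sa["client_id"]: sa for sa in accounts}
    findings = []
    for entry in dwd:
        sa = by_client.get(entry["client_id"])
        if sa is None:  # delegation exists but the identity is not in the inventory
            findings.append({"client_id": entry["client_id"],
                             "issue": "unmapped_client_id", "scopes": entry["scopes"]})
            continue
        # Anyone who can create a key for this account inherits its delegation.
        creators = sorted({m for role, m in bindings.get(sa["project"], [])
                           if role in KEY_CREATING_ROLES} - approved)
        if creators or sa["user_managed_keys"]:
            findings.append({"client_id": entry["client_id"], "issue": "key_exposure",
                             "account": sa["email"], "unapproved_key_creators": creators,
                             "user_managed_keys": sa["user_managed_keys"],
                             "scopes": entry["scopes"]})
    return findings

if __name__ == "__main__":
    for finding in audit_delegations(DWD_ENTRIES, SERVICE_ACCOUNTS,
                                     PROJECT_BINDINGS, APPROVED_KEY_ADMINS):
        print(finding)
```

A real audit would also expand custom roles and bindings set at the folder, organization, or individual service-account level, which this sketch does not model.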
Patch Still Awaited
The researchers confirm disclosing the vulnerability to Google in August 2023. However, until their public disclosure, the vulnerability remained unpatched. Hunters acknowledges that addressing a design flaw is tedious. Therefore, until a fix arrives, the researchers advise users to exercise caution with the Domain-Wide Delegation feature.
Besides, they have also released a DeleFriend PoC tool for organizations to understand the flaw better with clear demonstrations.