Security researchers have uncovered a new design flaw in the Google Workspace Domain-Wide Delegation feature.
Named “DeleFriend” by Hunters’ Team Axon, the vulnerability could potentially expose Google Workspace to unauthorized access and privilege escalation in its APIs.
According to an advisory published by the team on Tuesday, exploiting this flaw could lead to unauthorized access to Gmail messages, extraction of data from Google Drive and other illicit activity through the Google Workspace APIs across every identity in the targeted domain.
DeleFriend permits potential attackers to manipulate established delegations in both Google Cloud Platform (GCP) and Google Workspace. Notably, this manipulation does not require the high-privilege Workspace Super Admin role that is normally needed to create a new delegation.
Instead, by having lower-privileged access to a targeted GCP project, attackers can generate multiple JSON web tokens (JWTs) incorporating various OAuth scopes. The objective is to identify successful combinations of private key pairs and authorized OAuth scopes, signaling the activation of domain-wide delegation for the service account.
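A defender-side illustration of the key-and-scope sweep just described, added here and not part of the Hunters advisory or its tool: it runs a simple detection over constructed token-request records (the record schema, service-account names and key ids are assumptions, not Google's audit-log format) and flags any service-account key used to request tokens for many distinct OAuth scope sets within a short window, which is the pattern a DeleFriend-style search for a working delegation produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical schema, not Google's audit-log format):
# one record per OAuth token request signed with a service-account private key.
GMAIL = "https://www.googleapis.com/auth/gmail.readonly"
DRIVE = "https://www.googleapis.com/auth/drive.readonly"
ADMIN = "https://www.googleapis.com/auth/admin.directory.user"
SA1 = "sa-1@proj.iam.gserviceaccount.com"  # assumed name
SA2 = "sa-2@proj.iam.gserviceaccount.com"  # assumed name

SAMPLE_EVENTS = [
    # sa-1: one key tried against several scope sets within seconds, then one succeeds
    {"ts": "2023-11-28T10:00:01", "sa": SA1, "key_id": "k1", "scopes": (GMAIL,), "result": "denied"},
    {"ts": "2023-11-28T10:00:02", "sa": SA1, "key_id": "k1", "scopes": (DRIVE,), "result": "denied"},
    {"ts": "2023-11-28T10:00:03", "sa": SA1, "key_id": "k1", "scopes": (ADMIN,), "result": "denied"},
    {"ts": "2023-11-28T10:00:04", "sa": SA1, "key_id": "k1", "scopes": (GMAIL, DRIVE), "result": "denied"},
    {"ts": "2023-11-28T10:00:05", "sa": SA1, "key_id": "k1", "scopes": (GMAIL, DRIVE, ADMIN), "result": "ok"},
    # sa-2: a legitimate integration requesting the same scope set every hour
    {"ts": "2023-11-28T10:00:01", "sa": SA2, "key_id": "k9", "scopes": (DRIVE,), "result": "ok"},
    {"ts": "2023-11-28T11:00:01", "sa": SA2, "key_id": "k9", "scopes": (DRIVE,), "result": "ok"},
]


def detect_scope_enumeration(events, window=timedelta(minutes=10), min_scope_sets=4):
    """Return one alert per (service account, key id) whose key requested tokens
    for at least `min_scope_sets` distinct scope sets inside `window`.
    Repeating a single scope set never trips the rule, so a stable integration
    stays quiet while a key-and-scope sweep does not."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["sa"], e["key_id"])].append((datetime.fromisoformat(e["ts"]), e))
    alerts = []
    for (sa, key_id), recs in by_key.items():
        recs.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(recs):
            in_window = [e for t, e in recs[i:] if t - t0 <= window]
            scope_sets = {frozenset(e["scopes"]) for e in in_window}
            if len(scope_sets) >= min_scope_sets:
                alerts.append({
                    "sa": sa, "key_id": key_id,
                    "distinct_scope_sets": len(scope_sets),
                    "denied": sum(e["result"] != "ok" for e in in_window),
                    # the scope set(s) that worked: the delegation an attacker would now hold
                    "granted_scope_sets": [sorted(e["scopes"]) for e in in_window if e["result"] == "ok"],
                })
                break  # one alert per key is enough
    return alerts
```

The `granted_scope_sets` field tells the responder which delegation and scopes to revoke or review first.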
Team Axon’s research paper also introduced a proof-of-concept tool to evaluate security risks within Google Workspace and GCP environments in relation to this flaw.
“These types of vulnerabilities underscore why having independent visibility into SaaS Data Access is critical,” commented Tim Davis, vice president of solution consulting at DoControl.
“No SaaS platform will ever have perfect security, and this only reiterates the need for having tools in place to recognize, alert, and even automatically remediate when data in a SaaS platform is being accessed via previously unseen or abnormal means, whether by users, APIs, or 3rd party applications.”
Key recommendations outlined in the Hunters blog post include smart role management, limiting OAuth scopes, implementing detection engineering and maintaining a continuous examination of security postures.
The responsible disclosure timeline shows that the vulnerability was reported to Google on August 7, 2023, initially categorized as an “Abuse Risk,” and accepted on October 31, 2023. As of the latest update, the flaw remains unaddressed despite the disclosure.
“Google is currently reviewing the vulnerability, but in the meantime, security teams using Google Workspace should audit their permissions and be sure that the GCP permissions are locked down to only accounts that need the access,” explained Adam Neel, cyber-research unit detection engineer at Critical Start.
“This permission is commonly given through the ‘Editor’ role, but custom roles could have it as well. To exploit this vulnerability, attackers must have initial access to a GCP IAM user. Without direct access to an account, attackers will be unable to exploit this vulnerability.”