Cybersecurity researchers from Hunters said they discovered a “severe design flaw” in a powerful Google Workspace feature.
Google, however, downplayed the findings, saying there are no underlying issues and that it’s just a matter of each company protecting its endpoints with the tools at its disposal.
As reported by The Hacker News, researchers discovered a flaw in the domain-wide delegation (DWD) feature, which hackers can allegedly exploit to escalate privileges and gain access to Workspace APIs without super admin privileges.
No underlying issues, says Google
Domain-wide delegation allows third-party apps, as well as internal apps, to access user data in a Google Workspace environment. The researchers said the feature is flawed because domain delegation configuration is determined by the service account resource identifier (OAuth ID), instead of private keys associated with the service account identity object.
“Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain,” the researchers said. The vulnerability was dubbed DeleFriend.
This would allow threat actors with low privileges to “create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.”
Consequently, threat actors could steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to showcase how the flaw can be abused.
“The potential consequences of malicious actors misusing domain-wide delegation are severe,” Hunters security researcher Yonatan Khanashvili said. “Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.
But Google is having none of it. “This report does not identify an underlying security issue in our products,” it told the publication. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.”