A critical design flaw in Google Workspace’s domain-wide delegation (DWD) feature was just discovered, presenting a potential avenue for threat actors to escalate privileges and gain unauthorized access to Workspace APIs.
Meet the DeleFriend Design Flaw in Google Cloud Platform
Dubbed “DeleFriend,” this Google flaw allows manipulation of existing delegations in the Google Cloud Platform (GCP) and Google Workspace without requiring super admin privileges, posing a serious threat to the security of Gmail, Google Drive, and other services within the Workspace domain.
The vulnerability lies in the design of domain delegation configurations, specifically in how the OAuth ID determines the delegation rather than the private keys associated with the service account identity object. Threat actors with limited access to a target GCP project could exploit this weakness by creating numerous JSON web tokens (JWTs) with different OAuth scopes, aiming to identify successful combinations of private key pairs and authorized OAuth scopes indicating domain-wide delegation.
In simpler terms, an identity with the ability to create new private keys for a relevant GCP service account resource, already possessing domain-wide delegation permission, can generate a fresh private key. This key can then be used to execute API calls to Google Workspace on behalf of other identities in the domain, potentially leading to the exfiltration of sensitive data from services like Gmail, Drive, Calendar, and more.
Hunters, the cybersecurity firm that discovered the design flaw, emphasizes the severe consequences of malicious actors exploiting domain-wide delegation, stating that it has the potential to impact every identity within the Workspace domain, as opposed to individual OAuth consent. To aid in detecting misconfigurations, Hunters has released a proof-of-concept (PoC) that showcases the exploit’s potential, pointing at the urgency of addressing this critical security loophole in Google Workspace.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: