Researchers have publicly disclosed a design flaw in Google Workspace that allows unauthorized access. Although they responsibly reported the vulnerability to Google, it remained unpatched at the time of public disclosure. The researchers urge users to follow security best practices when using Google Workspace’s Domain-Wide Delegation feature.
DeleFriend Design Flaw Riddles Google Workspace Cloud
In a recent post, the cybersecurity firm Hunters described a severe design flaw affecting the security of Google Workspace users. Exploiting the flaw lets an adversary gain unauthorized access to Workspace APIs.
Identified as “DeleFriend,” the vulnerability affects the Domain-Wide Delegation (DWD) feature in Google Workspace. DWD establishes a delegation between Google Workspace apps and Google Cloud Platform identity objects, allowing GCP identities to perform tasks in apps such as Google Calendar and Drive with elevated privileges. That delegation is where the vulnerability lies.
Briefly, the researchers observed that potential adversaries could abuse the existing delegation between Google Workspace and Google Cloud Platform even without the Super Admin Workspace role that is normally required. Describing how an attacker might carry out the attack, the researchers explained in a press release:
With less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.
Specifically, the vulnerability exists because the domain delegation configuration is tied to the service account’s OAuth ID rather than to its private keys. Moreover, the API does not restrict fuzzing of JWT combinations, so nothing limits repeated delegation takeover attempts.
The researchers have explained the vulnerability in detail in their post.
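Added illustration, not code from the Hunters post or the DeleFriend tool: one way a defender could spot the scope-enumeration pattern described above in OAuth token-endpoint telemetry. It assumes a log of (timestamp, JWT assertion, HTTP status) records; the service-account names, impersonated users and scope sets below are constructed sample data.

```python
import base64
import json
from collections import defaultdict

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_assertion(claims: dict) -> str:
    """Build a compact JWT with a dummy signature (constructed sample data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_claims(assertion: str) -> dict:
    """Decode the payload of a compact JWT without verifying its signature."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def find_scope_enumeration(events, window_s=300, min_distinct=5):
    """events: iterable of (unix_ts, assertion, http_status) seen at the token endpoint.
    Returns {issuer: {"distinct_scopes": n, "failures": m}} for every service account
    that presented at least min_distinct different scope sets with a 'sub' claim
    (i.e. DWD-style impersonation) inside a window_s-second window."""
    by_iss = defaultdict(list)
    for ts, assertion, status in events:
        c = decode_claims(assertion)
        if "sub" in c:  # only impersonation attempts are relevant to DWD abuse
            by_iss[c["iss"]].append((ts, frozenset(c.get("scope", "").split()), status))
    flagged = {}
    for iss, reqs in by_iss.items():
        reqs.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(reqs):
            window = [r for r in reqs[i:] if r[0] - t0 <= window_s]
            scopes = {r[1] for r in window}
            if len(scopes) >= min_distinct:
                flagged[iss] = {"distinct_scopes": len(scopes),
                                "failures": sum(1 for r in window if r[2] != 200)}
                break
    return flagged

# Constructed sample: one account probing six scope sets for one user, one doing routine work.
SA_PROBE = "probe-sa@example-project.iam.gserviceaccount.com"   # hypothetical
SA_NORMAL = "sync-sa@example-project.iam.gserviceaccount.com"   # hypothetical
AUD = "https://oauth2.googleapis.com/token"
_S = ["https://www.googleapis.com/auth/" + s for s in
      ("drive", "calendar", "gmail.readonly", "admin.directory.user", "contacts", "spreadsheets")]
SAMPLE_EVENTS = [
    (1000 + i, make_unsigned_assertion({"iss": SA_PROBE, "sub": "user@example.com", "scope": s, "aud": AUD}), 401)
    for i, s in enumerate(_S)
] + [
    (1000 + 60 * i, make_unsigned_assertion({"iss": SA_NORMAL, "sub": "svc@example.com", "scope": _S[0], "aud": AUD}), 200)
    for i in range(6)
]
```

Real deployments would feed this from the token endpoint or Cloud Audit Logs rather than from the constructed list above.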
Patch Still Awaited
The researchers confirm that they disclosed the vulnerability to Google in August 2023. However, it remained unpatched at the time of their public disclosure. Hunters acknowledge that addressing a design flaw is tedious. Therefore, until a fix arrives, the researchers advise users to exercise caution with the Domain-Wide Delegation feature.
They have also released a DeleFriend PoC tool so that organizations can better understand the flaw through clear demonstrations.