November 28, 2023 at 08:06AM
A design flaw in Google Workspace’s domain-wide delegation (DWD) feature poses a serious security risk, allowing threat actors to gain unauthorized access to Workspace APIs. The flaw, called DeleFriend, can be exploited by manipulating existing delegations in Google Cloud Platform and Workspace. It enables theft of emails, data exfiltration, and unauthorized actions within Google Workspace APIs. A proof-of-concept has been provided to detect misconfigurations.
Key Takeaways:
1. There is a severe design flaw in Google Workspace’s domain-wide delegation (DWD) feature that can lead to privilege escalation and unauthorized access to Workspace APIs without super admin privileges.
2. The design weakness, named DeleFriend, allows threat actors to manipulate existing delegations in the Google Cloud Platform and Google Workspace without having super admin privileges.
3. Domain-wide delegation is a powerful feature that enables third-party and internal apps to access users’ data across an organization’s Google Workspace environment.
4. The vulnerability lies in the fact that the domain-wide delegation configuration is bound to the service account’s resource identifier (its OAuth client ID) rather than to a specific private key, so any key created for that service account inherits the delegation.
5. Potential threat actors with limited access to a target GCP project can create JSON web tokens (JWTs) to identify successful combinations of private key pairs and authorized OAuth scopes for domain-wide delegation.
6. Successful exploitation of this flaw can result in the theft of emails, data exfiltration, and unauthorized actions within Google Workspace APIs for all identities in a target domain.
7. Hunters, a cybersecurity firm, has released a proof-of-concept (PoC) to detect DWD misconfigurations.
8. The potential consequences of malicious misuse of domain-wide delegation are significant, as it can impact every identity within the Workspace domain.
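The defender's check that items 4 and 5 imply: because a delegation is granted to the OAuth client ID, every user-managed key on a DWD-enabled service account is a usable credential for the whole delegated scope set. The script below is an added example, not Hunters' PoC; it runs offline over constructed inventory data whose field names are assumed to mirror `gcloud iam service-accounts describe` and `keys list` output, and ranks findings by whether the scopes reach mail or Drive.

```python
# Added example (not Hunters' PoC). Offline audit over constructed data: which
# DWD-enabled service accounts carry user-managed keys? Field names mirror
# `gcloud iam service-accounts describe` / `keys list` output (an assumption).

# Scopes the summary singles out as high impact (mail theft, data exfiltration).
HIGH_IMPACT_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                      "https://www.googleapis.com/auth/gmail.readonly"}

SA = "{}@proj.iam.gserviceaccount.com"  # constructed project "proj"
SERVICE_ACCOUNTS = [  # constructed: email and OAuth client ID per account
    {"email": SA.format("sync"), "oauth2ClientId": "1111"},
    {"email": SA.format("logs"), "oauth2ClientId": "2222"},
    {"email": SA.format("mailer"), "oauth2ClientId": "3333"},
]
KEYS = [  # constructed: key resource name and keyType, as `keys list` reports them
    {"name": "projects/proj/serviceAccounts/%s/keys/k1" % SA.format("sync"), "keyType": "USER_MANAGED"},
    {"name": "projects/proj/serviceAccounts/%s/keys/k2" % SA.format("sync"), "keyType": "SYSTEM_MANAGED"},
    {"name": "projects/proj/serviceAccounts/%s/keys/k3" % SA.format("logs"), "keyType": "USER_MANAGED"},
    {"name": "projects/proj/serviceAccounts/%s/keys/k4" % SA.format("mailer"), "keyType": "USER_MANAGED"},
]
DWD_AUTHORIZATIONS = {  # constructed: Workspace-side grants, keyed by OAuth client ID
    "1111": ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/calendar"],
    "2222": ["https://www.googleapis.com/auth/logging.read"],
}


def sa_email_from_key_name(name):
    """projects/P/serviceAccounts/EMAIL/keys/ID -> EMAIL."""
    parts = name.split("/")
    return parts[parts.index("serviceAccounts") + 1]


def audit_dwd(accounts, keys, dwd):
    """One finding per DWD-enabled account that has a user-managed key. DWD is bound
    to the client ID, not to a key, so each such key unlocks the full scope set."""
    user_keys = {}
    for k in keys:
        if k["keyType"] == "USER_MANAGED":
            key_id = k["name"].rsplit("/", 1)[1]
            user_keys.setdefault(sa_email_from_key_name(k["name"]), []).append(key_id)
    findings = []
    for sa in accounts:
        scopes = dwd.get(sa["oauth2ClientId"], [])
        if scopes and sa["email"] in user_keys:
            findings.append({"service_account": sa["email"], "client_id": sa["oauth2ClientId"],
                             "user_managed_keys": user_keys[sa["email"]], "scopes": scopes,
                             "high_impact": sorted(set(scopes) & HIGH_IMPACT_SCOPES)})
    # Most dangerous first: accounts whose delegated scopes reach mail or Drive.
    findings.sort(key=lambda f: (-len(f["high_impact"]), f["service_account"]))
    return findings


if __name__ == "__main__":
    for f in audit_dwd(SERVICE_ACCOUNTS, KEYS, DWD_AUTHORIZATIONS):
        print(f"{f['service_account']} keys={f['user_managed_keys']} high_impact={f['high_impact']}")
```

A service account with only system-managed keys (here `logs` would be one if `k3` were system-managed) drops out of the findings, since no exportable key exists for a project member to reuse; an account with no delegation at all (`mailer`) is irrelevant regardless of its keys.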