November 28, 2023 at 10:12AM
Google is disputing a security vendor’s report on a design weakness in Google Workspace that allegedly exposes users to data theft and other security issues. According to Hunters Security, a flaw in Google Workspace’s domain-wide delegation feature allows attackers to steal email, exfiltrate data, and perform unauthorized actions. Google denies that the report identifies a security issue and recommends minimizing account privileges as the defense against such attacks. Hunters Security has published proof-of-concept code on GitHub to demonstrate the vulnerability, which it calls “DeleFriend.” Hunters has informed Google of the issue, but it remains unresolved.
Meeting Notes Summary:
Google is disputing a security vendor’s report about a design weakness in Google Workspace, called “DeleFriend,” that could lead to data theft and other security issues. The alleged flaw in Google Workspace’s domain-wide delegation feature allows attackers to steal email, exfiltrate data, and carry out unauthorized actions. Google rejects the characterization of the issue as a design flaw and emphasizes the importance of minimizing account privileges. Researchers at Hunters Security released proof-of-concept code on GitHub to demonstrate how the issue could be exploited. The vulnerability enables attackers to manipulate delegations in Google Cloud Platform and Google Workspace without requiring Super Admin privileges: by searching for service accounts with domain-wide delegation enabled, an attacker who already holds a lesser role can escalate privileges and carry out various malicious activities. The root cause, according to the report, lies in how domain-wide delegation is configured and in the absence of restrictions, at the API level, on which combinations of JSON Web Tokens are accepted. Google is aware of the issue but has not yet resolved it.