Cybersecurity researchers from Hunters said they found a “severe design flaw” in a powerful Google Workspace feature.
Google, however, downplayed the findings, saying there are no underlying issues and that it is simply a matter of each company protecting its endpoints with the tools at its disposal.
As reported by The Hacker News, researchers found a flaw in the domain-wide delegation (DWD) feature, which hackers can allegedly exploit to escalate privileges and gain access to Workspace APIs without super admin privileges.
No underlying issues, says Google
Domain-wide delegation allows third-party apps, as well as internal apps, to access user data in a Google Workspace environment. The researchers said the feature is flawed because the domain delegation configuration is determined by the service account resource identifier (OAuth ID), instead of the private keys associated with the service account identity object.
“Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain,” the researchers said. The vulnerability was dubbed DeleFriend.
This could allow threat actors with low privileges to “create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.”
As a result, threat actors could steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to showcase how the flaw could be abused.
“The potential consequences of malicious actors misusing domain-wide delegation are severe,” Hunters security researcher Yonatan Khanashvili said. “Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.”
But Google is having none of it. “This report does not identify an underlying security issue in our products,” it told the publication. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.”
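Because delegation is tied to the service account's OAuth ID rather than to a particular key, a defender can review which principals are able to create keys for each delegated account. The following is an added example, not code from Hunters, Google or the original article; the inventory data, field names and the set of key-creating roles are constructed assumptions.

```python
# Added example. All data below is constructed; nothing here calls a Google API.
# Assumption: these roles include the iam.serviceAccountKeys.create permission.
KEY_CREATING_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountKeyAdmin"}

# Constructed: OAuth client ID -> scopes granted under domain-wide delegation.
DWD_ENTRIES = {
    "100000000000000000001": ["https://www.googleapis.com/auth/gmail.readonly"],
    "100000000000000000002": ["https://www.googleapis.com/auth/drive"],
    "100000000000000000009": ["https://www.googleapis.com/auth/drive"],
}

# Constructed: service accounts with their OAuth ID, key count and IAM bindings.
SERVICE_ACCOUNTS = [
    {"email": "mail-sync@proj-a.iam.gserviceaccount.com",
     "oauth_id": "100000000000000000001", "user_managed_keys": 2,
     "bindings": {"roles/editor": ["user:dev1@example.com", "group:devs@example.com"],
                  "roles/viewer": ["user:audit@example.com"]}},
    {"email": "backup@proj-b.iam.gserviceaccount.com",
     "oauth_id": "100000000000000000002", "user_managed_keys": 0,
     "bindings": {"roles/viewer": ["user:audit@example.com"]}},
    {"email": "ci@proj-a.iam.gserviceaccount.com",
     "oauth_id": "100000000000000000003", "user_managed_keys": 1,
     "bindings": {"roles/owner": ["user:admin@example.com"]}},
]


def audit_delegation(dwd_entries, service_accounts):
    """Return (findings, unmatched_ids) for service accounts that hold delegation."""
    by_id = {sa["oauth_id"]: sa for sa in service_accounts}
    findings = []
    for oauth_id, scopes in sorted(dwd_entries.items()):
        sa = by_id.get(oauth_id)
        if sa is None:
            continue
        # Delegation follows the OAuth ID, so every principal able to mint a
        # new key for this account can act with the delegated scopes.
        creators = sorted({m for role, members in sa["bindings"].items()
                           if role in KEY_CREATING_ROLES for m in members})
        findings.append({"email": sa["email"], "scopes": scopes,
                         "user_managed_keys": sa["user_managed_keys"],
                         "key_creators": creators,
                         "at_risk": bool(creators) or sa["user_managed_keys"] > 0})
    # Delegated client IDs with no known service account need manual review.
    unmatched = sorted(set(dwd_entries) - set(by_id))
    return findings, unmatched


if __name__ == "__main__":
    for row in audit_delegation(DWD_ENTRIES, SERVICE_ACCOUNTS)[0]:
        print(row)
```

Accounts flagged `at_risk` are candidates for removing key-creation rights or unused delegation, in line with the least-privilege guidance Google cites.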