A Design Flaw in Google Workspace Puts Organizations at Risk: Uncovering “DeleFriend”
In a recent discovery by cybersecurity firm Hunters’ Team Axon, a critical design flaw has been unearthed in Google Workspace’s domain-wide delegation (DWD) feature. Named “DeleFriend” by the researchers, this vulnerability poses a serious threat, allowing potential attackers to exploit existing delegations, leading to privilege escalation and unauthorized access to Workspace APIs.
The Anatomy of DeleFriend
Domain-wide delegation lets a Google Cloud Platform (GCP) service account act on behalf of any user in a Google Workspace domain when it calls Workspace APIs (Gmail, Drive, Calendar and other Google SaaS applications), within the OAuth scopes granted to that service account. Creating a new delegation requires the high-privilege Super Admin role in Workspace. The flaw identified by Hunters’ Team Axon sidesteps that requirement: an attacker with far lower privileges on the GCP side can take over delegations that already exist.
The root cause is that a delegation is bound to the service account’s resource identifier (its OAuth client ID), not to any particular private key of that service account. Any valid key for the account, including one an attacker creates later, can therefore sign an assertion that the existing delegation accepts. Because the API imposes no restrictions on the combinations of JWT assertions a caller may try, an attacker can enumerate service accounts, keys, impersonated users and OAuth scopes until a combination succeeds, which amounts to a takeover of the existing delegation.
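To make the binding concrete, here is an added example (not code from Hunters or from Google) that builds and verifies the kind of signed JWT assertion a domain-wide delegation client presents to Google’s token endpoint, and lists the combinations a DeleFriend-style enumeration would try. It assumes the standard jwt-bearer assertion layout (iss = service account email, sub = impersonated user, scope, aud = token endpoint) and uses freshly generated RSA keys plus constructed account names; nothing here contacts Google. The point it demonstrates is that two different keys for the same service account produce assertions with the same iss, which is what the delegation lookup keys on.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims of a domain-wide delegation assertion. The delegation rule is matched
// on iss (the service account's identity); the key only has to be valid for it.
type DWDClaims struct {
	Iss   string `json:"iss"`   // service account email
	Sub   string `json:"sub"`   // Workspace user being impersonated
	Scope string `json:"scope"` // space-separated OAuth scopes
	Aud   string `json:"aud"`   // token endpoint
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

const tokenEndpoint = "https://oauth2.googleapis.com/token"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs an RS256 JWT of the form a client POSTs to the token
// endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
func BuildAssertion(key *rsa.PrivateKey, saEmail, subject string, scopes []string, now time.Time) (string, error) {
	body, err := json.Marshal(DWDClaims{
		Iss: saEmail, Sub: subject, Scope: strings.Join(scopes, " "),
		Aud: tokenEndpoint, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(),
	})
	if err != nil {
		return "", err
	}
	input := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// ParseAndVerify checks the signature with the service account's public key and
// returns the claims, as the token endpoint would before looking up iss.
func ParseAndVerify(pub *rsa.PublicKey, token string) (*DWDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c DWDClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// EnumerationPlan lists the (key, subject, scope set) combinations a
// DeleFriend-style tool would try for one service account; a 200 from the
// token endpoint for any of them reveals an existing delegation and its scopes.
func EnumerationPlan(keyIDs, subjects []string, scopeSets [][]string) []string {
	var plan []string
	for _, k := range keyIDs {
		for _, s := range subjects {
			for _, sc := range scopeSets {
				plan = append(plan, k+"|"+s+"|"+strings.Join(sc, " "))
			}
		}
	}
	return plan
}

func main() {
	// Constructed names, not a real tenant. Two freshly minted keys for the
	// same service account yield assertions with the same iss.
	sa := "dwd-sa@example-project.iam.gserviceaccount.com"
	scopes := []string{"https://www.googleapis.com/auth/gmail.readonly"}
	for i := 0; i < 2; i++ {
		key, _ := rsa.GenerateKey(rand.Reader, 2048)
		tok, _ := BuildAssertion(key, sa, "admin@example.com", scopes, time.Now())
		c, _ := ParseAndVerify(&key.PublicKey, tok)
		fmt.Printf("key %d -> iss=%s sub=%s scope=%s\n", i+1, c.Iss, c.Sub, c.Scope)
	}
}
```

Nothing in the assertion identifies which key signed it beyond the signature itself, so revoking the key an attacker found does not help if they can mint another one; the inventory of keys on delegated service accounts is what has to be controlled.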
Amplifying the Risk
Several factors amplify the risk associated with this design flaw:
- Long Life of Service Account Keys: GCP service account keys are created without an expiry date by default, so a key an attacker mints on a delegated service account is a backdoor with long-term persistence.
- Ease of Concealment: A new service account key, or a new delegation rule on the Workspace API authorization page, is easily hidden among legitimate entries, which makes detection hard.
- Lack of Awareness: IT and security departments are often unfamiliar with the domain-wide delegation feature and with how it can be abused.
- Difficulty in Detection: API calls made through a delegation are logged with the impersonated victim’s details rather than the service account’s, so malicious activity looks like the victim’s own.
Potential Consequences
“The potential consequences of malicious actors misusing domain-wide delegation are severe,” warns Yonatan Khanashvili of Hunters’ Team Axon. The impact extends beyond a single identity, potentially affecting every identity within the Workspace domain.
What an attacker can do with a hijacked delegation depends on its OAuth scopes: reading mail from Gmail, exfiltrating files from Google Drive, or monitoring meetings in Google Calendar, for example.
Mitigation and Detection
To mitigate the risk associated with DeleFriend, Hunters recommends adhering to best practices, managing GCP permissions and resources carefully (in particular, who can create service account keys and which service accounts hold delegations), and maintaining a robust security posture across GCP resources. Reach out to us at PivIT Strategy to learn about implementing these safeguards. Hunters has also released a proof-of-concept tool to help organizations detect DWD misconfigurations, raise awareness, and reduce the exploitation risk associated with DeleFriend.
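One detection that follows directly from the risk factors above is to watch for new user-managed keys on service accounts that already hold a delegation. The following added example (not Hunters’ tool and not Google’s code) scans constructed GCP Cloud Audit Log lines for google.iam.admin.v1.CreateServiceAccountKey calls and matches the target against an inventory of delegated service accounts. The inventory map is assumed to have been exported from the Workspace admin console’s domain-wide delegation page; the resourceName format (projects/-/serviceAccounts/<email>) is an assumption for the sample, since real entries may carry the service account’s numeric unique ID instead. The log lines are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal view of a GCP Cloud Audit Log entry for an IAM admin call.
type AuditEntry struct {
	Timestamp    string `json:"timestamp"`
	ProtoPayload struct {
		MethodName         string `json:"methodName"`
		ResourceName       string `json:"resourceName"`
		AuthenticationInfo struct {
			PrincipalEmail string `json:"principalEmail"`
		} `json:"authenticationInfo"`
	} `json:"protoPayload"`
}

// Finding records a user-managed key minted for a service account that
// already holds a domain-wide delegation grant.
type Finding struct {
	Time, Principal, ServiceAccount string
	Scopes                          []string
}

const keyCreate = "google.iam.admin.v1.CreateServiceAccountKey"

// FindDWDKeyCreations scans JSON audit lines and returns one Finding per
// CreateServiceAccountKey call whose target is present in dwd (service
// account email -> delegated scopes). Every such key is a fresh credential
// for the delegation, whoever created it, so each one deserves review.
func FindDWDKeyCreations(lines []string, dwd map[string][]string) ([]Finding, error) {
	var out []Finding
	for i, line := range lines {
		var e AuditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if e.ProtoPayload.MethodName != keyCreate {
			continue
		}
		// Assumption: resourceName ends in the service account email. If your
		// logs carry the numeric unique ID, resolve it to the email first.
		rn := e.ProtoPayload.ResourceName
		sa := rn[strings.LastIndex(rn, "/")+1:]
		scopes, delegated := dwd[sa]
		if !delegated {
			continue
		}
		out = append(out, Finding{e.Timestamp, e.ProtoPayload.AuthenticationInfo.PrincipalEmail, sa, scopes})
	}
	return out, nil
}

// Constructed inputs: an inventory of delegated service accounts and three
// audit lines. Not real tenant data.
var SampleDWD = map[string][]string{
	"gmail-sync@example-project.iam.gserviceaccount.com": {"https://www.googleapis.com/auth/gmail.readonly"},
}

var SampleLines = []string{
	`{"timestamp":"2023-11-01T10:00:00Z","protoPayload":{"methodName":"google.iam.admin.v1.CreateServiceAccountKey","resourceName":"projects/-/serviceAccounts/gmail-sync@example-project.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"dev@example.com"}}}`,
	`{"timestamp":"2023-11-01T10:05:00Z","protoPayload":{"methodName":"google.iam.admin.v1.CreateServiceAccountKey","resourceName":"projects/-/serviceAccounts/build@example-project.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"dev@example.com"}}}`,
	`{"timestamp":"2023-11-01T10:07:00Z","protoPayload":{"methodName":"google.iam.admin.v1.GetServiceAccount","resourceName":"projects/-/serviceAccounts/gmail-sync@example-project.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"dev@example.com"}}}`,
}

func main() {
	findings, err := FindDWDKeyCreations(SampleLines, SampleDWD)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s created a key for delegated SA %s (scopes: %s)\n",
			f.Time, f.Principal, f.ServiceAccount, strings.Join(f.Scopes, " "))
	}
}
```

Only the first sample line produces a finding: the second creates a key on a service account with no delegation, and the third is not a key-creation call. In a real deployment the same join can be run continuously against an audit log sink, with the delegation inventory refreshed whenever the Workspace admin page changes.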
Hunters’ Responsible Disclosure and Collaboration with Google
Hunters responsibly disclosed DeleFriend to Google as part of Google’s “Bug Hunters” program in August. The cybersecurity firm is collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. As of the publication date, Google has yet to resolve the identified design flaw.
Conclusion
The discovery of DeleFriend highlights the importance of robust security measures and vigilant threat hunting practices, particularly in cloud-based collaboration platforms like Google Workspace. Organizations are urged to review the full research provided by Hunters’ Team Axon and to reach out to experts like us at PivIT Strategy to stay protected.