Design Issue in Domain-Wide Delegation Could Make Google Workspace Vulnerable to Takeover

DeleFriend Vulnerability in Google Workspace

Threat-hunting professionals at Hunters’ Team Axon have found a severe design issue in Google Workspace’s domain-wide delegation feature. The weakness could let attackers abuse existing delegations, escalating privileges and gaining unauthorized access to Workspace APIs without Super Admin rights.

On November 28, 2023, in Tel Aviv, Israel, and Boston, Massachusetts, threat-hunting professionals at Hunters’ Team Axon reported a serious design flaw in Google Workspace’s domain-wide delegation capability.

The flaw could let attackers abuse existing delegations, allowing privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

Attacks of this type could compromise every identity in the target domain, giving unauthorized access to their Gmail correspondence, data in Google Drive, and other actions exposed through Google Workspace APIs. Hunters disclosed the issue responsibly and worked closely with Google before publishing its findings.

Domain-wide delegation makes full access delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications possible.

In other words, it lets GCP identities act on behalf of other Workspace users in Google SaaS applications such as Drive, Calendar, and Gmail. According to the design flaw the Hunters team has dubbed “DeleFriend,” attackers can alter existing delegations on Google Cloud Platform and Google Workspace even without the high-privilege Super Admin role on Workspace, which is required to create new delegations.

Upon being contacted for comment, Google disputed the claim that the issue is a design defect. “There is no underlying security issue in our products identified by this report,” the company stated. “We advise users to ensure that all accounts have the fewest privileges feasible as a best practice. Combating these kinds of attacks requires doing this.”

Google describes domain-wide delegation as a “powerful feature” that allows internal and external apps to access user data within a Google Workspace environment inside an organization.

The vulnerability exists because a domain-wide delegation configuration is bound to the service account’s resource identifier (its OAuth client ID) rather than to the specific private keys associated with the service account identity object.

Therefore, threat actors with less-privileged access to a target GCP project could create numerous JSON Web Tokens (JWTs) carrying different OAuth scopes in order to “identify successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.”

Any IAM identity that can create new private keys for a GCP service account holding domain-wide delegation permission can therefore mint keys and use them to call Google Workspace APIs on behalf of other identities in the domain.

Exploiting the vulnerability could allow exfiltration of sensitive data from Google services such as Gmail, Drive, and Calendar. The proof-of-concept (PoC) that Hunters has released can also be used to find domain-wide delegation (DWD) misconfigurations.

Given these consequences, the issue presents a distinct danger that is compounded by the following factors:

Difficult to Identify:

Because delegated API requests are made on behalf of the target identity, the associated GWS audit logs record the victim’s information rather than the attacker’s. This makes such actions very hard to spot.

Simple to Conceal:

Small changes such as adding delegation rules on the API permissions page or creating new service account keys for existing IAM identities are easy to hide, because these pages typically contain many legitimate entries that would each have to be reviewed.

Extended Life:

By default, GCP service account keys are created without an expiration date, which makes them ideal for building long-lived backdoors.
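The mechanism described above (delegation keyed on the service account’s client ID, so any new private key for that account inherits the grant) and the three factors just listed suggest what a defender should watch: key creation on delegated service accounts, and user-managed keys with no expiry. The following is an added example, not code from the article, from Hunters, or from Google. It joins a constructed GCP service-account inventory, a constructed Cloud Audit Log extract, a hand-transcribed list of delegated client IDs (assumed to be copied from the Admin console’s domain-wide delegation page), and constructed key records; the account names, principals and IDs are all made up.

```python
"""Added example (not the article's or Hunters' code): triage helpers for the
DeleFriend risk factors, run over constructed inline data."""
from collections import namedtuple

# Constructed inventory of a project's service accounts, in the shape of
# `gcloud iam service-accounts list --format=json` (names and IDs are made up).
# The numeric uniqueId is the OAuth client ID an admin enters on the Workspace
# domain-wide delegation page, so it is the join key between the two systems.
SERVICE_ACCOUNTS = [
    {"email": "mail-sync@example-proj.iam.gserviceaccount.com",
     "uniqueId": "101010101010101010101"},
    {"email": "ci-builder@example-proj.iam.gserviceaccount.com",
     "uniqueId": "202020202020202020202"},
]

# Constructed transcription (assumed to be copied by hand from the Admin
# console's domain-wide delegation page): client ID -> authorized scopes.
DELEGATED_CLIENTS = {
    "101010101010101010101": [
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/drive.readonly",
    ],
}

# Constructed GCP Admin Activity audit-log entries, reduced to the fields the
# detection reads. resourceName may carry either the uniqueId or the e-mail.
AUDIT_LOG = [
    {"timestamp": "2023-11-20T09:10:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.GetServiceAccount",
                      "resourceName": "projects/-/serviceAccounts/101010101010101010101",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}}},
    {"timestamp": "2023-11-20T09:12:44Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/101010101010101010101",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}}},
    {"timestamp": "2023-11-21T10:00:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/ci-builder@example-proj.iam.gserviceaccount.com",
                      "authenticationInfo": {"principalEmail": "ci-admin@example.com"}}},
]

# Constructed key records in the shape of
# `gcloud iam service-accounts keys list --format=json`. GCP reports a key
# created without an expiry as valid until 9999-12-31.
KEY_PREFIX = "projects/example-proj/serviceAccounts/mail-sync@example-proj.iam.gserviceaccount.com/keys/"
KEYS = [
    {"name": KEY_PREFIX + "aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-11-20T09:12:44Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "bbbb2222", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "2023-11-15T00:00:00Z"},
    {"name": KEY_PREFIX + "cccc3333", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-10-01T00:00:00Z", "validBeforeTime": "2024-04-01T00:00:00Z"},
]

Finding = namedtuple("Finding", "timestamp principal service_account scopes")


def _resolve(resource_name, accounts):
    """Map an audit-log resourceName to (uniqueId, email), whichever form it uses."""
    tail = resource_name.rsplit("/", 1)[-1]
    for sa in accounts:
        if tail in (sa["uniqueId"], sa["email"]):
            return sa["uniqueId"], sa["email"]
    return tail, tail  # unknown account: keep the raw value so it still surfaces


def key_creations_on_delegated_accounts(audit_log, delegated_clients, accounts=SERVICE_ACCOUNTS):
    """Flag every new private key minted for a service account whose client ID
    holds domain-wide delegation, the step a DeleFriend-style abuse relies on."""
    findings = []
    for entry in audit_log:
        payload = entry["protoPayload"]
        if payload["methodName"] != "google.iam.admin.v1.CreateServiceAccountKey":
            continue
        sa_id, email = _resolve(payload["resourceName"], accounts)
        if sa_id not in delegated_clients:
            continue  # key on a non-delegated account: routine, not flagged here
        findings.append(Finding(entry["timestamp"],
                                payload["authenticationInfo"]["principalEmail"],
                                email, tuple(delegated_clients[sa_id])))
    return findings


def non_expiring_user_keys(keys):
    """User-managed keys with no expiry: the 'extended life' factor."""
    return [k["name"] for k in keys
            if k["keyType"] == "USER_MANAGED" and k["validBeforeTime"].startswith("9999-")]


if __name__ == "__main__":
    for f in key_creations_on_delegated_accounts(AUDIT_LOG, DELEGATED_CLIENTS):
        print(f"{f.timestamp} {f.principal} created a key for delegated SA "
              f"{f.service_account} (scopes: {', '.join(f.scopes)})")
    for name in non_expiring_user_keys(KEYS):
        print(f"non-expiring user-managed key: {name}")
```

The join on the client ID is the point: because the Workspace grant names the account rather than a key, every `CreateServiceAccountKey` event on a delegated account is a new credential that already carries the delegated scopes, and the Workspace audit trail will attribute later calls to the impersonated user, so the GCP-side key event is the place to alert. In a real deployment the three inputs would come from the Admin console export, a Cloud Logging query and `gcloud iam service-accounts keys list` respectively.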

The Update

In research released on November 30, 2023, Palo Alto Networks Unit 42 said it had identified the same issue in Google Workspace’s domain-wide delegation capability and had been in contact with Google about the “security risk” since June 2023.

Security researcher Zohar Zigdon stated, “A GCP identity with the required permission can generate an access token to a delegated user.” “This access token can be used to impersonate Google Workspace users and grant unauthorized access to their data or to perform operations on their behalf by a malicious insider or an external attacker with stolen credentials.”

Follow the recommendations in Hunters’ official post to safeguard against domain-wide delegation attack methods.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.