In August, cybersecurity company Hunters’ Team Axon discovered a vulnerability in Google Workspace and the Google Cloud Platform (GCP) known as “DeleFriend” [2] [7]. This flaw poses a serious risk to the security of Gmail, Google Drive, and other services within the Workspace domain [1] [2] [3] [6] [7] [8] [10] [11].

Description

The vulnerability, named “DeleFriend,” allows threat actors to manipulate existing delegations without needing super admin privileges [6] [11]. It lies in the design of domain-wide delegation configuration: a delegation is determined by the service account's OAuth ID rather than by the private keys associated with the service account identity object [11].

Threat actors with limited access to a target GCP project can exploit this weakness by creating numerous JSON web tokens (JWTs) with different OAuth scopes [11]. By identifying successful combinations of private key pairs and authorized OAuth scopes indicating domain-wide delegation [4] [9] [11], they can execute API calls to Google Workspace on behalf of other identities in the domain [11]. This unauthorized access can potentially lead to the exfiltration of sensitive data.

Hunters, the cybersecurity firm that discovered this design flaw, emphasizes the severe consequences of malicious actors exploiting domain-wide delegation [1] [3] [4] [5] [6] [9] [10] [11]. The firm has released a proof-of-concept (PoC) to showcase the exploit’s potential and highlight the urgency of addressing this critical security loophole in Google Workspace [11].

To address this issue, Hunters has developed a PoC tool to detect misconfigurations and reduce the exploitation risks [6] [9] [10]. They have also provided comprehensive research on the vulnerability and recommendations for threat hunting and best practices [9] [10]. Despite being known to Google [5], the flaw remains unresolved [3]. Therefore, it is crucial for businesses to prioritize data security by implementing strong security measures [5], regularly updating software [5], and conducting vulnerability assessments [5].
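Because the delegation follows the service account's OAuth ID rather than a particular key, any new key created on an already-delegated service account is worth reviewing. The following is an added example for defenders, not the Hunters tool or code from any cited source: it scans exported audit log lines for key creation on delegated service accounts. The log field layout, the `DELEGATED` inventory, and all sample values are constructed assumptions.

```python
import json

# Audit log method name for service account key creation.
KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"

def find_key_creations_on_delegated(log_lines, delegated_ids):
    """Return key-creation events whose service account OAuth ID is delegated."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON export lines
        if not isinstance(entry, dict):
            continue
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE:
            continue
        labels = entry.get("resource", {}).get("labels", {})
        oauth_id = labels.get("unique_id")  # assumed field carrying the OAuth ID
        if oauth_id in delegated_ids:
            findings.append({
                "time": entry.get("timestamp"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "service_account": labels.get("email_id"),
                "oauth_id": oauth_id,
                "scopes": delegated_ids[oauth_id],
            })
    return findings

def _entry(ts, method, oauth_id, sa_email, actor):
    # Builds one constructed log line in the assumed audit log shape.
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {"methodName": method,
                         "authenticationInfo": {"principalEmail": actor}},
        "resource": {"type": "service_account",
                     "labels": {"unique_id": oauth_id, "email_id": sa_email}}})

# Constructed inventory: OAuth IDs listed under domain-wide delegation, with scopes.
DELEGATED = {"100000000000000000001": ["https://www.googleapis.com/auth/gmail.readonly"]}
SA1, SA2 = "mail-sync@example-proj.iam.gserviceaccount.com", "ci@example-proj.iam.gserviceaccount.com"
SAMPLE_LINES = [  # constructed log lines, including one malformed line
    _entry("2023-11-28T10:02:11Z", KEY_CREATE, "100000000000000000001", SA1, "dev@example.com"),
    _entry("2023-11-28T10:05:40Z", KEY_CREATE, "100000000000000000002", SA2, "dev@example.com"),
    _entry("2023-11-28T10:07:03Z", "google.iam.admin.v1.GetServiceAccount",
           "100000000000000000001", SA1, "ops@example.com"),
    '{"timestamp": "2023-11-28T10:09',
]

if __name__ == "__main__":
    for f in find_key_creations_on_delegated(SAMPLE_LINES, DELEGATED):
        print(f["time"], f["actor"], "created a key on", f["service_account"], f["scopes"])
```
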

Conclusion

The “DeleFriend” vulnerability in Google Workspace and the Google Cloud Platform poses a significant security risk. Hunters’ discovery of this flaw highlights the urgent need to address this critical security loophole. To mitigate the threat [2], businesses should implement strong security measures, regularly update software [5], and conduct vulnerability assessments [5]. Additionally, Hunters has developed a PoC tool to detect misconfigurations and reduce exploitation risks [6] [9] [10]. It is essential for organizations to take immediate action to protect their data and prevent threat actors from establishing long-term backdoors.

References

[1] https://cyber.vumetric.com/security-news/2023/11/28/design-flaw-leaves-google-workspace-vulnerable-for-takeover/
[2] https://www.scmagazine.com/news/google-cloud-environment-flaw-lets-attackers-access-critical-data-systems
[3] https://www.darkreading.com/cloud-security/vendor-claims-design-flaw-in-google-workspace-is-putting-organizations-at-risk
[4] https://thehackernews.com/2023/11/design-flaw-in-google-workspace-could.html
[5] https://isp.page/news/design-flaw-in-google-workspace-could-let-attackers-gain-unauthorized-access-2/
[6] https://www.nextbigfuture.com/2023/11/design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover-says-cybersecurity-company-hunters.html
[7] https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover
[8] https://www.hackread.com/design-flaw-domain-delegation-google-vulnerability/
[9] https://techstartups.com/2023/11/28/design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover-says-cybersecurity-company-hunters/
[10] https://cybersecuritynews.com/design-flaw-in-domain-wide-delegation/
[11] https://sensorstechforum.com/delefriend-google-workspace-design-flaw/