Recent vulnerability findings have unveiled a significant design flaw within Google Workspace’s domain-wide delegation (DWD) feature. Cybersecurity researchers have reported that this flaw could enable malicious actors to escalate privileges and gain unauthorized access to Google Workspace APIs, bypassing super admin requirements. The analysis highlights the seriousness of this vulnerability, which poses risks such as the potential exfiltration of emails from Gmail or sensitive data from other Google services.
According to cybersecurity firm Hunters, the flaw—nicknamed DeleFriend—manipulates existing delegations in both the Google Cloud Platform (GCP) and Google Workspace, allowing individuals without super admin privileges to exploit this backdoor. This is troubling, as it facilitates unauthorized actions across all accounts within a targeted domain, increasing the broad impact of a single breach.
In response to the findings, Google has rebuffed the characterization of the issue as a design flaw. The company maintains that the report does not point to a fundamental security weakness in its products and advises users to apply the principle of least privilege to mitigate potential risks effectively. It emphasizes that ensuring minimal access rights is crucial in defending against such vulnerabilities.
Google describes domain-wide delegation as a “powerful feature” that allows various internal and third-party applications to access user data across an organization’s Google Workspace environment. However, this power necessitates stringent checks and balances, given the potential misuses highlighted by security researchers.
The fundamental issue lies in how domain delegation is configured. It is bound to the service account’s resource identifier (its OAuth client ID) rather than to the specific private keys associated with that identity. Consequently, users with limited access could generate multiple JSON web tokens (JWTs) with different OAuth scopes and discover which combinations succeed against the delegations that are enabled.
This exploitation opens a pathway for attackers to create new private keys tied to GCP service accounts equipped with existing delegation permissions. Such access could potentially allow them to conduct API calls to Google Workspace on behalf of any identity within the affected domain, merging several unauthorized actions under a single breach event.
The ramifications of this vulnerability extend to critical data stored across Google’s services, including Gmail, Google Drive, and Calendar. As Hunters’ research underscores, an exploited DWD can affect every identity within the domain rather than targeting individual accounts, amplifying the overall risk.
In light of these findings, it is clear that organizations utilizing Google Workspace should conduct thorough audits of their domain-wide delegation configurations and enforce stringent access controls. Palo Alto Networks Unit 42 has confirmed similar vulnerabilities in their own analysis and has been in discussions with Google regarding these risks since June 2023, emphasizing the potential for unauthorized access through compromised credentials.
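As an added illustration, not code from the article or from Hunters, the Python below sketches the defender-side audit recommended above: it joins the domain-wide delegation list to GCP service accounts by OAuth client ID (the binding the flaw exploits) and flags any newly created private key on an account that already holds a delegation. All inventory and log data is constructed inline, and the field names are simplified assumptions rather than the exact Admin console, IAM API or Cloud Logging export formats.

```python
import json

# Constructed sample: Admin console domain-wide delegation entries, keyed by the
# service account's OAuth client ID (the identifier DWD binds to, not a private key).
DWD_ENTRIES = [
    {"client_id": "111111111111111111111", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"client_id": "222222222222222222222", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
# Constructed sample: GCP service accounts; uniqueId is that same OAuth client ID.
SERVICE_ACCOUNTS = [
    {"email": "mail-sync@example-proj.iam.gserviceaccount.com", "uniqueId": "111111111111111111111"},
    {"email": "cal-bot@example-proj.iam.gserviceaccount.com", "uniqueId": "222222222222222222222"},
    {"email": "ci-runner@example-proj.iam.gserviceaccount.com", "uniqueId": "333333333333333333333"},
]
# Scopes that expose mailbox or file contents; a delegation carrying one is high impact.
SENSITIVE_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly", "https://mail.google.com/",
                    "https://www.googleapis.com/auth/drive"}
# Constructed sample Cloud Audit Log records (shape simplified): who created a key on which account.
AUDIT_LOG_LINES = [
    json.dumps({"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                "authenticationInfo": {"principalEmail": "dev@example.com"},
                "resourceName": "projects/example-proj/serviceAccounts/111111111111111111111"}}),
    json.dumps({"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                "authenticationInfo": {"principalEmail": "dev@example.com"},
                "resourceName": "projects/example-proj/serviceAccounts/333333333333333333333"}}),
    json.dumps({"protoPayload": {"methodName": "SetIamPolicy",
                "authenticationInfo": {"principalEmail": "admin@example.com"},
                "resourceName": "projects/example-proj"}}),
]

def delegated_accounts(dwd_entries, service_accounts):
    """Map each DWD client ID to the service account email and the scopes it delegates."""
    by_id = {sa["uniqueId"]: sa["email"] for sa in service_accounts}
    return {e["client_id"]: {"email": by_id.get(e["client_id"], "<unknown>"),
                             "scopes": e["scopes"]} for e in dwd_entries}

def key_creation_alerts(log_lines, delegated):
    """Flag new private keys minted on service accounts that already hold a delegation."""
    alerts = []
    for line in log_lines:
        payload = json.loads(line)["protoPayload"]
        if payload.get("methodName") != "google.iam.admin.v1.CreateServiceAccountKey":
            continue
        sa_id = payload["resourceName"].rsplit("/", 1)[-1]
        if sa_id not in delegated:
            continue  # key on a non-delegated account: no Workspace-wide impersonation path
        scopes = set(delegated[sa_id]["scopes"])
        alerts.append({"principal": payload["authenticationInfo"]["principalEmail"],
                       "service_account": delegated[sa_id]["email"],
                       "severity": "high" if scopes & SENSITIVE_SCOPES else "medium"})
    return alerts
```

Only the key created on the Gmail-delegated account is flagged; the key on the non-delegated CI account and the unrelated policy change are ignored.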