A design flaw in Google Workspace’s domain-wide delegation feature has been discovered by threat hunting experts from Hunters’ Team Axon. This flaw can be exploited by attackers to misuse existing delegations and gain unauthorized access to Workspace APIs without Super Admin privileges. The potential consequences of such exploitation include theft of emails from Gmail, data exfiltration from Google Drive, and other unauthorized actions within Google Workspace APIs. Hunters has responsibly disclosed this flaw to Google and worked closely with them before publishing their research.
Domain-wide delegation allows for comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. It enables GCP identities to perform tasks on Google SaaS applications on behalf of other Workspace users.
The design flaw, dubbed “DeleFriend” by Hunters, allows attackers to manipulate existing delegations without needing Super Admin privileges. By creating numerous JSON Web Tokens (JWTs) with different OAuth scopes, attackers can identify which combinations of private key and OAuth scope are accepted; a successful combination indicates that the service account has domain-wide delegation enabled for that scope. The flaw lies in the fact that the domain-wide delegation configuration is bound to the service account’s resource identifier, not to the specific private keys associated with the service account identity object, so any key that belongs to the account inherits the delegation.
The lack of restrictions on trying JWT combinations at the API level makes it easy for attackers to enumerate many options and take over existing delegations. This flaw is particularly risky because a single delegation can affect every identity within the Workspace domain.
The consequences of exploiting domain-wide delegation vary with the OAuth scopes of the delegation. Attackers can potentially steal emails from Gmail, exfiltrate data from Google Drive, or monitor meetings in Google Calendar.
To execute this attack, a specific GCP permission is needed on the target service accounts. Organizations that do not maintain a strong security posture across their GCP resources may therefore be vulnerable. By following best practices and managing permissions and resources carefully, organizations can minimize the impact of this attack technique.
Hunters has developed a proof-of-concept tool to assist organizations in detecting misconfigurations related to domain-wide delegation. This tool allows red teams, pen testers, and security researchers to simulate attacks and identify vulnerable attack paths in their GCP projects. By using this tool, organizations can evaluate and improve the security posture of their Workspace and GCP environments.
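The practical defender’s question raised by the paragraphs above is: which service accounts hold a domain-wide delegation grant, and who can mint a new key for them? Because the delegation is bound to the service account identifier rather than to a particular key, a principal who can create keys on a delegated account can inherit every delegated scope. The following script is an added example, not Hunters’ tool and not the research itself. It correlates a constructed GCP service-account inventory with a constructed list of Workspace delegation grants and reports attack paths and stale grants. The permission name `iam.serviceAccountKeys.create` and the scope URLs are this example’s assumptions; the page names neither.

```python
"""Correlate a GCP service-account inventory with Workspace domain-wide
delegation (DWD) grants to find delegations that a key-creating principal
could inherit.  Added example; all inventory data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed permission name (the page only says "a specific GCP permission").
KEY_CREATE_PERMISSION = "iam.serviceAccountKeys.create"

# Scopes matching the impacts the article lists: Gmail, Drive, Calendar.
# Assumed scope URLs; adjust to your own inventory.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",
}


@dataclass
class ServiceAccount:
    email: str
    unique_id: str                      # numeric client ID the DWD grant is keyed on
    user_managed_keys: int = 0          # count of long-lived downloadable keys
    # principals holding KEY_CREATE_PERMISSION on this account (from an IAM policy dump)
    key_creators: list[str] = field(default_factory=list)


@dataclass
class DwdGrant:
    client_id: str                      # should match ServiceAccount.unique_id
    scopes: set[str]


def assess(accounts: list[ServiceAccount], grants: list[DwdGrant]) -> list[dict]:
    """Return findings, one per risky condition, in grant order."""
    findings: list[dict] = []
    by_id = {sa.unique_id: sa for sa in accounts}
    for grant in grants:
        sa = by_id.get(grant.client_id)
        sensitive = sorted(grant.scopes & SENSITIVE_SCOPES)
        if sa is None:
            # Grant points at a client ID with no live service account:
            # stale delegation that should be removed from the Workspace admin console.
            findings.append({"kind": "orphaned_delegation", "client_id": grant.client_id,
                             "sensitive_scopes": sensitive, "severity": "medium"})
            continue
        if sa.key_creators:
            # Anyone who can create a key inherits the whole delegation.
            findings.append({"kind": "delegation_hijackable", "account": sa.email,
                             "permission": KEY_CREATE_PERMISSION,
                             "principals": sorted(sa.key_creators),
                             "sensitive_scopes": sensitive,
                             "severity": "high" if sensitive else "medium"})
        if sa.user_managed_keys > 1:
            # Several downloadable keys widen the set of credentials to track and rotate.
            findings.append({"kind": "multiple_user_keys", "account": sa.email,
                             "keys": sa.user_managed_keys, "severity": "low"})
    return findings


def constructed_inventory() -> tuple[list[ServiceAccount], list[DwdGrant]]:
    """Constructed sample data; not taken from any real environment."""
    accounts = [
        ServiceAccount("backup-sa@example.iam.gserviceaccount.com", "101",
                       user_managed_keys=2, key_creators=["user:dev@example.com"]),
        ServiceAccount("cicd-sa@example.iam.gserviceaccount.com", "102"),
        ServiceAccount("logs-sa@example.iam.gserviceaccount.com", "103"),
    ]
    grants = [
        DwdGrant("101", {"https://www.googleapis.com/auth/drive",
                         "https://www.googleapis.com/auth/gmail.readonly"}),
        DwdGrant("102", {"https://www.googleapis.com/auth/calendar.readonly"}),
        DwdGrant("999", {"https://mail.google.com/"}),   # no matching service account
    ]
    return accounts, grants


if __name__ == "__main__":
    for f in assess(*constructed_inventory()):
        print(f["severity"].upper(), f)
```

In a real audit the `accounts` list would come from the IAM API (service accounts, their keys and the IAM policy bindings on each) and the `grants` list from the Workspace admin console’s domain-wide delegation page; the correlation logic stays the same. The high-severity finding is the one the article describes: a delegated account plus any non-admin principal able to create keys on it.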
Hunters’ Team Axon has compiled comprehensive research that provides an in-depth understanding of the vulnerability, detection techniques, and best practices for countering domain-wide delegation attacks. They have responsibly reported this flaw to Google and are collaborating with Google’s security and product teams to explore mitigation strategies.
In conclusion, the design flaw in Google Workspace’s domain-wide delegation feature discovered by Hunters’ Team Axon poses a significant risk of unauthorized access and privilege escalation. Organizations should take steps to detect misconfigurations and follow best practices to minimize the impact of this flaw.
Key Points:
1. A design flaw in Google Workspace’s domain-wide delegation feature allows for unauthorized access to Workspace APIs without Super Admin privileges.
2. Attackers can manipulate existing delegations and potentially steal emails, exfiltrate data, or perform unauthorized actions within Google Workspace APIs.
3. The flaw lies in the domain-wide delegation configuration, which is bound to the service account resource identifier rather than to its individual private keys.
4. Organizations can minimize the impact of this flaw by following best practices and managing permissions and resources carefully.
5. Hunters has developed a proof-of-concept tool to assist in detecting misconfigurations and has provided comprehensive research on detection techniques and best practices for countering domain-wide delegation attacks.