Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Google Workspace apparently has an obvious flaw that could lead to cyberattacks

Google Workspace.

Cybersecurity researchers from Hunters said they discovered a “severe design flaw” in a powerful Google Workspace feature.

Google, however, downplayed the findings, saying there are no underlying issues and that it’s just a matter of each company protecting its endpoints with the tools at its disposal.

As reported by The Hacker News, researchers discovered a flaw in the domain-wide delegation (DWD) feature, which hackers can allegedly exploit to escalate privileges and gain access to Workspace APIs without super admin privileges. 


No underlying issues, says Google

Domain-wide delegation allows third-party apps, as well as internal apps, to access user data in a Google Workspace environment. The researchers said the feature is flawed because domain delegation configuration is determined by the service account resource identifier (OAuth ID), instead of private keys associated with the service account identity object.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," the researchers said. The vulnerability was dubbed DeleFriend. 

This would allow threat actors with low privileges to "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."

Consequently, threat actors could steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to showcase how the flaw can be abused. 

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.

But Google is having none of it. “This report does not identify an underlying security issue in our products,” it told the publication. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.” 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.