Google Workspace apparently has an obvious flaw that could lead to cyberattacks

Google Workspace
(Image credit: Google)

Cybersecurity researchers from Hunters said they discovered a “severe design flaw” in a powerful Google Workspace feature.

Google, however, downplayed the findings, saying there are no underlying issues and that it’s just a matter of each company protecting its endpoints with the tools at its disposal.

As reported by The Hacker News, researchers discovered a flaw in the domain-wide delegation (DWD) feature, which hackers can allegedly exploit to escalate privileges and gain access to Workspace APIs without super admin privileges. 


Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

No underlying issues, says Google

Domain-wide delegation allows third-party apps, as well as internal apps, to access user data in a Google Workspace environment. The researchers said the feature is flawed because domain delegation configuration is determined by the service account resource identifier (OAuth ID), instead of private keys associated with the service account identity object.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," the researchers said. The vulnerability was dubbed DeleFriend. 

This would allow threat actors with low privileges to "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."

Consequently, threat actors could steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to showcase how the flaw can be abused. 

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.

But Google is having none of it. “This report does not identify an underlying security issue in our products,” it told the publication. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.” 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.