Security researchers at Hunters (Team Axon) recently disclosed a design flaw in Google Workspace that lets an attacker obtain unauthorized access to Workspace APIs on behalf of any user in the domain. It is particularly concerning because it amounts to privilege escalation: capabilities normally reserved for Super Admin users become reachable from a far less privileged position. The researchers named the flaw “DeleFriend.”
The flaw sits in domain-wide delegation (DWD), the Workspace feature that lets a GCP service account act as any user in the Workspace domain when calling Workspace APIs. Creating a new delegation requires Super Admin, but an existing delegation is bound to the service account’s OAuth client ID, not to any particular private key. An attacker with enough access to a GCP project to create service account keys can therefore mint fresh keys for existing service accounts and then enumerate combinations of keys and OAuth scopes, signing a JWT for each and attempting a token exchange, until a request succeeds and reveals a live delegation together with the scopes it grants. Because GCP service account keys have no expiry date by default, a key created this way keeps working indefinitely, which makes the problem both long-lived and hard to detect.
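To make the mechanism concrete, here is an added Python example. It is not Hunters’ DeleFriend tool and not Google code: it builds the JWT claims set that a DWD token exchange carries and enumerates key/scope pairs against a constructed stand-in for Google’s token endpoint. The stand-in replaces RS256 signing with the service account’s private key and the HTTPS POST to https://oauth2.googleapis.com/token; the service account e-mail, key IDs, OAuth client ID, impersonated user and scope set are made-up sample values.

```python
import base64
import json
import time
from itertools import product

# Added example, not Hunters' DeleFriend tool and not Google code. It builds the
# JWT claims set that a domain-wide-delegation (DWD) token exchange carries and
# enumerates (key, scope) pairs against a constructed stand-in for the token
# endpoint. The stand-in replaces RS256 signing with the service-account private
# key and the HTTPS POST to TOKEN_URL; the claim layout mirrors the real flow.

TOKEN_URL = "https://oauth2.googleapis.com/token"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_dwd_assertion(client_email, key_id, subject, scopes, now=None):
    """Header.payload of the JWT an attacker would sign with a freshly minted key.
    `iss` is the service account, `sub` the Workspace user to impersonate and
    `scope` the OAuth scopes requested on that user's behalf. The signature
    segment is omitted because the stand-in endpoint does not verify one."""
    now = int(now if now is not None else time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    payload = {
        "iss": client_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + 3600,
    }
    parts = (json.dumps(header, separators=(",", ":")),
             json.dumps(payload, separators=(",", ":")))
    return ".".join(b64url_encode(p.encode()) for p in parts)


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint. Delegations are stored per
    OAuth client ID (the service account), never per key, which is why a key
    created today works against a delegation authorized long ago."""

    def __init__(self, key_to_client, delegations):
        self.key_to_client = key_to_client  # key_id -> OAuth client ID
        self.delegations = delegations      # OAuth client ID -> set of scopes

    def exchange(self, assertion):
        header_b64, payload_b64 = assertion.split(".")[:2]
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        client_id = self.key_to_client.get(header["kid"])
        if client_id is None or payload["aud"] != TOKEN_URL:
            return False
        requested = set(payload["scope"].split())
        return requested.issubset(self.delegations.get(client_id, set()))


def enumerate_delegations(endpoint, client_email, key_ids, subject, candidate_scopes):
    """Try every (key, scope) pair; a successful exchange means a DWD grant
    covering that scope exists for the service account behind the key."""
    hits = []
    for key_id, scope in product(key_ids, candidate_scopes):
        assertion = build_dwd_assertion(client_email, key_id, subject, [scope])
        if endpoint.exchange(assertion):
            hits.append((key_id, scope))
    return hits


if __name__ == "__main__":
    # Sample values: one service account, an old key and a newly minted key.
    gmail = "https://www.googleapis.com/auth/gmail.readonly"
    admin = "https://www.googleapis.com/auth/admin.directory.user"
    endpoint = FakeTokenEndpoint({"old-key": "1000", "new-key": "1000"},
                                 {"1000": {gmail}})
    print(enumerate_delegations(endpoint, "sync@demo.iam.gserviceaccount.com",
                                ["old-key", "new-key"], "ceo@example.com",
                                [gmail, admin]))
```

The point the stand-in makes explicit is the one that matters for defenders: the newly minted key succeeds for exactly the same scopes as the old one, because the check happens against the client ID. Rotating or deleting one key does nothing if the attacker can create another.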
A delegation with broad scopes lets whoever holds a key read Gmail mailboxes, view Google Calendar schedules and exfiltrate data from Google Drive for any user in the domain. That is what makes the flaw more dangerous than an individual OAuth consent: a consent grant exposes one user’s data, whereas a domain-wide delegation covers every identity in the Workspace domain.
Hunters disclosed this flaw to Google in August 2023, and Google is currently reviewing the issue with their Product team. Google responded by stating that the report did not identify an underlying security issue in their products and encouraged users to minimize privilege levels to protect against such attacks.
To defend against DeleFriend, Hunters recommends limiting the OAuth scopes granted in each delegation, avoiding administrative scopes altogether, and building detections for suspicious new delegations and for repeated private-key creation on the same service account. Google’s advice is to audit domain-wide delegation usage, review how service accounts are configured, and grant service accounts only the least-privilege API scopes they need.
Hunters has released a proof-of-concept tool, also named DeleFriend, that runs the enumeration described above so that defenders can find DWD misconfigurations in their own environments and raise awareness of OAuth delegation attacks.
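As an added example of the detection Hunters and Google describe (not their code), the Python below scans GCP Cloud Audit Log (Admin Activity) entries for service-account key creation and alerts on two conditions: a burst of keys created by one principal for the same service account, and any key minted for a service account the defender has inventoried as DWD-enabled. The method name google.iam.admin.v1.CreateServiceAccountKey is the real audit-log value; the log lines, principals, project and account names are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example; not a Hunters or Google artifact. It scans GCP Cloud
# Audit Log (Admin Activity) entries for service-account key creation, the step
# the DeleFriend technique depends on, and alerts when one principal creates
# several keys for the same service account in a short window or creates any
# key for a service account the defender has inventoried as DWD-enabled.

KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"


def _line(ts, principal, method, resource):
    """Build one constructed log line in the Cloud Audit Log JSON shape."""
    return json.dumps({
        "timestamp": ts,
        "severity": "NOTICE",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Constructed sample: invented project, principals and service accounts.
SA_DWD = "projects/-/serviceAccounts/dwd-sync@demo.iam.gserviceaccount.com"
SA_BUILD = "projects/-/serviceAccounts/build@demo.iam.gserviceaccount.com"
SA_ETL = "projects/-/serviceAccounts/etl@demo.iam.gserviceaccount.com"

SAMPLE_LOG_LINES = [
    _line("2023-11-28T10:00:00Z", "alice@example.com", KEY_CREATE_METHOD, SA_BUILD),
    _line("2023-11-28T10:01:00Z", "contractor@example.com", KEY_CREATE_METHOD, SA_DWD),
    _line("2023-11-28T10:02:00Z", "contractor@example.com", "SetIamPolicy", "projects/demo"),
    _line("2023-11-28T10:03:00Z", "contractor@example.com", KEY_CREATE_METHOD, SA_ETL),
    _line("2023-11-28T10:04:00Z", "contractor@example.com", KEY_CREATE_METHOD, SA_ETL),
    _line("2023-11-28T10:05:00Z", "contractor@example.com", KEY_CREATE_METHOD, SA_ETL),
]


def parse_key_creations(lines):
    """Keep only CreateServiceAccountKey events, extracting who created a key
    for which service account and when. Returns events sorted by time."""
    events = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE_METHOD:
            continue
        resource = payload.get("resourceName", "")
        if "/serviceAccounts/" not in resource:
            continue
        sa = resource.split("/serviceAccounts/", 1)[1].split("/", 1)[0]
        events.append({
            "time": datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
            "service_account": sa,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_key_abuse(events, dwd_accounts, max_keys=2, window=timedelta(minutes=10)):
    """Return alerts for (a) any key created for an inventoried DWD-enabled
    service account and (b) more than `max_keys` keys created by the same
    principal for the same service account within `window` (reported once)."""
    alerts = []
    recent = defaultdict(list)  # (principal, service account) -> times in window
    burst_reported = set()
    for ev in events:
        key = (ev["principal"], ev["service_account"])
        if ev["service_account"] in dwd_accounts:
            alerts.append({"rule": "key_created_for_dwd_account", "principal": ev["principal"],
                           "service_account": ev["service_account"], "time": ev["time"]})
        times = [t for t in recent[key] if ev["time"] - t <= window]
        times.append(ev["time"])
        recent[key] = times
        if len(times) > max_keys and key not in burst_reported:
            burst_reported.add(key)
            alerts.append({"rule": "key_creation_burst", "principal": ev["principal"],
                           "service_account": ev["service_account"], "time": ev["time"],
                           "count": len(times)})
    return alerts


if __name__ == "__main__":
    dwd_inventory = {"dwd-sync@demo.iam.gserviceaccount.com"}
    for alert in detect_key_abuse(parse_key_creations(SAMPLE_LOG_LINES), dwd_inventory):
        print(alert)
```

The DWD inventory is the part that needs maintaining: it should be the list of OAuth client IDs (service accounts) shown under domain-wide delegation in the Workspace Admin console, refreshed whenever a delegation is added or removed, so that key creation for any of them is treated as high-signal regardless of volume.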
Overall, this vulnerability in Google Workspace is significant and poses serious risks, but with the right precautions and measures in place, organizations can mitigate the potential impact.