Google Workspace apparently has an obvious flaw that could lead to cyberattacks

Researchers are saying hackers could steal Gmail data

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from Hunters said they discovered a “severe design flaw” in a powerfulGoogleWorkspace feature.

Google, however, downplayed the findings, saying there are no underlying issues and that it’s just a matter of each company protecting itsendpointswith the tools at its disposal.

As reported byThe Hacker News, researchers discovered a flaw in the domain-wide delegation (DWD) feature, which hackers can allegedly exploit to escalate privileges and gain access to Workspace APIs without super admin privileges.

Reader Offer: $50 Amazon gift card with demoPerimeter 81’s Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?)

No underlying issues, says Google

Domain-wide delegation allows third-party apps, as well as internal apps, to access user data in a Google Workspace environment. The researchers said the feature is flawed because domain delegation configuration is determined by the service account resource identifier (OAuth ID), instead of private keys associated with the service account identity object.

“Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain,” the researchers said. The vulnerability was dubbed DeleFriend.

This would allow threat actors with low privileges to “create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.”

Consequently, threat actors could steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to showcase how the flaw can be abused.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The potential consequences of malicious actors misusing domain-wide delegation are severe,” Hunters security researcher Yonatan Khanashvili said. “Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.

But Google is having none of it. “This report does not identify an underlying security issue in our products,” it told the publication. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidancehere). Doing so is key to combating these types of attacks.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics