iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Threat researchers have uncovered a design flaw in Google’s domain-wide delegation feature.
Researchers at security company Hunters have discovered a flaw in Google Workplaces that could lead to unauthorised privilege escalation, giving a potential threat actor access to emails and other data on a Google Drive.
The flaw exists in Workspace’s domain-wide delegation, which is what allows the Google Cloud Platform to interact with and create tasks in Gmail and Google Drive and the rest of Google’s SaaS applications in the name of other users in the Workspace.
While normally, a user would need a Super Admin role to create new delegations, the flaw lets a user create JSON web tokens made of different OAuth scopes. Using this flaw, an unauthorised user can look for private key pairs and authorised OAuth scope combinations that have enabled domain-wide delegation on that account.
“The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID),” Hunters said in a blog post, “and not the specific private keys associated with the service account identity object”.
Depending on the OAuth scopes of a particular delegation, an unauthorised user could then steal emails from Gmail, exfiltrate data from Google Drive, or even snoop on meetings through Google Calendar.
What makes the flaw worse is that GCP Service account keys are created without an expiry date by default, which could lead to a threat actor creating a long-lasting backdoor. The access is also easy to hide since the creation of any new account keys or delegation rules is easy to miss among the many legitimate authorisation entries, while some IT teams may not even be aware that domain-wide delegation is even a thing to be aware of.
Finally, since any activity is on behalf of another user, unauthorised activity is harder to detect via audit logs.
“The potential consequences of malicious actors misusing domain-wide delegation are severe,” said Hunters’ Yonatan Khanashvili in a statement.
“Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.”
The flaw – which Hunters has dubbed DeleFriend – was reported to Google as part of its bug bounty program, and Hunters has been working with Google’s security team to create a solution to the issue.
There is currently no fix in place.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
