The Google Workspace DeleFriend Scandal: Unveiling a Severe Security Flaw Shaking the Foundations of User Data Protection

Cybersecurity researchers have uncovered a significant design flaw in Google Workspace's domain-wide delegation (DWD) feature, posing a serious threat to the security of user data and access within the Google Workspace environment. This flaw could potentially be exploited by threat actors to facilitate privilege escalation and gain unauthorized access to Workspace APIs without requiring super admin privileges.

The flaw, termed "DeleFriend," represents a severe vulnerability in the Google Cloud Platform (GCP) and Google Workspace, allowing manipulation of existing delegations without the need for super admin privileges.

Google describes domain-wide delegation as a "powerful feature" that lets third-party and internal apps access users' data across a Google Workspace organization. The identified vulnerability stems from how a domain-wide delegation grant is bound: it is tied to the service account's resource identifier (its OAuth client ID), not to any specific private key belonging to that service account identity.

As a consequence, a threat actor with limited access to a GCP project can probe for this weakness by creating numerous JSON Web Tokens (JWTs) signed with different private keys and requesting different OAuth scopes. A combination that is accepted reveals that the service account has domain-wide delegation enabled for that scope.

The flaw could be leveraged to create a fresh private key, granting the attacker the ability to perform API calls to Google Workspace on behalf of other identities in the domain. This poses a serious risk of unauthorized access, potentially leading to the theft of emails from Gmail, data exfiltration from Google Drive, or other malicious actions within Google Workspace APIs.
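Because the grant is keyed by OAuth client ID, every key of a delegated service account, including one an attacker mints, carries the whole grant; the defensive response is to inventory those grants and keys together. The following audit script is an added example, not the article's or Hunters' code: it joins a constructed GCP key inventory with a constructed Workspace delegation allowlist on the client ID and rates each grant (the JSON shapes, emails, client IDs and key IDs are assumptions, not real API output).

```python
import json

# Constructed sample GCP inventory (hypothetical project, emails, client IDs and key IDs).
SERVICE_ACCOUNTS = json.loads("""[
 {"email": "backup-bot@example-proj.iam.gserviceaccount.com", "oauth2_client_id": "10000000000000000001",
  "keys": [{"id": "k1", "type": "SYSTEM_MANAGED"}, {"id": "k2", "type": "USER_MANAGED"}]},
 {"email": "ci-runner@example-proj.iam.gserviceaccount.com", "oauth2_client_id": "10000000000000000002",
  "keys": [{"id": "k3", "type": "USER_MANAGED"}]},
 {"email": "metrics@example-proj.iam.gserviceaccount.com", "oauth2_client_id": "10000000000000000003",
  "keys": [{"id": "k4", "type": "SYSTEM_MANAGED"}]}
]""")

# Constructed sample of the Workspace domain-wide delegation allowlist. It is keyed by
# OAuth client ID only, which is why every key of that service account inherits the grant.
DWD_ALLOWLIST = json.loads("""[
 {"client_id": "10000000000000000001",
  "scopes": ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/drive"]},
 {"client_id": "10000000000000000003", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
 {"client_id": "10000000000000000009", "scopes": ["https://www.googleapis.com/auth/drive"]}
]""")

# Scopes whose delegation reaches mail or Drive content for every user in the domain.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}

def audit_delegation(service_accounts, allowlist):
    """Join both inventories on OAuth client ID and rate each delegation grant."""
    by_client_id = {sa["oauth2_client_id"]: sa for sa in service_accounts}
    findings = []
    for entry in allowlist:
        sensitive = sorted(set(entry["scopes"]) & SENSITIVE_SCOPES)
        sa = by_client_id.get(entry["client_id"])
        if sa is None:
            # Grant points at a client ID with no live service account: a stale entry to remove.
            findings.append({"client_id": entry["client_id"], "email": None,
                             "sensitive_scopes": sensitive, "user_managed_keys": 0, "risk": "ORPHANED"})
            continue
        # Any user-managed key (or any key an attacker can mint) can exercise the whole grant.
        user_keys = sum(1 for k in sa["keys"] if k["type"] == "USER_MANAGED")
        risk = "HIGH" if sensitive and user_keys else "MEDIUM" if sensitive else "LOW"
        findings.append({"client_id": entry["client_id"], "email": sa["email"],
                         "sensitive_scopes": sensitive, "user_managed_keys": user_keys, "risk": risk})
    return findings

if __name__ == "__main__":
    print(*audit_delegation(SERVICE_ACCOUNTS, DWD_ALLOWLIST), sep="\n")
```

A MEDIUM grant still deserves attention: the article's point is that anyone able to create a key for the account can turn it into a HIGH one without touching the allowlist.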

Hunters, a cybersecurity firm, has provided a technical report on the flaw and has even developed a proof-of-concept (PoC) to detect misconfigurations related to domain-wide delegation. The potential consequences of malicious actors exploiting this vulnerability are severe, affecting not just a single identity but potentially impacting every identity within the Workspace domain.

It is crucial for organizations using Google Workspace to stay informed about such security vulnerabilities and take necessary measures to mitigate the risks associated with domain-wide delegation.

Stay vigilant, stay secure.
