Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk

Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues.

According to Hunters Security, a flaw in Google Workspace's domain-wide delegation feature gives attackers a way to steal email from Gmail, exfiltrate data from Google Drive, and take other unauthorized actions within Google Workspace APIs on all identities in a targeted domain.

Researchers at Hunters this week released proof-of-concept code on GitHub to demonstrate how an attacker could potentially exploit the issue to execute a variety of malicious actions against customers of Google Cloud Platform (GCP) services.

Google, however, rejected Hunters' characterization of the issue as a design flaw. "This report does not identify an underlying security issue in our products," a company spokesman said. "As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks."

"DeleFriend" Threat

Hunters has dubbed the alleged flaw as "DeleFriend" and described it as enabling an attacker to manipulate existing delegations in Google Cloud Platform (GCP) and Google Workspace without needing to be a Super Admin — as is usually required for creating new delegations. The flaw gives attackers a way to search for and identify Google service accounts with domain-wide delegations, and then escalate privileges, Hunters said in its post on its findings.

"The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object," the security vendor noted. Additionally, no restrictions for fuzzing of [JSON Web Token] combinations are implemented at the API level, according to Hunters. This allows attackers to create numerous JSON Web Tokens with different OAuth scopes — or predefined access rules — to try and identify service accounts that have domain-wide delegation enabled, the vendor noted.

Domain wide delegation is a Google Workspace feature that an administrator can use to grant an application or service account access to user data in a domain. The goal is to allow certain apps and service accounts the ability to access a user's data without requiring explicit permission from each user each time. For example, an administrator might delegate such access to an application that uses the Calendar application programming interface to add events to a user's calendar. According to Google, "a service account with delegated authority can impersonate any user, including users with access to Cloud Search."

The issue that Hunters Security discovered basically gives an attacker a way to search for and find GCP service accounts with domain-wide delegation (DWD) enabled on Google Workspace. They can then use the service accounts to take a variety of actions on behalf of each user in the domain. This can include quietly escalating privileges, establishing persistence, gaining unauthorized access to data and services, modifying data, impersonating users, and monitoring meetings in Google Calendar.

"A compromised GCP service account key with DWD enabled can be used to perform API calls on all of the identities in the target Workspace domain," Hunters said. "The range of possible actions varies based on the OAuth scopes of the delegation."

The necessary prerequisites for an attack include the attacker having initial access to a GCP IAM user, with permission to generate private keys for service accounts. This specific permission can be exploited for Domain-Wide delegation abuse, resulting in a complete takeover of the Google Workspace domain, says Yonatan Khanashvili, threat researcher at Hunters’ Team Axon.

Proof-of-Concept Exploit

The PoC exploit — also dubbed DeleFriend — is for the OAuth delegation attack the researchers discovered. It's designed to show how an attacker can fuzz existing JWT combinations to automatically find and abuse DWD-enabled service accounts on Google Cloud Platform.

An attacker could use the PoC code to enumerate all the GCP projects in an environment, identify all service accounts associated with these projects, and identify the accounts to which a currently authenticated user might have access. It also checks the role permissions of those who have access to the service account to see if anyone might have the ability to programmatically generate new private keys for an existing service account with domain wide delegation.

The PoC then shows how an attacker could create a fresh private key to impersonate and access different user accounts.

"DeleFriend’s exploitation method enables the complete control of an entire Workspace domain," Khanashvili says. Executing this exploit manually is not straightforward, as it involves experimenting with various combinations of authorization, he adds. "However, with the POC we have released, this process can be automated, offering a simpler approach."

What makes the vulnerability problematic is that GCP service account keys by default don't have an expiry date — which means any fresh keys that an attacker creates will likely enable long-term persistence. Any new service account keys or setting of a new delegation rule will likely be easy to hide and so will any API calls made using the keys, Hunters said.

"Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects," Hunters Security said. They can then evaluate and tighten the security risk and posture of their Workspace and GCP environments, the company noted.

Hunters Security researchers informed Google about the DeleFriend issue in August and worked with Google's product and security teams to explore ways to potentially mitigate the threat. According to Hunters, Google has not yet resolved the issue.

"We have proposed several ideas to enhance Google's design, with the primary suggestion being to modify the delegation configuration to depend on a specific private key, rather than an entire service account," Khanashvili says. "Alternatively, making this an optional requirement could transfer the risk to the user." Additionally, some straightforward fixes include limiting the number of JWT combination requests using the same key in a short time frame, and revising the overly generous permissions associated with the Editor Role, he says.