BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 – A severe design flaw in Google Workspace’s domain-wide delegation feature, discovered by threat hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.
Such an attack could compromise every identity in the target domain and lead to unwanted access to their Gmail messages, exfiltration of data from Google Drive, or other activity through Google Workspace APIs. Hunters responsibly informed Google of the flaw and collaborated extensively with them before publicizing the findings.
Domain-wide delegation allows full access delegation between Google Workspace apps and Google Cloud Platform (GCP) identity objects. In other words, it allows GCP identities to act on behalf of other Workspace users in Google SaaS apps such as Gmail, Google Calendar, Google Drive, and more.
The design vulnerability, which the Hunters team has named “DeleFriend,” enables attackers to modify existing delegations in Google Cloud Platform and Google Workspace even if they do not have the high-privilege Super Admin role on Workspace, which is necessary to create new delegations.
With only less-privileged access to a specific GCP project, an attacker can create multiple JSON web tokens (JWTs) with different OAuth scopes. The goal is to find the combination of service account private key and authorized OAuth scopes that reveals a service account on which domain-wide delegation has been enabled.
This works because the domain delegation configuration (the OAuth client ID) is bound to the service account resource identifier rather than to the private keys attached to the service account identity object: any valid key for that service account can use the existing delegation.
Additionally, the API imposes no rate limiting or other restriction on such JWT combinations, so nothing prevents enumerating the many possible combinations to find and take over existing delegations.
This flaw poses a special risk due to the potential impact described above, and that risk is amplified by the following:
- Long life: Keys created for GCP service accounts have no expiration date by default. This makes them ideal for creating backdoors and guaranteeing their longevity.
- Easy to hide: Subtle changes such as setting up delegation rules on the API authorization page or creating new keys for existing service accounts are simple to hide, because these pages usually contain several legitimate entries that are not reviewed closely enough.
- Awareness: IT and security departments are not always aware of the domain-wide delegation feature, and in particular of its potential for malicious abuse.
- Hard to detect: Because delegated API calls are made on behalf of the target identity, they are logged with the victim’s details in the corresponding GWS audit logs, which makes such activity challenging to identify.
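The “long life” point above is the one a defender can check directly. The following is an added example, not Hunters’ proof-of-concept tool or any Google code: it takes the JSON that `gcloud iam service-accounts keys list --iam-account=<SA> --format=json` prints and flags user-managed keys that never expire or are older than a rotation window. The sample keys are constructed, the service account and project names are placeholders, and it is assumed (as observed in gcloud output) that a key without expiry is reported as valid until the year 9999.

```python
"""Flag long-lived user-managed service account keys (hypothetical helper)."""
import json
from datetime import datetime, timezone, timedelta

# Assumption: GCP reports a key that has no expiry as valid until 9999-12-31.
NO_EXPIRY_YEAR = 9999

# Constructed sample in the shape of `gcloud ... keys list --format=json`.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/demo-proj/serviceAccounts/sa-dwd@demo-proj.iam.gserviceaccount.com/keys/aaa111",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2021-03-02T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-proj/serviceAccounts/sa-dwd@demo-proj.iam.gserviceaccount.com/keys/bbb222",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-11-01T10:00:00Z", "validBeforeTime": "2024-02-01T10:00:00Z"},
  {"name": "projects/demo-proj/serviceAccounts/sa-dwd@demo-proj.iam.gserviceaccount.com/keys/ccc333",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-11-20T10:00:00Z", "validBeforeTime": "2023-12-06T10:00:00Z"}
]"""


def _parse_ts(value):
    """Parse the RFC 3339 UTC timestamps gcloud emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_risky_keys(keys_json, now=None, max_age_days=90):
    """Return [(key_id, [reasons])] for user-managed keys worth rotating or deleting."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in json.loads(keys_json):
        # Google-managed keys cannot be downloaded and are rotated automatically.
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        reasons = []
        if _parse_ts(key["validBeforeTime"]).year >= NO_EXPIRY_YEAR:
            reasons.append("no expiry")
        if now - _parse_ts(key["validAfterTime"]) > timedelta(days=max_age_days):
            reasons.append(f"older than {max_age_days} days")
        if reasons:
            findings.append((key_id, reasons))
    return findings


if __name__ == "__main__":
    for key_id, reasons in find_risky_keys(SAMPLE_KEYS_JSON):
        print(f"{key_id}: {', '.join(reasons)}")
```

Run it against the real listing for every service account that is authorized for domain-wide delegation; a key with no expiry on such an account is exactly the durable foothold the list above describes.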
Malicious actors’ misuse of domain-wide delegation might have serious implications. Hunters’ Team Axon’s Yonatan Khanashvili explains that, unlike with individual OAuth permission, abusing DWD with current delegation might damage any identity inside the Workspace domain.
Various actions can be performed depending on the delegation’s OAuth scopes. Consider the following examples: Google Calendar meeting monitoring, Gmail email theft, and Drive data exfiltration.
The target service accounts require a certain GCP permission for the attack technique to work. Hunters found that many organizations routinely grant such permissions, making this attack technique common among enterprises that fail to secure their GCP resources. As Khanashvili put it, “organizations can dramatically minimize the impact of the attack method” by following best practices and carefully managing rights and resources.
Hunters has created a proof-of-concept tool (full details are included in the full research) to help organizations detect DWD misconfigurations, raise awareness, and reduce the risk of DeleFriend exploitation. With this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths from GCP IAM users to existing delegations in their GCP projects, in order to evaluate (and then improve) the security posture of their Workspace and GCP environments.
Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.
Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.
Read the full research here, and follow Hunters’ Team Axon on Twitter.
About Hunters
Hunters delivers a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. A SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats.
Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.
Contact
Yael Macias
[email protected]