Design flaw leaves Google Workspace vulnerable for takeover
2023-11-28 15:23

A design flaw in Google Workspace's domain-wide delegation feature, discovered by Hunters' Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

Such exploitation could result in the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all the identities in the target domain.

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform identity objects and Google Workspace applications.

In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, dubbed "DeleFriend," allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, essential for creating new delegations.

Currently, Google has yet to resolve the design flaw.


News URL

https://www.helpnetsecurity.com/2023/11/28/design-flaw-google-workspace-vulnerable-takeover/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4924 2874 1623 10415