Design flaw leaves Google Workspace vulnerable for takeover

2023-11-28 15:23

A design flaw in Google Workspace's domain-wide delegation feature, discovered by Hunters' Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

Such exploitation could result in the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all the identities in the target domain.

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform identity objects and Google Workspace applications.

In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, dubbed "DeleFriend," allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, essential for creating new delegations.

Currently, Google has yet to resolve the design flaw.

News URL

https://www.helpnetsecurity.com/2023/11/28/design-flaw-google-workspace-vulnerable-takeover/

#google #takeover #workspace

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Google		141	994	4850	2758	1620	10222

News URL

Related news

Related vendor