Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable for Takeover, Says Cybersecurity Company Hunters
Retrieved on: Thursday, December 21, 2023
Key Points:
- Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications.
- In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.
- The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations.
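Because the flaw described above works by manipulating delegations that already exist, the first defensive step is an inventory of which service accounts hold domain-wide delegation and how broad their scopes are. The following is an added example, not code from Hunters or from Google: it takes a constructed list of delegation grants in the shape shown in the Workspace Admin console (client ID, service account, scopes; all values are made-up placeholders) and ranks them by the most permissive scope, using an example high-risk scope list that is an assumption of this snippet rather than a Google-published classification.

```python
import json

# Constructed sample of domain-wide delegation grants, shaped like the
# client ID / scope pairs shown in the Workspace Admin console
# (Security > API controls > Domain-wide delegation). Every value here is
# a made-up placeholder for this example.
SAMPLE_GRANTS = [
    {
        "client_id": "100000000000000000001",
        "service_account": "reporting@example-project.iam.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/admin.reports.audit.readonly"],
    },
    {
        "client_id": "100000000000000000002",
        "service_account": "legacy-sync@example-project.iam.gserviceaccount.com",
        "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"],
    },
    {
        "client_id": "100000000000000000003",
        "service_account": "calendar-bot@example-project.iam.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
    },
]

# Scopes that let a delegated service account read or change any user's
# mail, files or directory entries. This set is an example policy (an
# assumption of this snippet), not a Google-published list; extend it to
# match your own risk appetite.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}


def classify_scope(scope):
    """Return 'high' for full-access scopes, 'low' for explicit read-only scopes, else 'medium'."""
    if scope in HIGH_RISK_SCOPES:
        return "high"
    if scope.endswith(".readonly"):
        return "low"
    return "medium"


def audit_grants(grants):
    """Score each grant by its worst scope so reviewers start with the riskiest delegations."""
    order = {"high": 2, "medium": 1, "low": 0}
    report = []
    for grant in grants:
        levels = [classify_scope(s) for s in grant["scopes"]]
        worst = max(levels, key=order.__getitem__)
        report.append({
            "service_account": grant["service_account"],
            "client_id": grant["client_id"],
            "risk": worst,
            "high_risk_scopes": [s for s in grant["scopes"] if classify_scope(s) == "high"],
        })
    # Highest risk first; ties keep input order because sorted() is stable.
    report.sort(key=lambda r: order[r["risk"]], reverse=True)
    return report


def high_risk_accounts(grants):
    """Service account e-mails whose delegation includes at least one high-risk scope."""
    return [r["service_account"] for r in audit_grants(grants) if r["risk"] == "high"]


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_GRANTS), indent=2))
```

Run against a real export, the report gives a review queue: grants ranked "high" are the delegations whose takeover would expose every user's mailbox or files, so they are the ones to narrow to read-only or per-resource scopes, or to remove where the service account no longer needs them.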