Researchers at Hunters identified a significant design flaw within a key Google Workspace capability. Despite this, Google minimizes the discovery, asserting that there are no fundamental problems, emphasizing the importance of each company safeguarding endpoints using available tools. As reported by The Hacker News, the flaw resides in the domain-wide delegation (DWD) feature. Hackers purportedly exploit it to elevate privileges and access Workspace APIs without super admin permissions.
Google’s Rebuttal: No Fundamental Issues
Google dismisses any fundamental problems, asserting that the reported flaw is manageable through endpoint protection tools. Despite this, cybersecurity researchers at Hunters expose a vulnerability named DeleFriend in the domain-wide delegation (DWD) feature.
According to the researchers, the flaw arises from the configuration of domain delegation, which relies on the OAuth ID rather than the private keys associated with the service account identity object. Exploitation could lead to email theft, data exfiltration from Google Drive, and unauthorized actions within Google Workspace APIs.
The researchers emphasize the severity, stating that threat actors with low privileges could misuse domain-wide delegation, potentially impacting every identity within the Workspace domain. They demonstrate the risk with a proof-of-concept (PoC) showcasing abuse scenarios.
Google maintains its stance, declaring, “This report does not identify an underlying security issue in our products.” The company advocates minimizing account privileges as a preventive measure against such attacks.
