Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that leaves customers exposed to data theft and other potential security issues.
According to Hunters Security, a flaw in Google Workspace's domain-wide delegation feature gives attackers a way to steal email from Gmail, exfiltrate data from Google Drive, and take other unauthorized actions within Google Workspace APIs on all identities in a targeted domain.
Researchers at Hunters this week released proof-of-concept code on GitHub to demonstrate how an attacker could potentially exploit the issue to execute a variety of malicious actions against customers of Google Cloud Platform (GCP) services.
Google, however, rejected Hunters' characterization of the issue as a design flaw. "This report does not identify an underlying security issue in our products," a company spokesman said. "As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks."
Hunters has dubbed the alleged flaw "DeleFriend" and described it as enabling an attacker to manipulate existing delegations in Google Cloud Platform (GCP) and Google Workspace without needing to be a Super Admin, which is normally required for creating new delegations. The flaw gives attackers a way to search for and identify Google service accounts with domain-wide delegations, and then escalate privileges, Hunters said in its post on its findings.
"The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object," the security vendor noted. Moreover, no restrictions on fuzzing of [JSON Web Token] combinations are implemented at the API level, according to Hunters. This allows attackers to create numerous JSON Web Tokens with different OAuth scopes (predefined access rules) in order to identify service accounts that have domain-wide delegation enabled, the vendor noted.
Domain-wide delegation is a Google Workspace feature that an administrator can use to grant an application or service account access to user data in a domain. The goal is to allow certain apps and service accounts to access a user's data without requiring explicit permission from each user every time. For example, an administrator might delegate such access to an application that uses the Calendar application programming interface to add events to a user's calendar. According to Google, "a service account with delegated authority can impersonate any user, including users with access to Cloud Search."
The issue that Hunters Security discovered essentially gives an attacker a way to search for and find GCP service accounts with domain-wide delegation (DWD) enabled on Google Workspace. They can then use the service accounts to take a variety of actions on behalf of every user in the domain. This can include quietly escalating privileges, establishing persistence, gaining unauthorized access to data and services, modifying data, impersonating users, and monitoring meetings in Google Calendar.
"A compromised GCP service account key with DWD enabled can be used to perform API calls on all the identities in the target Workspace domain," Hunters said. "The range of possible actions varies based on the OAuth scopes of the delegation."
The PoC exploit, also dubbed DeleFriend, targets the OAuth delegation attack the researchers discovered. It is designed to show how an attacker can fuzz existing JWT combinations to automatically find and abuse DWD-enabled service accounts on Google Cloud Platform.
An attacker could use the PoC code to enumerate all the GCP projects in an environment, identify all service accounts associated with those projects, and identify the accounts to which a currently authenticated user might have access. It also checks the role permissions of those who have access to the service account to see if anyone might have the ability to programmatically generate new private keys for an existing service account with domain-wide delegation.
The PoC then shows how an attacker could create a fresh private key to impersonate and access different user accounts.
What makes the vulnerability problematic is that GCP service account keys by default do not have an expiry date, which means any fresh keys that an attacker creates will likely enable long-term persistence. Any new service account keys or any newly set delegation rule will be easy to hide, and so will any API calls made using the keys, Hunters said.
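The two conditions described above, principals who can mint service-account keys and user-managed keys that never expire, are both auditable from standard gcloud output. The following helper is an added example for defenders, not Hunters' DeleFriend PoC and not Google's tooling; it assumes the JSON shapes of `gcloud iam service-accounts keys list --format=json` and `gcloud projects get-iam-policy --format=json`, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Sentinel the IAM API reports in validBeforeTime for keys with no expiry
# (assumption based on gcloud output for user-managed keys).
NO_EXPIRY = "9999-12-31T23:59:59Z"

# Predefined roles that carry the iam.serviceAccountKeys.create permission.
KEY_CREATOR_ROLES = {"roles/owner", "roles/editor",
                     "roles/iam.serviceAccountAdmin",
                     "roles/iam.serviceAccountKeyAdmin"}

# Constructed sample data (not real projects, keys or accounts).
SA = "projects/demo/serviceAccounts/dwd-sa@demo.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = [
    {"name": SA + "aaaa", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T00:00:00Z", "validBeforeTime": NO_EXPIRY},
    {"name": SA + "bbbb", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "2023-11-15T00:00:00Z"},
    {"name": SA + "cccc", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-11-20T00:00:00Z", "validBeforeTime": "2024-02-18T00:00:00Z"},
]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["user:bob@example.com"]},
]}

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_risky_keys(keys: list, now: str = "", max_age_days: int = 90) -> list:
    """Key IDs of user-managed keys that never expire or exceed max_age_days.
    `now` is an RFC 3339 timestamp; empty means the current UTC time."""
    ref = _ts(now) if now else datetime.now(timezone.utc)
    risky = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated automatically
        too_old = ref - _ts(key["validAfterTime"]) > timedelta(days=max_age_days)
        if key.get("validBeforeTime") == NO_EXPIRY or too_old:
            risky.append(key["name"].rsplit("/", 1)[-1])
    return risky

def find_key_creators(policy: dict) -> dict:
    """Map each principal to the bound roles that let it mint new SA keys."""
    creators = {}
    for b in policy.get("bindings", []):
        if b["role"] in KEY_CREATOR_ROLES:
            for member in b["members"]:
                creators.setdefault(member, []).append(b["role"])
    return creators

if __name__ == "__main__":
    print("keys to rotate or delete:", find_risky_keys(SAMPLE_KEYS, "2023-11-30T00:00:00Z"))
    print("principals able to create keys:", find_key_creators(SAMPLE_POLICY))
```

Run the same two functions over real exports for each project that hosts a DWD-enabled service account; every flagged key or principal is a persistence path worth removing or at least alerting on.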
"Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths from GCP IAM users to existing delegations in their GCP Projects," Hunters Security said. They can then evaluate and tighten the security risk and posture of their Workspace and GCP environments, the company noted.
Hunters Security researchers informed Google about the DeleFriend issue in August and worked with Google's product and security teams to explore ways to potentially mitigate the threat. According to Hunters, Google has not yet resolved the issue.