Researchers from cyber security firm Hunters have reported finding a Google Workspace design flaw that could allow attackers to steal emails from Gmail, take data from Google Drive, and carry out other unauthorised actions through Google Workspace APIs as any identity in a target domain.
The weakness, dubbed ‘DeleFriend’ (Google reportedly disputes that it is a design flaw), is exploited by abusing an existing domain-wide delegation grant rather than creating a new one: an attacker who already holds enough access to a Google Cloud project to create service account keys mints a fresh private key for a service account that has been granted domain-wide delegation, then signs JWT assertions with that key naming any user in the domain as the subject and exchanges them for access tokens to call Google Workspace APIs on that user’s behalf.
It has been reported that the potential “security risk” of the Workspace domain-wide delegation feature has been known to Google since June. Palo Alto Networks Unit 42 suggests one way to mitigate the risk: place service accounts that hold domain-wide delegation in a higher-level folder of the Google Cloud Platform (GCP) resource hierarchy, so that the broad key-creation permissions commonly handed out within individual projects cannot reach the delegated accounts.
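As an added illustration (not part of the original report, and not Hunters’, Unit 42’s or Google’s own tooling): because DeleFriend has to mint a new key before it can impersonate anyone, the Admin Activity audit log entry written for `google.iam.admin.v1.CreateServiceAccountKey` is the natural detection point. The Python below checks constructed audit-log lines against a hand-maintained inventory of delegated service accounts and an allowlist of principals permitted to rotate their keys; the project and account names, the inventory, the allowlist and the sample log entries are all assumptions made for the example.

```python
"""Flag fresh keys minted for domain-wide-delegation service accounts.

Input: one JSON Cloud Audit Log entry per line (Admin Activity logs).
Output: one Finding per key created on a delegated account by a principal
not on the rotation allowlist. Added example, not the original page's code.
"""
import json
from dataclasses import dataclass

# Constructed inventory (assumption): the service accounts an admin has granted
# domain-wide delegation in the Workspace admin console. There is no API that
# lists these grants, so the inventory is kept by hand and in source control.
DWD_SERVICE_ACCOUNTS = {
    "backup-sa@example-project.iam.gserviceaccount.com",
    "mail-sync@example-project.iam.gserviceaccount.com",
}

# Constructed allowlist (assumption): the only principal expected to create keys,
# e.g. a key-rotation pipeline. Anyone else minting a key on a DWD account is a finding.
APPROVED_KEY_CREATORS = {
    "key-rotator@example-project.iam.gserviceaccount.com",
}

# Method name recorded in Admin Activity audit logs when a service account key is created.
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"


@dataclass(frozen=True)
class Finding:
    service_account: str
    principal: str
    timestamp: str


def service_account_from_resource(resource_name: str) -> str:
    """resourceName has the form 'projects/<id>/serviceAccounts/<email>'; return the email."""
    return resource_name.rsplit("/", 1)[-1]


def find_suspicious_key_creations(log_lines):
    """Return a Finding for every key minted on a DWD account by an unapproved principal."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE_METHOD:
            continue
        account = service_account_from_resource(payload.get("resourceName", ""))
        if account not in DWD_SERVICE_ACCOUNTS:
            continue  # a new key here cannot impersonate Workspace users
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal in APPROVED_KEY_CREATORS:
            continue
        findings.append(Finding(account, principal, entry.get("timestamp", "")))
    return findings


def _entry(method, resource, principal, ts):
    """Build a minimal constructed audit-log entry (not a real log)."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    })


# Constructed sample log lines shaped like Cloud Audit Log JSON (assumption).
SAMPLE_LOG_LINES = [
    # Routine rotation by the approved pipeline: not a finding.
    _entry(KEY_CREATE_METHOD, "projects/example-project/serviceAccounts/backup-sa@example-project.iam.gserviceaccount.com",
           "key-rotator@example-project.iam.gserviceaccount.com", "2023-11-28T08:00:00Z"),
    # A project editor mints a key on a delegated account: this is the DeleFriend precondition.
    _entry(KEY_CREATE_METHOD, "projects/example-project/serviceAccounts/mail-sync@example-project.iam.gserviceaccount.com",
           "contractor@example.com", "2023-11-28T08:05:00Z"),
    # Same principal, but on an account without delegation: noise, not a finding.
    _entry(KEY_CREATE_METHOD, "projects/example-project/serviceAccounts/build-sa@example-project.iam.gserviceaccount.com",
           "contractor@example.com", "2023-11-28T08:06:00Z"),
    # A different IAM method on a delegated account: ignored by this rule.
    _entry("google.iam.admin.v1.SetIAMPolicy", "projects/example-project/serviceAccounts/mail-sync@example-project.iam.gserviceaccount.com",
           "admin@example.com", "2023-11-28T08:10:00Z"),
]


if __name__ == "__main__":
    for f in find_suspicious_key_creations(SAMPLE_LOG_LINES):
        print(f"ALERT {f.timestamp}: {f.principal} minted a key for {f.service_account}")
```

The rule deliberately keys on the resource name rather than on the key itself: a minted key is only dangerous when the account already carries the delegation grant, so the inventory is what turns a noisy IAM event into a high-signal alert. Pair it with the Unit 42 placement advice above, and the allowlist shrinks to whichever identity is permitted to touch that top-level folder.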