Skip to main content

Google Workspace apparently has an obvious flaw that could lead to cyberattacks

Cybersecurity researchers from Hunters said they discovered a “severe design flaw” in a powerful Google Workspace feature.

Google, however, downplayed the findings, saying there are no underlying issues and that it’s just a matter of each company protecting its endpoints with the tools at its disposal.

As reported by The Hacker News, researchers discovered a flaw in the domain-wide delegation (DWD) feature, which hackers can allegedly exploit to escalate privileges and gain access to Workspace APIs without super admin privileges. 

Reader Offer: $50 Amazon gift card with demo Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

No underlying issues, says Google

Domain-wide delegation allows third-party apps, as well as internal apps, to access user data in a Google Workspace environment. The researchers said the feature is flawed because domain delegation configuration is determined by the service account resource identifier (OAuth ID), instead of private keys associated with the service account identity object.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," the researchers said. The vulnerability was dubbed DeleFriend. 

This would allow threat actors with low privileges to "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."

Consequently, threat actors could steal data from Gmail, Google Drive, and others. The researchers also created a proof-of-concept (PoC) to showcase how the flaw can be abused. 

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain.

But Google is having none of it. “This report does not identify an underlying security issue in our products,” it told the publication. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.” 

More from TechRadar Pro



Comments

Post a Comment

Popular posts from this blog

Garmin's new radar-equipped tail light will keep you safe on your e-bike

Garmin's Varia bike radars are some of the most popular pieces of cycling tech around – and now the company has delivered its first rearview radar to have been specially designed for some of the best e-Bikes .   Garmin's Varia range mounts to the back of your bike and broadcasts a radar signal behind you, so you can get visual and audible alerts when something's overtaking you. Even better, the new Varia eRTL615 plugs directly into most e-bikes, with no battery required. Because the catchily-named Varia eRTL615 is also a tail light, it'll also make sure you're visible to other vehicles too, promising to emit a flashing or solid light that's visible from up to a mile away in daylight. To connect Garmin's new radar tail light to your e-bike, you'll need to pick the right Garmin adapter cable (which isn't included). You can buy power cables compatible with Bosch, Shimano, or USB-A terminals or connections, with more info on those available on Garmin...
Post a Comment
Read more

Revolution Software is using their own AI technology to remake Broken Sword

TechRadar Gaming is reporting live from Gamescom 2023 on the latest and greatest developments in gaming and hardware. Revolution Software announced at Gamescom 2023 that Broken Sword would be coming back, with Broken Sword - The Shadow of the Templars getting a full remake while a sixth title in the series is coming in the future too, under the title Broken Sword - Parzival’s Stone .  Speaking to TRG ahead of the announcement, Cecil talked about the studio’s plans for a Broken Sword remake and the sixth title in the series. Cecil is a larger-than-life character, who is able to talk about the studio’s plans with enthusiasm. It even carries a pocketful of stones to illustrate the plans for Parzival’s Stone , but he also talks about how Broken Sword - The Shadow of the Templars would be using AI to upscale.  Cecil wasn’t shy about the studio’s use of AI technology, but he gave a fairly robust explanation of why the game was using it. The AI technology will be used to upda...
Post a Comment
Read more

Hackers steal passwords, emails from hookup websites

Two gay hookup websites have been breached with sensitive and personal user data stolen and sold online, new reports have claimed. The databases, which are now being sold on dark web forums, were taken from platforms called TruckerSucker, and CityJerks. They contain enough personally identifiable information to engage in identity theft , such as usernames and passwords, email addresses, profile pictures, sexual preferences, birth dates, postal addresses, IP addresses, and bios. The passwords are encrypted, but according to TechCrunch, the algorithm is “weak” and could be broken by a more persistent hacker. The silent treatment HaveIBeenPwned founder Troy Hunt, who was tipped off on the leak, described the incident as a “typical forum breach, albeit with super sensitive content.”  However the content includes more than just identity data, as there are also messages users exchanged, including arranging meetings and describing their sexual preferences.  In total, more than...
Post a Comment
Read more