Security Stop Press : Potential ‘DeleFriend’ Security Flaw Found in Google Workspace

Researchers from cyber security firm Hunters have reported finding a Google Workspace design flaw that could allow attackers to steal emails from Gmail, data from Google Drive, and carry out other unauthorised actions within Google Workspace APIs on all of the identities in a target domain.

The design flaw (Google reportedly disputes that it is one), dubbed ‘DeleFriend’, can be exploited by attackers who leverage an existing domain-wide delegation permission to create their own fresh private key for the delegated service account, and then use that key to perform Google Workspace API calls on behalf of other identities in the domain.

It’s been reported that the potential “security risk” in the Workspace domain-wide delegation feature has been known to Google since June. Palo Alto Networks Unit 42 suggests that one way to mitigate the risk is to position service accounts with domain-wide delegation permissions within a higher-level folder in the Google Cloud Platform (GCP) hierarchy, where fewer principals hold the permissions needed to create keys for them.
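Because the attack path above hinges on a fresh private key being created for a service account that already holds domain-wide delegation, a practical defensive control is to watch Cloud Audit Logs for key-creation events on exactly those accounts. The script below is an added example, not code from Hunters, Google or Unit 42: it scans audit-log JSON lines for `CreateServiceAccountKey` and `UploadServiceAccountKey` calls and flags the ones that target a service account on an operator-maintained list of delegated accounts. The list of delegated accounts, the principal names and the log entries are all constructed for the example; GCP audit logs do not themselves mark which service accounts have domain-wide delegation, so the operator has to supply that list.

```python
import json

# Assumption: the operator maintains this set of service accounts that have been granted
# domain-wide delegation in the Workspace admin console. It is constructed for this example.
DWD_SERVICE_ACCOUNTS = {
    "dwd-sync@example-proj.iam.gserviceaccount.com",
}

# IAM Admin API methods that result in a new private key for a service account
# (Cloud Audit Log protoPayload.methodName values).
KEY_CREATION_METHODS = {
    "google.iam.admin.v1.CreateServiceAccountKey",
    "google.iam.admin.v1.UploadServiceAccountKey",
}

# Constructed sample audit-log lines (not real log data), one JSON object per line,
# following the Cloud Audit Log layout: protoPayload.methodName, protoPayload.resourceName,
# protoPayload.authenticationInfo.principalEmail and a top-level timestamp.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2023-12-01T10:00:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/dwd-sync@example-proj.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}}),
    json.dumps({"timestamp": "2023-12-01T10:05:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/build-bot@example-proj.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "ci@example.com"}}}),
    json.dumps({"timestamp": "2023-12-01T10:07:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.SetIamPolicy",
        "resourceName": "projects/-/serviceAccounts/dwd-sync@example-proj.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}}),
    json.dumps({"timestamp": "2023-12-01T10:09:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.UploadServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/dwd-sync@example-proj.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "bob@example.com"}}}),
    "not valid json, should be skipped",
]


def service_account_from_resource(resource_name):
    """Extract the service account email from a resourceName such as
    projects/-/serviceAccounts/<email>; returns None if the shape does not match."""
    parts = resource_name.split("/")
    if len(parts) >= 4 and parts[-2] == "serviceAccounts":
        return parts[-1]
    return None


def find_dwd_key_events(log_lines, dwd_accounts=DWD_SERVICE_ACCOUNTS):
    """Return one finding per key-creation event on a delegated service account.

    Each finding records when the key was created, by whom, and for which account,
    which is what an analyst needs to decide whether the key was expected."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # malformed line; a real pipeline would count these
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in KEY_CREATION_METHODS:
            continue
        account = service_account_from_resource(payload.get("resourceName", ""))
        if account is None or account not in dwd_accounts:
            continue
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "service_account": account,
            "method": payload["methodName"],
        })
    return findings


if __name__ == "__main__":
    for f in find_dwd_key_events(SAMPLE_LOG_LINES):
        print(f"{f['timestamp']} {f['principal']} created a key for delegated SA {f['service_account']} via {f['method']}")
```

Run against the constructed lines, the script reports the two key events for `dwd-sync@...` and ignores the key created for the non-delegated `build-bot` account and the `SetIamPolicy` call. In production the same logic would run over a log sink export rather than an inline list, and the delegated-account set would be reconciled against the Workspace admin console on a schedule.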

Security Stop Press : Google Workspace Vulnerabilities Uncovered

Researchers at Bitdefender have reported discovering vulnerabilities in Google Workspace and Google Cloud Platform which, after first compromising the local machine, could allow threat actors to extend their activities to a “chain reaction” network-wide breach, potentially leading to ransomware attacks or data exfiltration.

The researchers say that, for example, starting from a single compromised machine, threat actors could: “move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem.”

Bitdefender says it “responsibly disclosed” its findings to Google, but that Google has confirmed it has “no plans” to address them because they fall outside Google’s specific threat model.

The advice to businesses is to strengthen detection and response capabilities (e.g. by investing in threat detection solutions that can identify and respond swiftly to unusual or unauthorised access attempts) and to have an incident response plan that covers local device compromises.