Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk

Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues.

According to Hunters Security, a flaw in Google Workspace's domain-wide delegation feature gives attackers a way to steal email from Gmail, exfiltrate data from Google Drive, and take other unauthorized actions within Google Workspace APIs on all identities in a targeted domain. Researchers at Hunters this week released proof-of-concept code on GitHub to demonstrate how an attacker could potentially exploit the issue to execute a variety of malicious actions against customers of Google Cloud Platform services.

Google rejected Hunters' characterization of the issue as a design flaw. "As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible. Doing so is key to combating these types of attacks."

"DeleFriend" Threat

Hunters has dubbed the alleged flaw "DeleFriend" and described it as enabling an attacker to manipulate existing delegations in Google Cloud Platform and Google Workspace without needing to be a Super Admin - as is usually required for creating new delegations. The flaw gives attackers a way to search for and identify Google service accounts with domain-wide delegations, and then escalate privileges, Hunters said in its post on its findings.

"The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier, and not the specific private keys associated with the service account identity object," the security vendor noted. This allows attackers to create numerous JSON Web Tokens with different OAuth scopes - or predefined access rules - to try to identify service accounts that have domain-wide delegation enabled, the vendor noted.

Domain-wide delegation (DWD) is a Google Workspace feature that an administrator can use to grant an application or service account access to user data in a domain. The goal is to let certain apps and service accounts access a user's data without requiring explicit permission from each user each time. According to Google, "a service account with delegated authority can impersonate any user, including users with access to Cloud Search."

The issue that Hunters Security discovered gives an attacker a way to search for and find GCP service accounts with domain-wide delegation enabled on Google Workspace. They can then use the service accounts to take a variety of actions on behalf of each user in the domain. This can include quietly escalating privileges, establishing persistence, gaining unauthorized access to data and services, modifying data, impersonating users, and monitoring meetings in Google Calendar.

"A compromised GCP service account key with DWD enabled can be used to perform API calls on all of the identities in the target Workspace domain," Hunters said. "The range of possible actions varies based on the OAuth scopes of the delegation."

The necessary prerequisites for an attack include the attacker having initial access to a GCP IAM user, with permission to generate private keys for service accounts. This specific permission can be exploited for domain-wide delegation abuse, resulting in a complete takeover of the Google Workspace domain, says Yonatan Khanashvili, threat researcher at Hunters' Team Axon.

Proof-of-Concept Exploit

The PoC exploit - also dubbed DeleFriend - is for the OAuth delegation attack the researchers discovered. It's designed to show how an attacker can fuzz existing JWT combinations to automatically find and abuse DWD-enabled service accounts on Google Cloud Platform.

An attacker could use the PoC code to enumerate all the GCP projects in an environment, identify all service accounts associated with these projects, and identify the accounts to which a currently authenticated user might have access. It also checks the role permissions of those who have access to the service account to see if anyone might have the ability to programmatically generate new private keys for an existing service account with domain-wide delegation. The PoC then shows how an attacker could create a fresh private key to impersonate and access different user accounts.

What makes the vulnerability problematic is that GCP service account keys by default don't have an expiry date - which means any fresh keys that an attacker creates will likely enable long-term persistence. Any new service account keys or setting of a new delegation rule will likely be easy to hide, and so will any API calls made using the keys, Hunters said.

"Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects," Hunters Security said.

Hunters Security researchers informed Google about the DeleFriend issue in August and worked with Google's product and security teams to explore ways to potentially mitigate the threat. According to Hunters, Google has not yet resolved the issue. "We have proposed several ideas to enhance Google's design, with the primary suggestion being to modify the delegation configuration to depend on a specific private key, rather than an entire service account," Khanashvili says.
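
Because the delegation follows the service account rather than a particular key, creation of a new key on a delegation-enabled account is the event worth alerting on. The sketch below is an added example, not code from Hunters or Google: it scans Cloud Audit Logs entries in JSON form for `google.iam.admin.v1.CreateServiceAccountKey` calls against such accounts. The inventory of delegated client IDs, the allow-list of expected key creators and the sample log lines are all constructed assumptions.

```python
import json

CREATE_KEY = "google.iam.admin.v1.CreateServiceAccountKey"
# Assumed inventory: OAuth client IDs (service-account unique IDs) that the
# Workspace Admin console lists under domain-wide delegation. Constructed value.
DWD_CLIENT_IDS = {"100000000000000000001"}
# Hypothetical allow-list of identities expected to create keys (e.g. a rotation job).
EXPECTED_CREATORS = {"key-rotator@example-project.iam.gserviceaccount.com"}

def _entry(method, unique_id, actor, ts):
    """Build one constructed audit-log line in Cloud Audit Logs JSON shape."""
    return json.dumps({
        "timestamp": ts,
        "resource": {"type": "service_account", "labels": {"unique_id": unique_id}},
        "protoPayload": {"methodName": method, "status": {},
                         "authenticationInfo": {"principalEmail": actor}},
    })

SAMPLE_LOG = [  # constructed sample, not real log data
    _entry(CREATE_KEY, "100000000000000000001", "alice@example.com", "2023-11-30T10:00:00Z"),
    _entry(CREATE_KEY, "100000000000000000002", "bob@example.com", "2023-11-30T10:05:00Z"),
    _entry(CREATE_KEY, "100000000000000000001",
           "key-rotator@example-project.iam.gserviceaccount.com", "2023-11-30T11:00:00Z"),
    _entry("google.iam.admin.v1.GetServiceAccount", "100000000000000000001",
           "alice@example.com", "2023-11-30T11:30:00Z"),
    "not json",
]

def find_dwd_key_creations(lines, dwd_ids=DWD_CLIENT_IDS, expected=EXPECTED_CREATORS):
    """Return key-creation events that target delegation-enabled service accounts."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        payload = entry.get("protoPayload", {})
        labels = entry.get("resource", {}).get("labels", {})
        if payload.get("methodName") != CREATE_KEY or labels.get("unique_id") not in dwd_ids:
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        findings.append({
            "time": entry.get("timestamp"),
            "service_account_id": labels["unique_id"],
            "actor": actor,
            "succeeded": payload.get("status", {}).get("code", 0) == 0,
            "expected_actor": actor in expected,
        })
    return findings

if __name__ == "__main__":
    for finding in find_dwd_key_creations(SAMPLE_LOG):
        print(finding)
```

Events with `expected_actor` set to false are the ones to triage first; restricting who holds the `iam.serviceAccountKeys.create` permission on delegated accounts keeps that list short.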

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000

