high

Google Workspace Domain-Wide Delegation Flaw

Published Thu, Nov 30th, 2023
Platforms

Summary

Unit 42 researchers discovered a security risk in Google Workspace's domain-wide delegation feature: a GCP identity with the necessary permissions can generate access tokens that impersonate Google Workspace users and access their data. This mismatch between GCP permissions and Google Workspace access could be exploited by malicious insiders or attackers with stolen credentials.

Affected Services

Google Workspace

Remediation

Position service accounts with domain delegation permissions in higher-level folders in the GCP hierarchy to restrict access. Implement least privilege access and use Prisma Cloud for visibility, alerting and remediation of risky permissions.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Tue, Jun 27th, 2023
Exploitability Period
Until patched
Known ITW Exploitation
-
Detection Methods
Monitor GCP and Google Workspace audit logs for suspicious service account key creation, authorization events, and granting of domain-wide delegation permissions. Use Cortex XDR and Prisma Cloud for anomaly detection and alerting.
Piercing Index Rating
-
Discovered by
Zohar Zigdon, Unit 42
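
The audit-log monitoring described under Detection Methods can be sketched as a correlation between the two log sources. This is an added example, not code from Unit 42 or Google; the sample records are constructed, and the field layout and event names (`google.iam.admin.v1.CreateServiceAccountKey` in Cloud Audit Logs, `AUTHORIZE_API_CLIENT_ACCESS` in the Workspace admin audit log) are assumptions about how the logs were exported.

```python
KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
DWD_GRANT = "AUTHORIZE_API_CLIENT_ACCESS"

# Constructed sample records (assumed layout, trimmed to the fields used here).
# Service account IDs, e-mail addresses and timestamps are made up.
GCP_ENTRIES = [
    {"timestamp": "2023-11-30T10:02:11Z",
     "protoPayload": {"methodName": KEY_CREATE,
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "projects/-/serviceAccounts/100000000000000000001"}},
    {"timestamp": "2023-11-30T11:40:03Z",
     "protoPayload": {"methodName": KEY_CREATE,
                      "authenticationInfo": {"principalEmail": "ci@example.com"},
                      "resourceName": "projects/-/serviceAccounts/100000000000000000002"}},
]
WORKSPACE_ACTIVITIES = [
    {"id": {"time": "2023-11-01T08:00:00Z"}, "actor": {"email": "admin@example.com"},
     "events": [{"name": DWD_GRANT, "parameters": [
         {"name": "API_CLIENT_NAME", "value": "100000000000000000001"},
         {"name": "API_SCOPES", "value": "https://www.googleapis.com/auth/gmail.readonly"}]}]},
]

def delegated_clients(activities):
    """Map client ID -> granted scopes for every delegation grant event."""
    grants = {}
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != DWD_GRANT:
                continue
            params = {p["name"]: p.get("value", "") for p in ev.get("parameters", [])}
            grants[params.get("API_CLIENT_NAME", "")] = params.get("API_SCOPES", "")
    return grants

def find_risky_key_creations(gcp_entries, activities):
    """Report key creations; 'high' when the service account holds delegation."""
    grants = delegated_clients(activities)
    findings = []
    for entry in gcp_entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE:
            continue
        sa_id = payload.get("resourceName", "").rsplit("/", 1)[-1]
        findings.append({
            "time": entry.get("timestamp"),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
            "service_account": sa_id,
            "severity": "high" if sa_id in grants else "review",
            "scopes": grants.get(sa_id, ""),
        })
    return findings
```

A key created on a service account that already holds domain-wide delegation is the case to alert on first, since that key can be used to request tokens for Workspace users within the granted scopes.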