DeleFriend Weakness Puts Google Workspace Security at Risk
Security researchers have uncovered a new design flaw in the Google Workspace Domain-Wide Delegation feature.
Named “DeleFriend” by Hunters’ Team Axon, the vulnerability could potentially expose Google Workspace to unauthorized access and privilege escalation in its APIs.
According to an advisory published by the team on Tuesday, exploiting this flaw could lead to unauthorized access to Gmail messages, extraction of data from Google Drive and other illicit activity through Google Workspace APIs, across all identities in the targeted domain.
DeleFriend permits potential attackers to manipulate established delegations in both Google Cloud Platform (GCP) and Google Workspace. Notably, this manipulation does not require the high-privilege Super Admin role in Workspace, which is normally needed to create new delegations.
Instead, with lower-privileged access to a targeted GCP project, attackers can generate multiple JSON Web Tokens (JWTs) incorporating various OAuth scopes. The objective is to identify successful combinations of private key pairs and authorized OAuth scopes, which indicate that domain-wide delegation is enabled for the service account.
Team Axon’s research paper also introduced a proof-of-concept tool to evaluate security risks within Google Workspace and GCP environments in relation to this flaw.
“These types of vulnerabilities underscore why having independent visibility into SaaS Data Access is critical,” commented Tim Davis, vice president of solution consulting at DoControl.
“No SaaS platform will ever have perfect security, and this only reiterates the need for having tools in place to recognize, alert, and even automatically remediate when data in a SaaS platform is being accessed via previously unseen or abnormal means, whether by users, APIs, or third-party applications.”
Key recommendations outlined in the Hunters blog post include smart role management, limiting OAuth scopes, implementing detection engineering and maintaining a continuous examination of security postures.
The responsible disclosure timeline shows that the vulnerability was reported to Google on August 7, 2023, initially categorized as an “Abuse Risk,” and accepted on October 31, 2023. Despite the disclosure, the flaw persists as of the latest update.
“Google is currently reviewing the vulnerability, but in the meantime, security teams using Google Workspace should audit their permissions and be sure that the GCP permissions are locked down to only accounts that need the access,” explained Adam Neel, cyber-research unit detection engineer at Critical Start.
“This permission is commonly given through the ‘Editor’ role, but custom roles could have it as well. To exploit this vulnerability, attackers must have initial access to a GCP IAM user. Without direct access to an account, attackers will be unable to exploit this vulnerability.”
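As an added example (not from the article, Hunters or Google), a Python audit that reads the JSON output of `gcloud projects get-iam-policy` together with custom role definitions and lists every principal whose role can mint service account keys, which is the lower-privileged GCP foothold the article describes. The permission checked, `iam.serviceAccountKeys.create`, the extra predefined roles and the sample policy are assumptions; the article itself names only the Editor role.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor", "members": [
            "user:dev@example.com",
            "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
        {"role": "projects/example-proj/roles/keyRotator", "members": ["user:ops@example.com"]},
        {"role": "projects/example-proj/roles/logReader", "members": ["user:ops@example.com"]},
    ],
})

# Constructed custom role definitions keyed by role name, in the shape of
# `gcloud iam roles describe ROLE --project PROJECT --format=json`.
SAMPLE_CUSTOM_ROLES = {
    "projects/example-proj/roles/keyRotator": {
        "includedPermissions": ["iam.serviceAccountKeys.create", "iam.serviceAccountKeys.delete"]},
    "projects/example-proj/roles/logReader": {
        "includedPermissions": ["logging.logEntries.list"]},
}

# Assumption: a principal who can create service account keys can sign JWTs as that
# account. The article names only Editor; Owner and Service Account Key Admin are
# added here because they also carry this permission.
KEY_CREATE_PERMISSION = "iam.serviceAccountKeys.create"
PREDEFINED_ROLES_WITH_KEY_CREATE = {"roles/owner", "roles/editor", "roles/iam.serviceAccountKeyAdmin"}


def role_can_create_keys(role, custom_roles):
    """True if a predefined or custom role grants service account key creation."""
    if role in PREDEFINED_ROLES_WITH_KEY_CREATE:
        return True
    perms = custom_roles.get(role, {}).get("includedPermissions", [])
    return KEY_CREATE_PERMISSION in perms


def find_key_minting_principals(policy_json, custom_roles):
    """Map each principal to the roles through which it can mint service account keys."""
    findings = {}
    for binding in json.loads(policy_json).get("bindings", []):
        if not role_can_create_keys(binding["role"], custom_roles):
            continue
        for member in binding.get("members", []):
            findings.setdefault(member, []).append(binding["role"])
    return findings
```

Every principal returned should be reviewed against the list of accounts that genuinely need to create service account keys; the viewer and the log-reading custom role are correctly left out.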