Google is disputing a security vendor’s report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues.
According to Hunters Security, a flaw in Google Workspace’s domain-wide delegation feature gives attackers a way to steal email from Gmail, exfiltrate data from Google Drive, and take other unauthorized actions within Google Workspace APIs on all identities in a targeted domain.
Forskere hos Hunters udgav i denne uge proof-of-concept-kode på GitHub for at demonstrere, hvordan en hacker potentielt kunne udnytte problemet til at udføre en række ondsindede handlinger mod kunder af Google Cloud Platform-tjenester (GCP).
Google, however, rejected Hunters’ characterization of the issue as a design flaw. “This report does not identify an underlying security issue in our products,” a company spokesman said. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance link.). Doing so is key to combating these types of attacks.”
“DeleFriend” Threat
Hunters has dubbed the alleged flaw as “DeleFriend” and described it as enabling an attacker to manipulate existing delegations in Google Cloud Platform (GCP) and Google Workspace without needing to be a Super Admin — as is usually required for creating new delegations. The flaw gives attackers a way to search for and identify Google service accounts with domain-wide delegations, and then escalate privileges, Hunters said in its post on its findings.
“The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object,” the security vendor noted. Additionally, no restrictions for fuzzing of [JSON Web Token] combinations are implemented at the API level, according to Hunters. This allows attackers to create numerous JSON Web Tokens with different OAuth scopes — or predefined access rules — to try and identify service accounts that have domain-wide delegation enabled, the vendor noted.
Domænedækkende delegation is a Google Workspace feature that an administrator can use to grant an application or service account access to user data in a domain. The goal is to allow certain apps and service accounts the ability to access a user’s data without requiring explicit permission from each user each time. For example, an administrator might delegate such access to an application that uses the Calendar application programming interface to add events to a user’s calendar. Ifølge Google, “a service account with delegated authority can impersonate any user, including users with access to Cloud Search.”
Det problem, som Hunters Security opdagede, giver dybest set en angriber en måde at søge efter og finde GCP-tjenestekonti med domænedækkende delegering (DWD) aktiveret på Google Workspace. De kan derefter bruge tjenestekonti til at udføre en række handlinger på vegne af hver bruger i domænet. Dette kan omfatte stille eskalering af privilegier, etablering af persistens, opnåelse af uautoriseret adgang til data og tjenester, ændring af data, efterligning af brugere og overvågning af møder i Google Kalender.
“A compromised GCP service account key with DWD enabled can be used to perform API calls on all of the identities in the target Workspace domain,” Hunters said. “The range of possible actions varies based on the OAuth scopes of the delegation.”
Proof-of-Concept udnyttelse
PoC udnytte — also dubbed DeleFriend — is for the OAuth delegation attack the researchers discovered. It’s designed to show how an attacker can fuzz existing JWT combinations to automatically find and abuse DWD-enabled service accounts on Google Cloud Platform.
En hacker kan bruge PoC-koden til at opregne alle GCP-projekter i et miljø, identificere alle tjenestekonti, der er knyttet til disse projekter, og identificere de konti, som en aktuelt godkendt bruger kan have adgang til. Den kontrollerer også rolletilladelserne for dem, der har adgang til tjenestekontoen, for at se, om nogen kan have mulighed for programmæssigt at generere nye private nøgler til en eksisterende tjenestekonto med delegering i hele domænet.
PoC viser derefter, hvordan en angriber kan oprette en ny privat nøgle for at efterligne og få adgang til forskellige brugerkonti.
What makes the vulnerability problematic is that GCP service account keys by default don’t have an expiry date — which means any fresh keys that an attacker creates will likely enable long-term persistence. Any new service account keys or setting of a new delegation rule will likely be easy to hide and so will any API calls made using the keys, Hunters said.
“Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects,” Hunters Security said. They can then evaluate and tighten the security risk and posture of their Workspace and GCP environments, the company noted.
Hunters Security researchers informed Google about the DeleFriend issue in August and worked with Google’s product and security teams to explore ways to potentially mitigate the threat. According to Hunters, Google has not yet resolved the issue.
- SEO Powered Content & PR Distribution. Bliv forstærket i dag.
- PlatoData.Network Vertical Generative Ai. Styrk dig selv. Adgang her.
- PlatoAiStream. Web3 intelligens. Viden forstærket. Adgang her.
- PlatoESG. Kulstof, CleanTech, Energi, Miljø, Solenergi, Affaldshåndtering. Adgang her.
- PlatoHealth. Bioteknologiske og kliniske forsøgs intelligens. Adgang her.
- Kilde: https://www.darkreading.com/cloud-security/vendor-claims-design-flaw-in-google-workspace-is-putting-organizations-at-risk
- :har
- :er
- :ikke
- a
- evne
- Om
- misbrug
- adgang
- Adgang til data
- Ifølge
- Konto
- Konti
- aktioner
- tilføje
- Derudover
- admin
- mod
- Alle
- påståede
- tillade
- tillader
- også
- beløb
- an
- ,
- enhver
- nogen
- api
- API'er
- tilsyneladende
- Anvendelse
- apps
- ER
- AS
- forbundet
- At
- angribe
- Angreb
- AUGUST
- autentificeret
- myndighed
- automatisk
- baseret
- I bund og grund
- BE
- vegne
- BEDSTE
- by
- Kalender
- Opkald
- CAN
- Årsag
- vis
- Kontrol
- krav
- Cloud
- Cloud platform
- kode
- bekæmpelse
- kombinationer
- selskab
- Kompromitteret
- Konfiguration
- kunne
- skabe
- skaber
- Oprettelse af
- For øjeblikket
- Kunder
- data
- Dato
- Standard
- delegation
- demonstrere
- beskrevet
- Design
- konstrueret
- bestemmes
- forskellige
- opdaget
- gør
- gør
- domæne
- Don
- køre
- døbt
- hver
- let
- muliggøre
- aktiveret
- muliggør
- tilskynde
- Miljø
- miljøer
- eskalere
- oprettelse
- Ether (ETH)
- evaluere
- begivenheder
- eksempel
- udføre
- eksisterende
- udløbet
- Exploit
- udforske
- Faktisk
- Feature
- Finde
- fund
- fejl
- Til
- frisk
- fra
- vinder
- GCP
- generere
- GitHub
- giver
- gmail
- mål
- Google Cloud
- Google Cloud Platform
- indrømme
- Have
- Skjule
- Hvordan
- Men
- HTTPS
- IAM
- ID
- identifikator
- identificere
- identiteter
- Identity
- if
- implementeret
- in
- omfatter
- Herunder
- informeret
- grænseflade
- spørgsmål
- spørgsmål
- IT
- ITS
- jpg
- json
- Jwt
- Nøgle
- nøgler
- mindst
- Niveau
- ligger
- Sandsynlig
- langsigtet
- lavet
- lave
- maerker
- midler
- møder
- måske
- afbøde
- overvågning
- behøve
- Ny
- ingen
- bemærkede
- talrige
- oauth
- objekt
- of
- on
- or
- organisationer
- Andet
- vores
- stier
- udføre
- tilladelse
- Tilladelser
- udholdenhed
- perron
- plato
- Platon Data Intelligence
- PlatoData
- PoC
- mulig
- Indlæg
- potentiale
- potentielt
- praksis
- private
- private nøgle
- Private nøgler
- privilegium
- privilegier
- Produkt
- Produkter
- Programmering
- projekter
- sætter
- roligt
- rækkevidde
- Rød
- Afvist..
- frigivet
- indberette
- påkrævet
- forskere
- løst
- ressource
- restriktioner
- Risiko
- roller
- rod
- Herske
- regler
- s
- Said
- Søg
- sikkerhed
- sikkerhedsforskere
- se
- tjeneste
- Tjenester
- indstilling
- Vis
- Shows
- So
- specifikke
- sådan
- Super
- sikker
- T
- Tag
- mål
- målrettet
- hold
- testere
- at
- tyveri
- deres
- derefter
- Disse
- de
- denne
- denne uge
- dem
- trussel
- stramme
- tid
- til
- token
- Tokens
- værktøj
- prøv
- typer
- uberettiget
- underliggende
- brug
- anvendte
- Bruger
- brugere
- bruger
- ved brug af
- sædvanligvis
- række
- sælger
- sårbarhed
- Sårbar
- Vej..
- måder
- we
- Svaghed
- web
- uge
- som
- WHO
- bred
- vilje
- med
- inden for
- uden
- arbejdede
- endnu
- zephyrnet