Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," cybersecurity firm Hunters said in a technical report shared with The Hacker News.

The design weakness, which remains active to this date, has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.

When reached for comment, Google disputed the characterization of the issue as a design flaw. "This report does not identify an underlying security issue in our products," it said. "As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks."

Domain-wide delegation, per Google, is a "powerful feature" that allows third-party and internal apps to access users' data across an organization's Google Workspace environment.

To put it differently, an IAM identity that has access to create new private keys for a GCP service account resource that already holds domain-wide delegation permission can be leveraged to create a fresh private key, which can then be used to perform API calls to Google Workspace on behalf of other identities in the domain.

Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be utilized to detect DWD misconfigurations.

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain."

Update: The story was updated after publication to include a statement from Google.

Palo Alto Networks Unit 42, in a new analysis published on November 30, 2023, said it also found the same issue with the Google Workspace domain-wide delegation feature, and that it has been discussing the "security risk" with Google since June 2023.

"A GCP identity with the necessary permission can generate an access token to a delegated user," security researcher Zohar Zigdon said. "A malicious insider or an external attacker with stolen credentials can use this access token to impersonate Google Workspace users, granting unauthorized access to their data or to perform operations on their behalf."

Google's most famous product is, of course, a search engine. They've applied the same approach to Google Drive. Don't expect Drive to look tidy. By its very nature there's no real structure to Google Drive: it's just a big pot of files. Yes, you could impose some order by adding files to folders, but this does not actually change the underlying structure.
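The precondition the report describes is a combination of two grants: a principal that can create keys on a service account, and a Workspace domain-wide delegation entry for that same service account's client ID. The following audit logic is an added example (not the article's or Hunters' PoC) that flags that combination over a constructed inventory; the role list, the service accounts and the DWD rows are all assumptions for illustration.

```python
# Added example: audit a constructed inventory for the precondition the
# article describes, i.e. an identity that can create private keys on a
# service account which is also authorized for Workspace domain-wide delegation.
from dataclasses import dataclass, field

# Roles assumed here to carry iam.serviceAccountKeys.create (constructed list;
# confirm against each role's permission set in your own project).
ROLES_WITH_KEY_CREATE = {
    "roles/owner", "roles/editor", "roles/iam.serviceAccountKeyAdmin",
}

@dataclass
class ServiceAccount:
    email: str
    unique_id: str  # the client ID that appears in the Workspace DWD allowlist
    bindings: dict = field(default_factory=dict)  # role -> set of members

@dataclass
class DwdAuthorization:  # one Workspace API-controls domain-wide delegation row
    client_id: str
    scopes: frozenset

def key_creators(sa):
    """Members who can mint a fresh private key for this service account."""
    return {m for role, members in sa.bindings.items()
            if role in ROLES_WITH_KEY_CREATE for m in members}

def find_exposure(service_accounts, dwd_authorizations, expected_admins):
    """Return (service account, member, scopes) triples that need review."""
    dwd = {a.client_id: a for a in dwd_authorizations}
    findings = []
    for sa in service_accounts:
        auth = dwd.get(sa.unique_id)
        if auth is None:
            continue  # no DWD grant: key creation here is not a domain-wide risk
        for member in sorted(key_creators(sa) - expected_admins):
            findings.append((sa.email, member, sorted(auth.scopes)))
    return findings

# Constructed sample inventory (hypothetical project, users and client IDs).
SA_DWD = ServiceAccount("sync@proj.iam.gserviceaccount.com", "1111",
    {"roles/iam.serviceAccountKeyAdmin": {"user:dev@example.com"},
     "roles/owner": {"user:admin@example.com"}})
SA_PLAIN = ServiceAccount("build@proj.iam.gserviceaccount.com", "2222",
    {"roles/editor": {"user:dev@example.com"}})
DWD = [DwdAuthorization("1111", frozenset({"https://www.googleapis.com/auth/gmail.readonly"}))]

def audit():
    """Run the check; only the DWD-enabled account with a non-admin key creator is reported."""
    return find_exposure([SA_DWD, SA_PLAIN], DWD, {"user:admin@example.com"})

if __name__ == "__main__":
    for email, member, scopes in audit():
        print(f"{member} can create keys for DWD-enabled {email} ({', '.join(scopes)})")
```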