Attackers who gain privileges in a Google Cloud Platform (GCP) environment can potentially access critical data and systems by abusing a design flaw in domain-wide delegation (DWD), a feature that lets applications access user data across Google Workspace (GWS) apps such as Gmail, Google Calendar, and Google Drive.
In a Nov. 28 blog post, Team Axon researchers at Hunters said they primarily focused on gaining a full understanding of the attack surface and, most importantly, how security teams can detect it effectively. The design flaw and accompanying research paper were reported to Google in August as part of Google’s “Bug Hunters” program.
Team Axon researchers said the flaw remained active as of Nov. 28.
To help security teams proactively respond to this news, Team Axon introduced a new proof-of-concept tool that will allow for a full takeover of the GWS domain using relevant GCP role permissions. The researchers said with this tool, red teams, pen testers and security researchers can evaluate their security risks and improve the posture of their GWS and GCP environments.
Review Google Workspace permissions, say experts
While Google said it’s currently reviewing the vulnerability, security teams using GWS should in the meantime audit their permissions and make sure that the GCP permissions are locked down to only accounts that need the access, explained Adam Neel, cyber research unit detection engineer at Critical Start. Neel said this permission commonly gets executed through the "Editor" role, but custom roles could have it as well.
“To exploit this vulnerability, attackers need to have initial access to a GCP IAM user; without direct access to an account, attackers will be unable to exploit this vulnerability,” said Neel. “It’s challenging to detect this behavior due to the use of API calls, so it’s important to stay proactive and cut down on GCP permissions wherever possible.”
Emily Phelps, director at Cyware, added that threat actors look for vulnerabilities, and if they can use this design flaw to gain access to critical data or systems, then it makes sense for security teams to resolve it with some urgency. Phelps explained that GCP service account keys are created without an expiry date, which could let adversaries establish long-term backdoors, enabling them to conduct malicious activity undetected.
“Organizations should consider taking immediate action to mitigate this threat, including modifying the current delegation requirements, implementing restrictions on JSON Web Token request frequencies, and critically reviewing and potentially revising the permissions granted to roles such as ‘Editor’ within GCP,” said Phelps.
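As an added illustration of the two audits the experts above recommend (checking who holds broad roles such as Editor, and finding service account keys that never expire), the following script is not from the article or from Hunters' tool. It assumes the JSON shapes produced by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`, and that GCP reports a key with no expiry using a `validBeforeTime` in the year 9999; the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["group:readers@example.com"]}
  ]
}""")

# Constructed sample shaped like `gcloud iam service-accounts keys list --format=json`.
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/example-project/serviceAccounts/ci-builder@example-project.iam.gserviceaccount.com/keys/key-abc",
   "keyType": "USER_MANAGED", "validAfterTime": "2023-01-15T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/ci-builder@example-project.iam.gserviceaccount.com/keys/key-def",
   "keyType": "USER_MANAGED", "validAfterTime": "2023-10-01T00:00:00Z", "validBeforeTime": "2024-04-01T00:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/ci-builder@example-project.iam.gserviceaccount.com/keys/key-xyz",
   "keyType": "USER_MANAGED", "validAfterTime": "2022-06-01T00:00:00Z", "validBeforeTime": "2024-06-01T00:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/ci-builder@example-project.iam.gserviceaccount.com/keys/key-ghi",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "2023-12-01T00:00:00Z"}
]""")

BROAD_ROLES = ("roles/owner", "roles/editor")  # roles broad enough to reach domain-wide delegation


def _parse(ts):
    # gcloud emits RFC 3339 timestamps with a trailing "Z"; make them timezone-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def broad_role_members(policy, roles=BROAD_ROLES):
    """Return (role, member) pairs for every principal bound to a broad project role."""
    return [(b["role"], m) for b in policy["bindings"] if b["role"] in roles for m in b["members"]]


def risky_keys(keys, now, max_age_days=90):
    """Map key name -> reason for user-managed keys that never expire or exceed max_age_days."""
    findings = {}
    for k in keys:
        if k["keyType"] != "USER_MANAGED":
            continue  # Google-managed keys are rotated automatically
        if _parse(k["validBeforeTime"]).year == 9999:  # assumption: GCP's marker for "no expiry"
            findings[k["name"]] = "no expiry"
        elif (now - _parse(k["validAfterTime"])).days > max_age_days:
            findings[k["name"]] = "older than %d days" % max_age_days
    return findings


if __name__ == "__main__":
    now = datetime(2023, 11, 28, tzinfo=timezone.utc)
    for role, member in broad_role_members(SAMPLE_POLICY):
        print("broad role:", role, member)
    for name, reason in risky_keys(SAMPLE_KEYS, now).items():
        print("risky key:", reason, name.rsplit("/", 1)[-1])
```

Replacing the constructed samples with real `gcloud` output turns this into a quick review of which principals could reach the DWD setup and which long-lived keys should be rotated.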