
Google Workspace's Design Flaw Exposes Organizations to Unauthorized Access
Cybersecurity researchers have discovered a "severe design flaw" in Google Workspace's domain-wide delegation feature that could be exploited by attackers to gain unauthorized access to Workspace APIs without super admin privileges. The flaw, codenamed DeleFriend, allows threat actors to manipulate existing delegations in Google Cloud Platform and Google Workspace. By generating numerous JSON Web Tokens (JWTs), attackers can pinpoint which combinations of service account private keys and authorized OAuth scopes succeed, enabling them to perform API calls on behalf of other identities in the domain. Successful exploitation of the flaw could result in the theft of emails, data exfiltration, and unauthorized actions within Google Workspace APIs.
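The precondition described above, a domain-wide delegated service account whose private keys an attacker can obtain or create, is something a defender can inventory. The following is an added example, not code from the researchers or from Google: it cross-references a constructed service account inventory with constructed domain-wide delegation grants and ranks each delegated account by whether it carries user-managed keys and sensitive scopes. The project name, account emails, client IDs and key ids are placeholders.

```python
"""Rank domain-wide delegated service accounts by DeleFriend exposure.
All inventory data below is CONSTRUCTED sample data; in practice it is
exported from the GCP IAM console and the Workspace Admin console."""
from datetime import datetime, timezone

# OAuth scopes that let a delegated caller read or send mail or read Drive.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}

# Constructed: service accounts and their user-managed (downloadable) keys.
SERVICE_ACCOUNTS = [
    {"email": "mail-sync@example-proj.iam.gserviceaccount.com",
     "client_id": "111111111111111111111",
     "user_managed_keys": [{"id": "KEY-PLACEHOLDER-1", "created": "2021-03-01"}]},
    {"email": "reporting@example-proj.iam.gserviceaccount.com",
     "client_id": "222222222222222222222", "user_managed_keys": []},
    {"email": "unused@example-proj.iam.gserviceaccount.com",
     "client_id": "333333333333333333333",
     "user_managed_keys": [{"id": "KEY-PLACEHOLDER-2", "created": "2023-10-15"}]},
]

# Constructed: delegation grants (client ID -> authorized scopes) from the Admin console.
DELEGATIONS = {
    "111111111111111111111": ["https://mail.google.com/",
                              "https://www.googleapis.com/auth/calendar"],
    "222222222222222222222": ["https://www.googleapis.com/auth/drive.readonly"],
}


def audit_delegations(accounts, delegations, now=None, max_key_age_days=90):
    """Return one finding per delegated service account, highest severity first.
    HIGH: user-managed keys AND a sensitive scope (a leaked or newly minted key
    would yield mail/Drive access); MEDIUM: one of the two; LOW: neither."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for sa in accounts:
        scopes = delegations.get(sa["client_id"])
        if scopes is None:
            continue  # not delegated: a key alone cannot impersonate users
        sensitive = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
        stale = [k["id"] for k in sa["user_managed_keys"] if (now - datetime.fromisoformat(
            k["created"]).replace(tzinfo=timezone.utc)).days > max_key_age_days]
        has_keys = bool(sa["user_managed_keys"])
        severity = "HIGH" if has_keys and sensitive else "MEDIUM" if has_keys or sensitive else "LOW"
        findings.append({"email": sa["email"], "severity": severity, "sensitive_scopes": sensitive,
                         "user_managed_keys": len(sa["user_managed_keys"]), "stale_keys": stale})
    return sorted(findings, key=lambda f: ("HIGH", "MEDIUM", "LOW").index(f["severity"]))
```

Stale keys on a delegated account are the ones to rotate or delete first, since rotating them invalidates any JWT an attacker could sign with the old material.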