Delefriend Exposes Gmail & Google Drive Account Vulnerability

Google has refuted reports of a vulnerability in the design of Google Workspace identified by specialists from Hunters Security. The vulnerability, known as “Delefriend,” allows attackers to hijack Gmail emails, extract data from Google Drive, and carry out unauthorized actions through the Google Workspace API.

Hunters researchers found that Delefriend lets attackers manipulate existing delegations in Google Cloud Platform (GCP) and Google Workspace without the super-administrator status that is normally required to create new delegations. It can be used to identify Google accounts with domain-wide delegation and to escalate privileges.

The issue stems from the fact that a domain-wide delegation's configuration is tied to the identifier of the service account resource (the OAuth ID) rather than to the specific private keys associated with the service account's identity object. In addition, the API enforces no restrictions on combinations of JSON Web Tokens (JWTs), so cybercriminals can create numerous JWTs with different OAuth scopes, or with predetermined access rules, in an attempt to identify accounts.

At the same time, an authorized account with delegated powers can impersonate any user, including those with access to Cloud Search.
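
Because delegation follows the service account's OAuth ID rather than a particular key, a defender's inventory should tie every delegated client ID back to its service account and to the principals able to issue new keys for it. The Python below is an added example, not code from Hunters or Google; all sample data is constructed, and both the set of roles treated as allowing key creation and the restriction to project-level IAM bindings are assumptions.

```python
# Constructed sample data; field names follow gcloud JSON output, values are made up.
DELEGATIONS = [  # Workspace Admin console: domain-wide delegation entries
    {"client_id": "100000000000000000001",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive"]},
    {"client_id": "100000000000000000009",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
SERVICE_ACCOUNTS = [  # gcloud iam service-accounts list --format=json
    {"email": "mail-sync@proj-a.iam.gserviceaccount.com", "projectId": "proj-a",
     "oauth2ClientId": "100000000000000000001"},
    {"email": "build@proj-a.iam.gserviceaccount.com", "projectId": "proj-a",
     "oauth2ClientId": "100000000000000000002"},
]
KEYS = {  # gcloud iam service-accounts keys list, per account
    "mail-sync@proj-a.iam.gserviceaccount.com": [
        {"keyType": "SYSTEM_MANAGED"}, {"keyType": "USER_MANAGED"}],
}
BINDINGS = {  # gcloud projects get-iam-policy, per project
    "proj-a": [
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
        {"role": "roles/viewer", "members": ["user:audit@example.com"]},
    ],
}
# Assumption: roles treated here as granting iam.serviceAccountKeys.create.
KEY_CREATOR_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountKeyAdmin"}

def audit_delegations(delegations, accounts, keys, bindings):
    """Map each delegated client ID to its service account and who can key it."""
    by_client = {a["oauth2ClientId"]: a for a in accounts}
    findings = []
    for d in delegations:
        sa = by_client.get(d["client_id"])
        if sa is None:  # delegation with no matching account in the inventory
            findings.append({"client_id": d["client_id"], "email": None,
                             "scopes": d["scopes"], "user_keys": 0, "key_creators": []})
            continue
        user_keys = sum(k["keyType"] == "USER_MANAGED" for k in keys.get(sa["email"], []))
        creators = sorted({m for b in bindings.get(sa["projectId"], [])
                           if b["role"] in KEY_CREATOR_ROLES for m in b["members"]})
        findings.append({"client_id": d["client_id"], "email": sa["email"],
                         "scopes": d["scopes"], "user_keys": user_keys,
                         "key_creators": creators})
    return findings

if __name__ == "__main__":
    for f in audit_delegations(DELEGATIONS, SERVICE_ACCOUNTS, KEYS, BINDINGS):
        print(f)
```

A finding with `email` set to `None` is a delegation whose service account is missing from the inventory and should be reviewed or removed; a non-empty `key_creators` list names principals whose access to that project deserves the same scrutiny as the delegated scopes themselves.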
