A design flaw in Google Workspace’s domain-wide delegation feature, discovered by Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges. Such exploitation could result in the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all the identities in the target domain. Snippet from DeleFriend: enumeration of custom roles Domain-wide delegation … More
The post Design flaw leaves Google Workspace vulnerable for takeover appeared first on Help Net Security.