Keypoints
- Researchers from Team Axon identified a design weakness in Google Workspace’s Domain-Wide delegation capability that can be abused for takeover scenarios.
- The vulnerability allows existing delegations to be misused, enabling privilege escalation within an organization’s Workspace environment.
- Attackers can interact with Workspace APIs without needing Super Admin credentials by leveraging the identified flaw.
- The issue was reported to Google through the Bug Hunters program in August 2023 but remains unremediated at the time of reporting.
- Team Axon released a proof-of-concept tool, DeleFriend, to scan for misconfigurations and help organizations find exposed delegations.
- The research explains how Domain-Wide delegation works, demonstrates abuse techniques, and offers detection and hunting guidance to mitigate risk.
MITRE Techniques
- [T1203] Abuse Elevation Control Mechanism – The design flaw lets attackers escalate privileges by abusing delegations. (‘allows misuse of existing delegations, leading to potential privilege escalation’)
- [T1003] Credential Dumping – The issue can facilitate extraction or misuse of account credentials or tokens tied to delegated service accounts. (‘Extracts account login and credential information from operating systems and software.’)
- [T1071] Application Layer Protocol – The vulnerability enables use of application-layer APIs to interact with Workspace services for unauthorized actions. (‘Utilizes application layer protocols for command and control communications.’)
- [T1075] Service Account Abuse – Attackers can misuse service accounts and their delegated access to reach resources normally requiring higher privileges. (‘Misuses service accounts to gain unauthorized access to resources.’)
Indicators of Compromise
- [domain] Vendor/target domain – google.com
- [url] Reference URL – www.google.com
- [tool name] PoC scanner/tool – DeleFriend
- [feature] Vulnerable capability – Domain-Wide delegation
Team Axon’s research exposes a notable design problem in Google Workspace’s Domain-Wide delegation: an attacker can leverage legitimately granted delegations to perform actions that would normally require Super Admin privileges. The flaw, dubbed “DeleFriend” by the researchers, stems from how delegated service identities and permissions are handled, creating a pathway to escalate access without directly compromising an administrator account.
Domain-Wide delegation is intended to let administrators grant service accounts the ability to act on behalf of users across an organization for legitimate automation and integration tasks. However, Team Axon demonstrates that existing delegations can be repurposed or chained in unexpected ways, allowing an adversary who controls a lower-privileged entity to call Workspace APIs and perform sensitive operations. This misuse can bypass typical administrative controls and expand the potential impact of a single compromised credential or misconfiguration.
The researchers responsibly disclosed the issue to Google in August 2023 under the Bug Hunters program. At the time of publication, the design flaw remained unpatched, so organizations using delegated service accounts should assume the risk persists. To help defenders, Team Axon developed a proof-of-concept tool named DeleFriend, which scans environments for risky delegations and configuration patterns that an attacker could exploit.
The report also outlines practical detection and mitigation steps. It recommends auditing all service accounts and their delegated scopes, minimizing the use of broad or unnecessary delegations, rotating and tightly scoping service credentials, and monitoring API usage that deviates from expected service behavior. The researchers provide hunting queries and indicators to spot suspicious use of delegation, emphasizing that timely identification of exposed delegations reduces the likelihood of privilege escalation leading to takeover.
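The detection approach described above, auditing delegation grants and flagging token use that deviates from an approved baseline, can be run over Workspace audit data. The script below is an added example written for this page; it is not Team Axon's DeleFriend tool and not Google's code. Its input records are constructed and only shaped like Admin SDK Reports API activity entries: the admin application's `AUTHORIZE_API_CLIENT_ACCESS` event (parameters `API_CLIENT_NAME`, `API_SCOPES`) and the token application's `authorize` event (parameters `client_id`, `scope`); that layout, the `SENSITIVE_SCOPES` list and the `EXPECTED_DELEGATIONS` baseline are assumptions a deployment would replace with its own exported logs and approved-scope inventory.

```python
"""Flag risky Domain-Wide delegation activity in Workspace audit records.

Added example for this summary, not Team Axon's DeleFriend or Google code.
All records below are CONSTRUCTED; they are only shaped like Admin SDK
Reports API activities, and the field names are assumptions.
"""
import json
from typing import Dict, List, Set

# Scopes that let a delegated service account read or change data for any
# user in the domain; a delegation granting one of these is high risk.
SENSITIVE_SCOPES: Set[str] = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

# Least-privilege baseline (constructed): OAuth client ID of each approved
# service account -> the scopes it was delegated for.
EXPECTED_DELEGATIONS: Dict[str, Set[str]] = {
    "111111111111111111111": {"https://www.googleapis.com/auth/calendar.readonly"},
}

# Constructed audit records: one new delegation grant, one in-baseline token
# grab, one token grab with an unapproved scope, one unknown client.
SAMPLE_RECORDS: List[dict] = [
    {"id": {"time": "2023-09-01T10:00:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"name": "AUTHORIZE_API_CLIENT_ACCESS", "parameters": [
         {"name": "API_CLIENT_NAME", "value": "222222222222222222222"},
         {"name": "API_SCOPES", "multiValue": [
             "https://www.googleapis.com/auth/admin.directory.user",
             "https://www.googleapis.com/auth/calendar.readonly"]}]}]},
    {"id": {"time": "2023-09-01T10:05:00Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "111111111111111111111"},
         {"name": "scope", "multiValue": [
             "https://www.googleapis.com/auth/calendar.readonly"]}]}]},
    {"id": {"time": "2023-09-01T10:06:00Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "111111111111111111111"},
         {"name": "scope", "multiValue": [
             "https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"id": {"time": "2023-09-01T10:07:00Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "333333333333333333333"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
]


def event_params(event: dict) -> Dict[str, object]:
    """Flatten a Reports-API-style parameter list into {name: value or list}."""
    out: Dict[str, object] = {}
    for p in event.get("parameters", []):
        out[p["name"]] = list(p["multiValue"]) if "multiValue" in p else p.get("value")
    return out


def find_new_delegations(records: List[dict]) -> List[dict]:
    """Admin audit: every delegation grant, annotated with its sensitive scopes."""
    findings = []
    for rec in records:
        if rec["id"]["applicationName"] != "admin":
            continue
        for ev in rec["events"]:
            if ev["name"] != "AUTHORIZE_API_CLIENT_ACCESS":
                continue
            p = event_params(ev)
            scopes = set(p.get("API_SCOPES", []))
            findings.append({"kind": "new_delegation", "time": rec["id"]["time"],
                             "actor": rec["actor"]["email"],
                             "client_id": p.get("API_CLIENT_NAME"),
                             "sensitive_scopes": sorted(scopes & SENSITIVE_SCOPES)})
    return findings


def find_scope_drift(records: List[dict],
                     expected: Dict[str, Set[str]] = EXPECTED_DELEGATIONS) -> List[dict]:
    """Token audit: a client acting on a user with scopes outside its approved
    baseline, or a client that is not in the baseline at all."""
    findings = []
    for rec in records:
        if rec["id"]["applicationName"] != "token":
            continue
        for ev in rec["events"]:
            if ev["name"] != "authorize":
                continue
            p = event_params(ev)
            client = p.get("client_id")
            scopes = set(p.get("scope", []))
            user = rec["actor"]["email"]
            if client not in expected:
                findings.append({"kind": "unknown_client", "client_id": client,
                                 "user": user, "scopes": sorted(scopes)})
            elif not scopes <= expected[client]:
                findings.append({"kind": "scope_drift", "client_id": client, "user": user,
                                 "unexpected_scopes": sorted(scopes - expected[client])})
    return findings


def analyze(records: List[dict]) -> List[dict]:
    """All findings from both audit sources, in record order."""
    return find_new_delegations(records) + find_scope_drift(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Two design choices matter here. Every delegation grant is reported, not only those with sensitive scopes, because the grant event itself is rare and worth a human look; the `sensitive_scopes` field just sets the priority. The token check compares against a baseline per client ID rather than per scope, which is what catches the abuse pattern in the research: an approved service account being used for scopes, or by a client, the organisation never intended.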
Organizations relying on Google Workspace integrations should review delegation practices immediately, run detection tools like the published proof-of-concept to surface misconfigurations, and apply least-privilege principles to service accounts. Because the vulnerability is structural rather than a simple misconfiguration, stakeholders should follow vendor guidance and maintain heightened monitoring until a formal remediation is released.