Smart home devices under €10?! It’s unfathomable, but Ikea made it a reality

0
[ad_1]

Remember several years ago when starting a smart home sounded almost as expensive as buying a home? Well, smart home devices have dropped in price and rose in accessibility over the years, making it easier and cheaper to start your smart home. Ikea just unveiled a collection of very affordable smart home devices; by affordable, we mean under €10!

One thing to note is that the US prices for these devices aren’t known as of yet. It’s possible that the prices could be under $10 USD, but there’s no telling at this point. In any case, these devices are still going to be quite affordable compared to many of the alternatives on the market.

Ikea just unveiled some extremely affordable smart home devices

According to The Verge, Ikea released three different devices. They’re convenient sensors that will report back to your smart home hub and keep you informed. These are the Zigbee sensors, and neither of them crosses the €10 mark.

Starting off, we have the Vallhorn (€7.99); this is a motion sensor. That’s pretty self-explanatory, but it’s a pretty powerful device. It’s meant to activate Ikea smart lights whenever it senses motion. Out of the box, it can be set to activate up to 10 lights. This device is IP44 water and dust-resistant, and it can be used inside and outside. Lastly, the Vallhorn takes three AAA batteries.

Next up, there’s Parasoll (€9.99) This is a window and door sensor, and it can be programmed to activate Ikea smart lights as well. There are two parts to this device like most other door/window sensors. When the two parts are separated, it will activate the lights. This could be used to turn on light when you walk into a room or alert you if a window has been opened.

Last on the list, we have Badring (€9.99). This is a water leakage detector. This one is super important if you’re dealing with an appliance that has a tendency to leak. It doesn’t trigger lights. Rather, it has a built-in siren that will fire off when there’s water. Also, you’ll get a smartphone notification.

Compatibility

When it comes to compatibility, you won’t be able to use the Badring or Parosoll with the Trådfri smart home hub. However, all three of them are compatible with the Dirigera hub, as it’s newer. We’re still waiting for the US prices for these devices, so you’ll want to keep an eye out for them.

We’re also waiting for Ikea to finally bring Matter support. This will make its ecosystem more accessible to people.


[ad_2]
Source link

Save $200 on the unlocked Motorola Edge+ 2023

0
[ad_1]

The 2023 edition of the Motorola Edge+ is now available on sale for $200 off. The Motorola Edge+ is an unlocked device that can be used on any US network. Which means you can use it on AT&T, Verizon, and T-Mobile. You can also use it on any of the smaller carriers, including the MVNO options from those big three.

The phone should also work with Google Fi. The Motorola Edge+ 2023 usually retails for $799.99. But because of the discount it’s being reduced in price to $599.99. Which is a really good discount when you look at what this phone offers. First up, this phone has oodles of internal storage space. At 512GB you will probably struggle to fill the phone up with stuff. Which is a good thing because it means you’ll never run out of room. So, take more pictures. Record more video. And download more games. Enjoy the device because you shouldn’t have to worry about space for anything.

This device also has some amazing battery life. Motorola says it should last days on a single charge. In our review we found it would last through at least one to one and a half days with moderate usage and still have around half the battery life left. Which is still pretty good. Especially when you factor in the 68W turbo charging, which lets you get a full battery from 0% in under an hour.

Overall this is a great flagship phone available at an awesome price. And with lots of great extra bonuses like Dolby Atmos support, a Snapdragon 8 Gen2 processor, and a large 6.67-inch pOLED screen with a 165Hz refresh rate. Which makes this phone good for mobile gaming too. You can snag this deal from the link below if you’re looking for a great upgrade at a reasonable price.

Motorola Edge+ 2023 – Amazon


[ad_2]
Source link

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable

0
[ad_1]

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 – A severe design flaw in Google Workspace’s domain-wide delegation feature discovered by threat hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

This kind of hacking could lead to the theft of emails from Gmail, data from Google Drive, or other illegal activities in the Google Workspace APIs for all users in the target domain. Hunters told Google about this in a responsible way and worked closely with them before putting out this study.

Domain-wide delegation lets Google Cloud Platform (GCP) identity objects and Google Workspace apps delegate all of their tasks. For example, it lets GCP accounts do things on behalf of other Workspace users in Google SaaS apps like Gmail, Google Calendar, Google Drive, and more.

The design flaw, which the Hunters team has named “DeleFriend,” lets attackers change current delegations in GCP and Google Workspace without having the Super Admin role on Workspace, which is needed to make new delegates.

Instead, with less access to a target GCP project, they can make a lot of JSON web tokens (JWTs) with different OAuth scopes. The goal is to find the right mix of private key pairs and authorized OAuth scopes that show the service account has domain-wide delegation turned on.

The main reason for this is that the domain transfer setup is based on the service account resource identifier (OAuth ID), not the private keys that are linked to the service account identity object.

Furthermore, there were no limits put on the fuzzing of JWT pairs at the API level. This means that there are a lot of ways to find and take over current delegations.


This flaw poses a special risk due to potential impact described above and is amplified by the following:

  • Long Life: By default, GCP Service account keys are created without an expiry date. This feature makes them ideal for establishing backdoors and ensuring long-term persistence.
  • Easy to hide: The creation of new service account keys for existing IAMs or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
  • Awareness: IT and Security departments may not always be cognizant of the domain-wide delegation feature. They might especially be unaware of its potential for malicious abuse.
  • Hard to detect: Since delegated API calls are created on behalf of the target identity, the API calls will be logged with the victim details in the corresponding GWS audit logs. This makes it challenging to identify such activities. 

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.

The range of possible actions varies based on the OAuth scopes of the delegation. For instance, email theft from Gmail, data exfiltration from the drive, or monitor meetings from Google Calendar.

In order to execute the attack method, a particular GCP permission is needed on the target Service Accounts. However, Hunters observed that such permission is not an uncommon practice in organizations making this attack technique highly prevalent in organizations that don’t maintain a security posture in their GCP resources. “By adhering to best practices, and managing permissions and resources smartly, organizations can dramatically minimize the impact of the attack method” Khanashvili continued. 

Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments. 

Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.

Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.

Read the full research here, and follow Hunters’ Team Axon on Twitter.

About Hunters

Hunters delivers a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. A SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats.

Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.

Contact
Yael Macias
[email protected]


[ad_2]
Source link

Free Evernote users might see a drastic drop in usability for the app

0
[ad_1]

Evernote is one of the oldest and most feature-packed notetaking applications still alive today. It was first launched back in 2004, 19 years ago, and it’s been a go-to solution for people wanting to keep their lives and business affairs in order. However, OG users of the platform might be tempted to jump ship if they’re on the free plan. Evernote is testing a note limit for free users.

The platform has several payment tiers that users can purchase to boost usability and productivity. This includes being able to make larger notes and upload more data to the servers each month. The cheapest plan is $14.99/month ($129.99/year) and it lets you upload up to 10GB of files each month, and your notes can be up to 200MB large. There are a bunch more perks that you can sink your teeth into.

The most expensive plan costs $17.99/month ($169.99/year) and it doubles the monthly storage along with bringing more powerful perks. You can read more about the price plans on the Evernote prices page.

Evernote is testing a note limit

Free Evernote users are able to create as many notes as they want currently. They can’t be as large as notes from paid users, but that hasn’t stopped veteran users from accumulating hundreds of notes over the years. Free users are able to have a pretty complete notetaking experience.

However, that could change in the near future. You’ll want to take this with a pinch of salt, as we’re talking about a limited test. An Evernote user told TechCrunch that they saw a popup telling them that they’re limited to creating only 50 notes and one notebook. If they want to unlock unlimited notes, they’ll need to pay for one of the plans.

Evernote responded to the matter and said that it’s only testing this change on 1% of its user base. We’re not sure where these tests are taking place or how long they’re going to last. All we know is that 1% of the company’s user base is not happy now.

The all-important question

So, if I have more than 50 notes already, what happens when I get hit with the limit? That’s the question that people are asking. Well, if you have more than 50 notes, which is a possibility if you’ve been using this app since 2011, you will still have access to all of your notes. You’ll still be able to view, manage, and edit your notes. You just won’t be able to create new notes unless you fork over $15/month.

At this point, we don’t know if the company is going to go through with this change. It’s looking to see if the folks in the test will be tempted to hop on a plan, deal with the note limit, or drop the elephant once and for all. Only time will tell.


[ad_2]
Source link

Chinese Hackers Spent 2+Years Looting Secrets

0
[ad_1]

For over two years, a hacker group linked to China had uninterrupted access to NXP, the Dutch chip manufacturer’s computer network.

They target chips to exploit vulnerabilities in hardware, enabling unauthorized access to systems or extracting sensitive data. 

The Norwegian news agency NRC reported that a Chinese-linked hacker group, a Dutch semiconductor giant, recently breached the NXP’s network.

Manipulating chips could allow threat actors to compromise digital devices’ foundation, posing serious security threats and risks.

Besides this, the most shocking thing about this event is, that the hackers held access to the breached network from late 2017 to early 2020.

Document
Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Chinese Hackers Stolen Chip Designs

Chimera hackers, linked to China, secretly accessed NXP’s network for 2.5 years, allegedly stealing chip designs. NXP, Europe’s largest chipmaker, only uncovered the breach when a similar attack hit KLM subsidiary Transavia.

NXP gained influence post-2015 by acquiring Freescale, and not only that, they are also renowned and notable for:-

  • Mifare chips in Dutch public transport
  • Powering iPhone’s Apple Pay

In September 2019, Transavia’s reservation systems were breached, revealing links to NXP. However, to successfully invade the network, the operators of Chimera used:-

  • ChimeRAR tool
  • Leaked credentials
  • Brute force attack

By altering the phone numbers, the double authentication security measures were bypassed by the hackers. Not only that, they patiently stole data every few weeks and sneakily uploaded it to secured cloud storage services.

Here below, we have mentioned all the cloud storage services that they used:-

  • Microsoft’s OneDrive
  • Dropbox
  • Google Drive

NXP acknowledges IP theft but claims no material damage as stolen data is too complex to replicate designs easily, and besides this, no public disclosure is deemed necessary, as reported by NRC.

For more security and to prevent future incidents, NXP highlights via TomsHardware the following security measures:-

  • Implementation of enhanced monitoring systems.
  • Tightens data controls.
  • Implementation of more security layers for the protection of intellectual assets.
  • Proper maintenance of network integrity.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


[ad_2]
Source link

Google Workspace Vulnerable to Takeover Due to Domain-Wide Delegation Flaw

0
[ad_1]

Cybersecurity researchers at Hunters have created a proof-of-concept tool to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks.

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 – A severe design flaw in Google Workspace’s domain-wide delegation feature discovered by threat-hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

Such exploitation could result in the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain. Hunters have responsibly disclosed this to Google and worked closely with them prior to publishing this research.

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations.

Instead, with less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.

The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

Additionally, no restrictions for fuzzing of JWT combinations were implemented on the API level, which does not restrict the option of enumerating numerous options for finding and taking over existing delegations.


This flaw poses a special risk due to the potential impact described above and is amplified by the following:

  • Long Life: By default, GCP Service account keys are created without an expiry date. This feature makes them ideal for establishing backdoors and ensuring long-term persistence.
  • Easy to hide: The creation of new service account keys for existing IAMs or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
  • Awareness: IT and Security departments may not always be cognizant of the domain-wide delegation feature. They might especially be unaware of its potential for malicious abuse.
  • Hard to detect: Since delegated API calls are created on behalf of the target identity, the API calls will be logged with the victim details in the corresponding GWS audit logs. This makes it challenging to identify such activities.

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.

The range of possible actions varies based on the OAuth scopes of the delegation. For instance, email theft from Gmail, data exfiltration from the drive, or monitoring meetings from Google Calendar.

To execute the attack method, a particular GCP permission is needed on the target Service Accounts. However, Hunters observed that such permission is not an uncommon practice in organizations making this attack technique highly prevalent in organizations that don’t maintain a security posture in their GCP resources.

“By adhering to best practices, and managing permissions and resources smartly, organizations can dramatically minimize the impact of the attack method” Khanashvili continued.

Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments.

Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.

Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.

About Hunters

Hunters deliver a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. An SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats.

Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.

  1. APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
  2. 15 Best SaaS SEO Experts That Will Help You Dominate Online
  3. Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

[ad_2]
Source link

How To Cancel An Amazon Order

0
[ad_1]

Amazon makes it super easy to order just about anything, without much effort. Which can be pretty dangerous. Maybe you ordered something that you didn’t actually want or didn’t actually need. Well thankfully, it is also pretty easy to cancel and/or return the items you purchased by mistake.

Today, we’ll be going over how you can cancel items that you’ve ordered. But beware, if you wait too long after you make your purchase, you may not be able to cancel. As Amazon cannot cancel an order once it has shipped. But you can still return the product pretty easily and quickly. Just drop it off at Kohls’ or UPS and you’re good to go.

How To Cancel An Amazon Order via the Amazon website

Canceling an Amazon order on the website is pretty simple. First of all, login to your Amazon account.

Now in the upper-right hand corner, click on “Returns & Orders”.

Screen Shot 2021 08 04 at 10 22 57 AM 1

From here you’ll want to navigate to the order you want to cancel.

Once you’ve found the order, click on “Cancel Items”.

On the next page, make sure to click the items you want to cancel from that order. This is important if you have multiple items in that order that you do or don’t want to cancel.

You will also be asked for a reason for cancelling these products. This is optional.

Now, click on “Cancel Selected items in this order”.

And that’s it. You’re all set. If you ordered from Amazon directly, you should see it cancelled immediately. But if you cancelled from a third-party seller, it may take a bit longer to cancel. But you can check the Returns & Orders page periodically to see the progress of the cancellation.

How To Cancel An Amazon Order via the Amazon app

It’s also pretty simple to cancel an Amazon order via the app – either on Android or iOS. Firstly, open the Amazon app and login if you aren’t already.

Next, tap on the person icon near the middle of the bottom of the screen.

Then tap on “Your orders”

Screenshot 20210804 102457

Find and tap on the order that you want to cancel.

Next scroll down and tap on the “View or Change this order” button. It’ll be under the “Order Info” header.

Now tap on “Cancel items”. It’ll be near the top.

Make sure to tap on the items that you want to cancel from this order.

Now tap on “Cancel selected items”.

And now your order is cancelled. Or at least the products you wanted to cancel are cancelled. Again, if you purchased from Amazon directly, it’ll cancel immediately. But if you purchased from a third-party seller, it may take a bit longer. And you can check the Returns & Orders page to see the progress.


[ad_2]
Source link

Symphony to use Google’s AI services with banks and investment firms

0
[ad_1]

There always seems to be something new that generative AI can help with. Aside from generating your college essay, the technology has some serious business applications. Symphony, an enterprise-level communications company, will be using Google’s AI to help its clients with their communications compliance.

Right now, the US government is cracking down on companies for their lackluster communication tracking during the Covid-19 pandemic. It issued over $2 billion in fines for companies, though we don’t know which ones specifically. What we know is that no company wants to be fined, so changes are in order.

Symphony will use Google’s AI services

According to Reuters, Symphony is buddying up with Google, one of the largest AI companies in the world, to help companies keep up with their communication compliance. Symphony has industry-level communications solutions, so it has some major companies on its client list. These companies include JPMorgan and Goldman Sachs. The list includes these companies along with more than 1,000 more.

Being a communications company, it’s in the position to help its clients keep better track of their communications. As per the report, it tapped Google to help it with its Cloud9 voice product. The plan is to augment this tool with some speech-to-text capabilities so that calls can be transcribed and stored as text. So, essential communications within and without the companies can easily be stored.

The Cloud9 tool isn’t only being used by banks, as trading teams on the stock market are also under Symphony’s belt. These teams do a ton of communicating, and you never know what sort of malicious tactics are being discussed. Well, with better conversation retention, it will be easier for people to find suspicious activities.

Since this is generative AI we’re talking about, its uses go far beyond just transcribing. With tools like Bard, people can get summaries of the transcripts. If you’re trying to see what an entire hour-long phone call was about, you’ll easily be able to get a summary of that call instead of having to read every line.

It’s going to be a while before we see these enhancements hit the market, as the company’s CEO says that he hopes to bring these by Q2 2024.


[ad_2]
Source link

Hackers Behind High-Profile Ransomware Attacks Arrested

0
[ad_1]

Hackers launched ransomware attacks to extort money from the following two entities by encrypting their data and demanding a ransom payment for its release:-

  • Individuals
  • Organizations  

Here, cryptocurrency payments’ financial motivation and relative anonymity make them an attractive method for hackers.

Recently, with the help of international collaboration, law enforcement agencies successfully arrested the hackers behind high-profile ransomware attacks on 71 countries.

Document
Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Hackers Arrested

Amid Russia’s military aggression, the following law enforcement agencies united to dismantle the Ukraine-based ransomware operations:-

  • Global law enforcement
  • Europol
  • Eurojust
Law enforcement agencies (Source - Europol)
Law enforcement agencies (Source – Europol)

Joint global effort arrests ransomware ringleader in Kyiv, and the Europol-led operation with international investigators from the following countries to assist Ukrainian police:-

  • Norway
  • France
  • Germany
  • The US

The virtual command post of Europol in the Netherlands analyzes seized data, follows up on 2021 arrests, and identifies suspects in the latest Kyiv action.

Roles & TTPs

Here below, we have mentioned all the varied roles:-

  • Network compromise
  • Crypto payment laundering

Here below, we have mentioned all the techniques that the threat actors use:-

Besides this, security analysts managed to discover that threat actors have encrypted more than 250 servers and also observed notable significant losses surpassing hundreds of millions of euros.

Ransomware used

The suspected network behind global ransomware attacks targeted large corporations in 71 countries using the following ransomware:-

  • LockerGoga
  • MegaCortex
  • HIVE
  • Dharma

A joint investigation team formed by France, Norway, the UK, and Ukraine, backed by Eurojust. Europol’s EC3 facilitates cybercrime action; forensic analysis aids decryption tools for LockerGoga and MegaCortex ransomware.

Participating Agencies

Here below, we have mentioned all the law enforcement agencies that have participated:- 

  • Norway: National Criminal Investigation Service
  • France: Public Prosecutor’s Office of Paris, National Police
  • Netherlands: National Police, National Public Prosecution Service
  • Ukraine: Prosecutor General’s Office, National Police of Ukraine
  • Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen CID Esslingen
  • Switzerland: Swiss Federal Office of Police, Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police
  • United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI) 
  • Europol: European Cybercrime Centre (EC3)
  • Eurojust

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


[ad_2]
Source link

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable for Takeover, Says Cybersecurity Company Hunters

0
[ad_1]

A severe design flaw in Google Workspace’s domain-wide delegation feature discovered by threat hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges. Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain. Hunters has responsibly disclosed this to Google and worked closely with them prior to publishing this research.

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations. Instead, with less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.

The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

Additionally, no restrictions for fuzzing of JWT combinations were implemented on the API level, which does not restrict the option of enumerating numerous options for finding and taking over existing delegations.


This flaw poses a special risk due to potential impact described above and is amplified by the following:

  • Long Life: By default, GCP Service account keys are created without an expiry date. This feature makes them ideal for establishing backdoors and ensuring long-term persistence.
  • Easy to hide: The creation of new service account keys for existing IAMs or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
  • Awareness: IT and Security departments may not always be cognizant of the domain-wide delegation feature. They might especially be unaware of its potential for malicious abuse.
  • Hard to detect: Since delegated API calls are created on behalf of the target identity, the API calls will be logged with the victim details in the corresponding GWS audit logs. This makes it challenging to identify such activities.

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.

The range of possible actions varies based on the OAuth scopes of the delegation. For instance, email theft from Gmail, data exfiltration from the drive, or monitor meetings from Google Calendar.

In order to execute the attack method, a particular GCP permission is needed on the target Service Accounts. However, Hunters observed that such permission is not an uncommon practice in organizations making this attack technique highly prevalent in organizations that don’t maintain a security posture in their GCP resources. “By adhering to best practices, and managing permissions and resources smartly, organizations can dramatically minimize the impact of the attack method” Khanashvili continued.

Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments.

Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.

Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.

Read the full research here, and follow Hunters’ Team Axon on Twitter.

About Hunters

Hunters delivers a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. A SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats. Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.

Contact

Yael Macias

[email protected]


[ad_2]
Source link