As organizations migrate to Google Workspace (formerly G Suite) as their chosen SaaS-based productivity suite, they are looking to use pre-built and custom integrations to maximize their Google Workspace benefits. Employees can connect their Gmail, Google Calendar, Google Drive, etc. with third-party vendors by consenting to third-party OAuth apps and/or Google Workspace Marketplace apps. These apps can be used to improve business productivity, from scheduling meetings, to optimizing their inbox, to integrating analysis tools with Google Docs and Google Sheets.
In addition, administrators can grant organization-wide access by consenting to Domain-Wide Delegation, which allows an integration to impersonate any user in the Google Workspace tenant. Lastly, citizen developers can leverage the built-in low-code development platform, Google Apps Script, to automate business workflows by integrating multiple data sources.
While Google Workspace is inherently secure, third-party vendors who have access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens and similar grants can be abused to gain the keys to the kingdom, placing Google Workspace customers at risk of data breaches and account exposure.
Supply chain access attacks against Google Workspace are not properly covered by existing security approaches such as IdP (identity provider), CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solutions, which focus on human-to-SaaS access controls and neglect the critical and growing non-human SaaS-to-SaaS third-party integration layer.
In the past, researchers analyzed the permissions requested by Google Workspace Marketplace apps and found that many apps with access to sensitive data can communicate with undisclosed external services. Attackers have realized that they can leverage this attack surface, as in the well-known “Google Defender” consent phishing campaign that tricked millions of users into consenting to a malicious third-party OAuth app. At DEF CON 2021, Matthew Bryant showed in his “Hacking G Suite: The Power Of Dark Apps Script Magic” talk how attackers can leverage Google Apps Script to bypass Google Workspace security controls. As the central productivity suite for organizations, Google Workspace is a fertile ground for custom-developed integrations, by developers and citizen developers alike. The more custom integrations an organization has developed, the more likely it is to find misconfigurations such as over-privilege, or improper storage and handling of tokens and secrets.
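To make the over-privilege point concrete, here is an added example (not Valence's code) that triages third-party OAuth grants exported from the Admin SDK Directory API tokens.list endpoint and flags broad scopes and anonymous clients. The token records below are constructed, and the list of broad scopes is an assumed starting point rather than a complete policy.

```python
from typing import Dict, List, Tuple

# Broad scopes worth reviewing, each paired with a narrower scope that often suffices.
# Assumption: this map is a starting point for review, not an exhaustive policy.
BROAD_SCOPES: Dict[str, Tuple[str, str]] = {
    "https://mail.google.com/": ("full Gmail access", "https://www.googleapis.com/auth/gmail.readonly"),
    "https://www.googleapis.com/auth/drive": ("full Drive access", "https://www.googleapis.com/auth/drive.file"),
    "https://www.googleapis.com/auth/calendar": ("full Calendar access", "https://www.googleapis.com/auth/calendar.events"),
}

# Constructed sample of tokens.list records (admin#directory#token fields); not real data.
SAMPLE_TOKENS: List[Dict] = [
    {"userKey": "alice@example.com", "clientId": "1111.apps.googleusercontent.com", "displayText": "Inbox Optimizer",
     "anonymous": False, "nativeApp": False, "scopes": ["https://mail.google.com/", "openid", "email"]},
    {"userKey": "bob@example.com", "clientId": "2222.apps.googleusercontent.com", "displayText": "Meeting Scheduler",
     "anonymous": False, "nativeApp": False, "scopes": ["https://www.googleapis.com/auth/calendar.events", "email"]},
    {"userKey": "bob@example.com", "clientId": "3333.apps.googleusercontent.com", "displayText": "",
     "anonymous": True, "nativeApp": False, "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "alice@example.com", "clientId": "3333.apps.googleusercontent.com", "displayText": "",
     "anonymous": True, "nativeApp": False, "scopes": ["https://www.googleapis.com/auth/drive"]},
]

def assess_token(token: Dict) -> List[str]:
    """Return review reasons for one grant; an empty list means nothing was flagged."""
    reasons = []
    for scope in token.get("scopes", []):
        if scope in BROAD_SCOPES:
            desc, narrower = BROAD_SCOPES[scope]
            reasons.append(f"{desc} ({scope}); narrower alternative: {narrower}")
    # An anonymous client has no reviewable publisher identity behind the grant.
    if token.get("anonymous"):
        reasons.append("anonymous client: publisher cannot be verified")
    return reasons

def risky_grants(tokens: List[Dict]) -> Dict[str, List[str]]:
    """Map 'user -> clientId' to its reasons, for every grant with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for token in tokens:
        reasons = assess_token(token)
        if reasons:
            findings[f"{token['userKey']} -> {token['clientId']}"] = reasons
    return findings

def client_footprint(tokens: List[Dict]) -> Dict[str, int]:
    """Count users per client: a wide footprint combined with broad scopes is the largest blast radius."""
    counts: Dict[str, int] = {}
    for token in tokens:
        counts[token["clientId"]] = counts.get(token["clientId"], 0) + 1
    return counts
```

Run `risky_grants(SAMPLE_TOKENS)` against the real export to get a per-user list to review, and `client_footprint` to prioritize clients that many users have granted.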
Valence seamlessly integrates with your Google Workspace environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it: