Salvato in:
Dettagli Bibliografici
Autori principali: Wan, Liuhuo, Yan, Chuan, Meng, Mark Huasong, Wang, Kailong, Wang, Haoyu, Bai, Guangdong, Dong, Jin Song
Natura: Preprint
Pubblicazione: 2025
Soggetti:
Accesso online:https://arxiv.org/abs/2506.17317
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866918066731876352
author Wan, Liuhuo
Yan, Chuan
Meng, Mark Huasong
Wang, Kailong
Wang, Haoyu
Bai, Guangdong
Dong, Jin Song
author_facet Wan, Liuhuo
Yan, Chuan
Meng, Mark Huasong
Wang, Kailong
Wang, Haoyu
Bai, Guangdong
Dong, Jin Song
contents Nowadays team workspaces are widely adopted for multi-user collaboration and digital resource management. To further broaden real-world applications, mainstream team workspaces platforms, such as Google Workspace and Microsoft OneDrive, allow third-party applications (referred to as add-ons) to be integrated into their workspaces, significantly extending the functionality of team workspaces. The powerful multi-user collaboration capabilities and integration of add-ons make team workspaces a central hub for managing shared resources and protecting them against unauthorized access. Due to the collaboration features of team workspaces, add-ons involved in collaborations may bypass the permission isolation enforced by the administrator, unlike in single-user permission management. This paper aims to investigate the permission management landscape of team workspaces add-ons. To this end, we perform an in-depth analysis of the enforced access control mechanism inherent in this ecosystem, considering both multi-user and cross-app features. We identify three potential security risks that can be exploited to cause permission escalation. We then systematically reveal the landscape of permission escalation risks in the current ecosystem. Specifically, we propose an automated tool, TAI, to systematically test all possible interactions within this ecosystem. Our evaluation reveals that permission escalation vulnerabilities are widespread in this ecosystem, with 41 interactions identified as problematic. Our findings should raise an alert to both the team workspaces platforms and third-party developers.
format Preprint
id arxiv_https___arxiv_org_abs_2506_17317
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Beyond the Scope: Security Testing of Permission Management in Team Workspace
Wan, Liuhuo
Yan, Chuan
Meng, Mark Huasong
Wang, Kailong
Wang, Haoyu
Bai, Guangdong
Dong, Jin Song
Cryptography and Security
Nowadays team workspaces are widely adopted for multi-user collaboration and digital resource management. To further broaden real-world applications, mainstream team workspaces platforms, such as Google Workspace and Microsoft OneDrive, allow third-party applications (referred to as add-ons) to be integrated into their workspaces, significantly extending the functionality of team workspaces. The powerful multi-user collaboration capabilities and integration of add-ons make team workspaces a central hub for managing shared resources and protecting them against unauthorized access. Due to the collaboration features of team workspaces, add-ons involved in collaborations may bypass the permission isolation enforced by the administrator, unlike in single-user permission management. This paper aims to investigate the permission management landscape of team workspaces add-ons. To this end, we perform an in-depth analysis of the enforced access control mechanism inherent in this ecosystem, considering both multi-user and cross-app features. We identify three potential security risks that can be exploited to cause permission escalation. We then systematically reveal the landscape of permission escalation risks in the current ecosystem. Specifically, we propose an automated tool, TAI, to systematically test all possible interactions within this ecosystem. Our evaluation reveals that permission escalation vulnerabilities are widespread in this ecosystem, with 41 interactions identified as problematic. Our findings should raise an alert to both the team workspaces platforms and third-party developers.
title Beyond the Scope: Security Testing of Permission Management in Team Workspace
topic Cryptography and Security
url https://arxiv.org/abs/2506.17317