Stop using ‘Sign in with Google’ for sensitive accounts ASAP

Dylan Ayrey, co-founder and CEO of Truffle Security, revealed that Google's OAuth login fails to protect against someone purchasing a failed startup's domain and recreating email accounts for former employees

by Kerem Gülen
January 15, 2025
in Cybersecurity, News

New research highlights a vulnerability in Google’s “Sign in with Google” authentication method that allows unauthorized access to sensitive data by exploiting abandoned startup domains, posing a potential risk to millions of American users.

New research uncovers vulnerability in Google authentication method

Dylan Ayrey, co-founder and CEO of Truffle Security, revealed that Google’s OAuth login fails to protect against someone purchasing a failed startup’s domain and recreating email accounts for former employees. While this does not grant access to old email data, it allows attackers to log into various Software-as-a-Service (SaaS) products used by the organization.

The research indicates that gaining access through these accounts could compromise users on platforms like OpenAI ChatGPT, Slack, Notion, Zoom, and several human resources (HR) systems. Sensitive data, including tax documents, pay stubs, insurance information, and social security numbers, could be exposed. Interview platforms may also contain private information regarding candidate feedback and hiring decisions.

OAuth, or open authorization, is a standard that lets users grant applications access to their data without sharing passwords. When a user signs into an application with “Sign in with Google,” Google issues claims about that user, including their email address and their hosted domain. If the application identifies the account solely by these two claims, anyone who later acquires the domain can present the same claims, so a change of domain ownership becomes a path to unauthorized access.

Image: Truffle Security

The issue was documented by Truffle Security researchers and reported to Google on September 30, 2024. Google initially classified the finding as a fraud and abuse issue rather than a flaw in OAuth. Following Ayrey’s presentation of the findings at Shmoocon in December, Google reopened the ticket and awarded Ayrey a bounty of $1,337. Nonetheless, the vulnerability remains unaddressed and exploitable.

Google’s OAuth ID token also carries a unique user identifier, the “sub” claim, which in theory should prevent this problem. However, the sub claim is reportedly inconsistent in roughly 0.04% of cases, and that unreliability leads services such as Slack and Notion to rely solely on the email and domain claims. Because those claims are inherited by whoever owns the domain next, a new owner can impersonate former employees.

Ayrey found 116,481 abandoned domains by scanning the Crunchbase database. He advocates that Google introduce immutable identifiers to fortify account security. In the meantime, SaaS providers could add their own checks, such as cross-referencing the domain’s registration date against existing accounts or requiring admin-level permissions before granting access to an account.
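As an added example (not code from the article or from Truffle Security), the following Python sketch shows how a SaaS login handler can apply the mitigations described above: it keys accounts on the immutable issuer-plus-sub pair from a verified ID token instead of on the email and hosted-domain claims, refuses to merge a known email that arrives with an unknown subject, and cross-checks the login domain’s registration date against the organisation’s existing accounts. The in-memory account store, the claim values and the dates are constructed for illustration; the caller is assumed to have verified the token signature already and to supply the domain registration date from WHOIS/RDAP.

```python
# Added example, not from the article or Truffle Security: subject-keyed
# account lookup plus a domain-registration-date cross-check for an OAuth
# "Sign in with Google" login handler. Store, claims and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    email: str
    issuer: str
    sub: str
    created: date  # when this SaaS account was first provisioned


@dataclass
class Decision:
    allowed: bool
    reason: str


class AccountStore:
    """Constructed in-memory account directory, indexed by subject and by email."""

    def __init__(self) -> None:
        self.by_subject: dict[tuple[str, str], Account] = {}
        self.by_email: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        acct.email = acct.email.lower()
        self.by_subject[(acct.issuer, acct.sub)] = acct
        self.by_email[acct.email] = acct

    def earliest_for_domain(self, domain: str) -> Optional[Account]:
        same = [a for a in self.by_email.values()
                if a.email.endswith("@" + domain.lower())]
        return min(same, key=lambda a: a.created) if same else None


def login(store: AccountStore, claims: dict,
          domain_registered: Optional[date]) -> Decision:
    """Decide whether the bearer of an already-verified ID token may sign in.

    claims: decoded token payload with Google's 'iss', 'sub', 'email',
            'email_verified' and (for Workspace users) 'hd' claims.
    domain_registered: current registration date of the login domain as
            obtained by the caller from WHOIS/RDAP, or None if unknown.
    """
    if not claims.get("email_verified"):
        return Decision(False, "email not verified by the identity provider")
    email = claims["email"].lower()
    subject = (claims["iss"], claims["sub"])

    # 1. Primary lookup by (issuer, sub): this pair stays with the person,
    #    whereas an email address follows whoever owns the domain.
    acct = store.by_subject.get(subject)
    if acct is not None:
        if acct.email != email:
            # Same subject, renamed mailbox: update the display email only.
            store.by_email.pop(acct.email, None)
            acct.email = email
            store.by_email[email] = acct
        return Decision(True, "matched existing account by immutable subject")

    # 2. A known email presented with an unknown subject is exactly what a
    #    mailbox re-created on a re-registered domain looks like. Never merge.
    if email in store.by_email:
        return Decision(False,
                        "email known but subject differs; possible domain takeover")

    # 3. Unknown email: before auto-provisioning, make sure the domain was not
    #    registered after this organisation's existing accounts were created.
    domain = claims.get("hd") or email.split("@", 1)[1]
    earliest = store.earliest_for_domain(domain)
    if (earliest is not None and domain_registered is not None
            and domain_registered > earliest.created):
        return Decision(False,
                        "domain re-registered after existing accounts; require admin approval")

    store.add(Account(email, claims["iss"], claims["sub"], date.today()))
    return Decision(True, "provisioned new account keyed on subject")
```

The ordering matters: the subject match is consulted first so a legitimate user whose mailbox was renamed is not locked out, and the registration-date check only gates brand-new emails, which is where a re-registered domain would otherwise be auto-provisioned into an existing workspace.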

However, implementing these measures would entail operational costs, technical challenges, and user friction, so there is little incentive to adopt them. The risk continues to grow and could affect millions of employee accounts across startups, since roughly 90% of tech startups are statistically expected to fail.

Currently, around six million Americans work at tech startups, and about half of those companies use Google Workspace for email, which means many of these employees log into productivity tools with their Google accounts. Employees are advised to remove sensitive information from work accounts before leaving an organization and to avoid using work accounts for personal registrations, to limit future exposure.


Featured image credit: Google
