Google OAuth Flaw Risks Millions via Abandoned Domains

Title: Google Authentication Vulnerability: New Research Exposes Risks in "Sign in with Google"

Introduction
Recent research has unveiled a significant vulnerability in Google’s "Sign in with Google" authentication process, posing risks to sensitive user data. The flaw stems from a quirk in domain ownership that allows unauthorized access to former employees’ accounts. According to Truffle Security co-founder Dylan Ayrey, this deficiency could jeopardize the personal information of millions of Americans: all an attacker needs is to acquire a defunct domain that once belonged to a failed startup.

Understanding the Vulnerability
The issue arises when an individual purchases a failed startup’s domain, which can be manipulated to recreate email accounts for former employees. While these new accounts cannot access old email data, they can still log into various software-as-a-service (SaaS) applications used by the organization, including popular platforms like OpenAI ChatGPT, Slack, Notion, and Zoom.

  • Sensitive Data at Risk: The vulnerability extends to sensitive accounts, particularly within HR systems that store crucial information such as:
    • Tax documents
    • Pay stubs
    • Insurance details
    • Social security numbers

Ayrey highlighted that interview platforms also hold sensitive candidate feedback and offer information, further escalating the risk.

The Mechanics of OAuth Authentication
OAuth, which stands for open authorization, allows users to grant third-party applications access to their information without sharing passwords. When a user signs in with Google, the relying application receives claims about the user, including their email address and hosted domain (the "hd" claim). If an application identifies users solely by these two claims, anyone who later acquires the domain and re-creates the address is treated as the original employee, which is how access to old employee accounts can be regained after a domain changes hands.

Truffle Security noted that Google’s OAuth ID token includes a unique user identifier – the "sub claim" – which could prevent this issue. However, its reliability has been questioned. In contrast, Microsoft’s Entra ID tokens utilize immutable values for enhanced security.
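The following is an added illustration of the two lookup strategies the article contrasts; it is not code from Truffle Security or from the article. The claims are constructed dicts standing in for an already signature-verified ID token payload, and the example assumes a re-created mailbox carries a different sub value than the original account.

```python
# Added example (not from the article or from Truffle Security): how a SaaS
# relying party resolves a "Sign in with Google" ID token to a local account.
# The claims below are constructed dicts standing in for an already
# signature-verified ID token payload; the signature check itself is omitted.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    email: str
    hd: str
    sub: str        # Google's stable per-account identifier (assumed stable here)
    display: str


@dataclass
class UserStore:
    users: list = field(default_factory=list)

    def lookup_by_email(self, claims: dict) -> Optional[User]:
        """Weak: matches on email + hosted domain only, so whoever re-creates
        the address under a re-registered domain inherits the old account."""
        for u in self.users:
            if u.email == claims["email"] and u.hd == claims["hd"]:
                return u
        return None

    def lookup_by_sub(self, claims: dict) -> Optional[User]:
        """Hardened: the account is bound to the sub claim; a re-created
        mailbox (assumed to get a fresh sub) resolves to no existing account."""
        for u in self.users:
            if u.sub == claims["sub"]:
                return u
        return None

    def email_collision(self, claims: dict) -> bool:
        """Detection hook: same email, unknown sub. Surface this for review
        instead of silently linking the login to the existing record."""
        return (self.lookup_by_sub(claims) is None
                and self.lookup_by_email(claims) is not None)


# Constructed data: one former employee of a wound-down startup.
STORE = UserStore([User("alice@example-startup.test", "example-startup.test",
                        "sub-original-0001", "Alice (former employee)")])

# Constructed claims from a mailbox re-created after the domain changed hands:
# email and hd are identical to the original, but the sub differs.
RECREATED_CLAIMS = {"email": "alice@example-startup.test",
                    "hd": "example-startup.test", "sub": "sub-recreated-0002"}
```

With the constructed data, `lookup_by_email` hands the re-created mailbox Alice's record while `lookup_by_sub` returns nothing, and `email_collision` flags the mismatch for review.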

Google’s Response to the Vulnerability
Initially, Google described the vulnerability as intended behavior. However, as of December 19, 2024, the company has reopened the bug report and awarded Ayrey a bounty of $1,337, acknowledging the issue as an "abuse-related methodology with high impact."

Ayrey stated, "Once you’ve been off-boarded from a startup, you lose your ability to protect your data in these accounts," emphasizing the need for immutable identifiers to prevent future compromises.

Conclusion
The findings from Truffle Security serve as a wake-up call for users relying on Google’s authentication system. As the digital landscape evolves, ensuring robust security measures is paramount. For more insights on cybersecurity and authentication vulnerabilities, consider reading our articles on related topics.
