Google Issues Warning on Using Emails as Unique Identifiers for Authentication
A recent investigation revealed a critical security risk associated with Google’s authentication methods, particularly concerning the use of email addresses as unique identifiers. Security researcher Dylan Ayrey acquired abandoned domains from defunct startups, enabling him to recreate email addresses and potentially access sensitive third-party services linked to those companies.
Ayrey reported that he gained entry to various platforms, including HR systems and communication tools like Slack, by utilizing Google’s OAuth authentication. This access granted him the ability to retrieve sensitive data such as tax documents and Social Security numbers. The issue highlights a significant flaw in how domain ownership and emails are leveraged for authentication.
According to Ayrey, the vulnerability arises because third-party services that rely on Google's authentication do not adequately account for changes in domain ownership. He emphasized that a change in ownership would not be detected, thereby allowing unauthorized access. Google, on the other hand, argues that the responsibility lies with these third-party platforms, which should use a more robust unique ID from the token rather than relying on email addresses.
To strengthen their position, Google pointed out the inconsistency associated with the sub field, which is meant to serve as a unique identifier. Ayrey claimed that a minor percentage, around 0.04%, of logins may result in changes to this identifier, which could translate into significant account issues at larger organizations. Google has maintained that they see no evidence supporting claims of immutability regarding the sub field.
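The lookup logic that separates the two positions above, as an added example that is not code from the article, from Google or from Ayrey: a vulnerable login that keys on the email address beside a hardened one that keys on the issuer-scoped sub claim and refuses to silently link a legacy account on email alone. It assumes the ID token has already been signature-verified; the account records, claim sets and sub values are constructed sample data.

```python
# Added example: the ID token is assumed to be already verified and decoded;
# accounts and claims below are constructed, not real Google data.
from dataclasses import dataclass
from typing import Optional

GOOGLE_ISS = "https://accounts.google.com"

@dataclass
class Account:
    email: str
    sub: Optional[str]   # None: legacy account never bound to a provider subject id
    role: str

def find_by_email(accounts, email):
    return next((a for a in accounts if a.email.lower() == email.lower()), None)

def find_by_sub(accounts, sub):
    return next((a for a in accounts if a.sub == sub), None)

def login_by_email(accounts, claims):
    """Vulnerable pattern: whoever controls the mailbox (including a new owner
    of a lapsed domain) is treated as the original account holder."""
    acct = find_by_email(accounts, claims["email"])
    return ("LOGIN", acct.role) if acct else ("DENY", None)

def login_by_sub(accounts, claims):
    """Hardened pattern: match on the issuer-scoped subject identifier only."""
    if claims.get("iss") != GOOGLE_ISS:
        return ("DENY", None)          # 'sub' is only unique within one issuer
    acct = find_by_sub(accounts, claims["sub"])
    if acct:
        return ("LOGIN", acct.role)
    legacy = find_by_email(accounts, claims["email"])
    if legacy and legacy.sub is None:
        # An unbound legacy account matches by email. Do not auto-link it: a
        # re-created mailbox on a re-registered domain looks exactly like this.
        return ("DENY_NEEDS_REVERIFICATION", None)
    return ("DENY", None)

# Constructed directory of a defunct company's HR system.
ACCOUNTS = [
    Account("ceo@defunct-startup.example", "110000000000000000001", "admin"),
    Account("intern@defunct-startup.example", None, "member"),
]
# Constructed claims: the real CEO, and a new owner of the lapsed domain who
# re-created the same mailbox and therefore receives a different 'sub'.
REAL_CEO = {"iss": GOOGLE_ISS, "sub": "110000000000000000001", "email": "ceo@defunct-startup.example"}
NEW_DOMAIN_OWNER = {"iss": GOOGLE_ISS, "sub": "110000000000000000999", "email": "ceo@defunct-startup.example"}
```

Run `login_by_email(ACCOUNTS, NEW_DOMAIN_OWNER)` and `login_by_sub(ACCOUNTS, NEW_DOMAIN_OWNER)` side by side: the first grants admin, the second denies.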
When Ayrey reported the issue in September 2024, Google reportedly dismissed the concern, asserting that its authentication processes were operating as designed. Nevertheless, after his presentation at Shmoocon was announced, Ayrey received a bounty of $1,337 from Google in recognition of his work in uncovering this vulnerability.
Google has subsequently advised businesses that are shutting down to cancel their Google Workspace subscriptions, and has updated its guidelines to state that email addresses should not serve as unique user identifiers. In its rebuttal, Google emphasized that comprehensive protections are already in place and that further changes were unnecessary.
These developments resonate with broader themes in cybersecurity, particularly identity and access management weaknesses. As organizations increasingly rely on third-party services with OAuth implementations, this incident underscores the need for businesses to prioritize the security of their authentication frameworks and to reconsider how they defend against similar lapses.
Additional reporting contributed by Information Security Media Group’s David Perera in Washington, D.C.