Recent investigations have unveiled a serious vulnerability within Google’s “Sign in with Google” authentication system, which can be exploited through a peculiar loophole in domain ownership. This flaw potentially allows unauthorized users to access sensitive data associated with former employees of defunct companies.

Dylan Ayrey, co-founder and CEO of Truffle Security, highlighted that Google’s OAuth login system lacks sufficient safeguards against a scenario in which an individual acquires a failed startup’s domain. Whoever controls the domain can recreate the email accounts of former employees; this does not give them access to the old email itself, but it does let them sign in to the SaaS platforms those organizations used.

The ramifications of this vulnerability are significant, as it endangers the personal and professional data of millions of U.S. users. By simply purchasing a lapsed domain, an attacker could gain unauthorized access to accounts tied to critical services, including OpenAI’s ChatGPT, Slack, Notion, Zoom, and organizational HR systems.

Ayrey further pointed out that the most sensitive information at risk encompasses tax documents, pay stubs, and personal identification numbers. Additionally, platforms utilized for interviews contain sensitive candidate feedback, offers, and rejections that could be misused.

OAuth, which stands for Open Authorization, is a widely adopted standard that lets users grant applications access to their information on other platforms without sharing passwords. It works by issuing access tokens that authenticate user identities and permit the service to reach designated resources. However, if an application identifies users solely by email address and domain, with no additional identifier, it becomes vulnerable to opportunistic attacks driven by changes in domain ownership.

Truffle has noted that while Google’s OAuth ID token includes a unique identifier known as the sub claim, which could in principle mitigate such risks, its reliability has come into question. In contrast, Microsoft’s Entra ID tokens include immutable values bound to the user, offering a more robust basis for identity verification.

Google’s initial stance was that the behaviour was working as intended. However, as of December 19, 2024, the company acknowledged the issue by reopening the related bug report and awarded Ayrey a bounty of $1,337 for his findings. Google has since classified the flaw as an “abuse-related methodology with high impact.”

In response to the concerns raised, a Google representative urged customers to adhere to security best practices, including deleting all user data immediately when closing accounts to prevent unauthorized access. The company emphasized that applications should use the sub field as the sole user identifier to defend against this vulnerability.
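To make concrete the difference between the email-keyed lookup described above and the sub-keyed lookup Google recommends, here is an added example (not code from the article, Truffle Security, or Google). The ID-token claim sets and account records are constructed; the example assumes the token’s signature, issuer and audience have already been verified.

```python
# Added example: how a SaaS login handler behaves when it keys accounts on the
# ID token's email/hd claims versus the stable `sub` claim. All values below
# are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    account_id: int
    email: str
    hd: str                   # hosted domain the account was provisioned under
    sub: Optional[str] = None # stable per-user identifier recorded at signup

# Constructed account directory: one former employee of a startup that has
# since shut down and let its domain lapse.
ACCOUNTS = [
    Account(1, "alice@defunct-startup.example", "defunct-startup.example",
            sub="110169484474386276334"),
]

# Constructed ID-token claims. ORIGINAL is the former employee; REBUILT is a
# user with the same address, created after the domain changed hands.
ORIGINAL = {"sub": "110169484474386276334", "email": "alice@defunct-startup.example",
            "email_verified": True, "hd": "defunct-startup.example"}
REBUILT = {"sub": "204716933841255005217", "email": "alice@defunct-startup.example",
           "email_verified": True, "hd": "defunct-startup.example"}

def login_by_email(claims, accounts=ACCOUNTS):
    """Vulnerable pattern: email (and hd) are the only identity key, so anyone
    who later controls the domain and recreates the address matches."""
    for acct in accounts:
        if acct.email == claims["email"] and acct.hd == claims.get("hd"):
            return acct
    return None

def login_by_sub(claims, accounts=ACCOUNTS):
    """Hardened pattern: `sub` is the identity key; email is only metadata.
    A token carrying an unknown sub does not reach any existing account."""
    for acct in accounts:
        if acct.sub is not None and acct.sub == claims["sub"]:
            if acct.email != claims["email"]:
                acct.email = claims["email"]  # same person, renamed address
            return acct
    return None
```

With the email-keyed lookup the rebuilt account lands on the original employee’s record; with the sub-keyed lookup it does not, and the application can treat it as a new user or refuse it.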

Ayrey poignantly summarized the issue, stating that once individuals leave a startup, they relinquish control over their data in various accounts, subjecting them to future risks associated with changes in domain ownership. He underscored the necessity for immutable identifiers to maintain user and workspace security in an increasingly complex digital landscape.

(This article has been updated to incorporate a response from Google.)
