Identity & Access Management,
Security Operations
Google Warns Against Using Emails as Unique Identifiers on Platforms
In a concerning revelation, a security researcher has demonstrated how the purchase of abandoned online domains associated with failed startups allowed him to reconstruct email addresses and gain access to sensitive third-party services. The implications of this situation underscore potential vulnerabilities in current identity management practices.
Dylan Ayrey, the researcher in question, detailed his findings in a recent report, describing how he successfully accessed platforms such as HR systems and Slack through the “Sign in with Google” option. This strategy led him to a trove of confidential records, including tax documents, payroll information, and Social Security numbers from the defunct businesses.
Ayrey attributes the significant security lapse to Google’s authentication methodology, specifically the reliance on domain ownership and email addresses. He pointed out that for third-party services that utilize Google’s sign-in feature, changes in domain ownership would not trigger any alerts or updates, allowing unauthorized access to previously secured accounts.
Contrary to Ayrey’s assertions, Google maintains that the root of the issue lies with the third-party services, which have inappropriately substituted email identifiers for a more robust Google sign-in ID token. According to Google, the sub field is intended to be a stable identifier, unaffected by changes in domain ownership.
Despite the potential for domain ownership changes to cause disruptions, Google asserts that the incidence of sub field alterations remains minimal—approximately 0.04% of all logins—though this statistic may translate into substantial account lockouts for larger organizations. Google representatives have expressed willingness to review any evidence disputing their claims regarding the stability of the sub field.
Following his initial contact with Google in September 2024 about these vulnerabilities, Ayrey noted that the company had declined to recognize the situation as a bug, insisting that the sign-in feature was functioning as designed. His subsequent presentation of these findings at the Shmoocon conference resulted in Google awarding him a bounty of $1,337, a nod to the hacker culture fond of numerical symbolism.
In response to the growing concerns about domain transitions, Google has urged organizations to properly manage their accounts, advising those closing down operations to cancel their Google Workspace subscriptions. The company has also reiterated its stance that email addresses should not serve as unique user identifiers to enhance security.
This situation exemplifies the risks associated with identity management system inadequacies, highlighting tactics from the MITRE ATT&CK framework such as initial access and credential dumping, which could feasibly characterize Ayrey’s exploitation method. Businesses must remain vigilant against potential vulnerabilities and take proactive steps to protect sensitive information from unauthorized access.
Reporting contributed by David Perera from Information Security Media Group in Washington, D.C.