A new study has uncovered a “flaw” in Google’s “Sign in with Google” authentication process that uses features in domain ownership to gain access to sensitive data.
“At Google OAuth a login doesn’t protect against someone buying a failed startup’s domain and using it to re-create email accounts for former employees.” Truffle Security Co-Founder and CEO Dylan Airey said in Monday’s report.
“And while you can’t access the old email data, you can use those accounts to log into all the different SaaS products that the organization used.”
The San Francisco-based company said the issue could have compromised the data of millions of US users simply by buying a defunct domain linked to the failed startup and gaining unauthorized access to old employee accounts linked to various programs such as OpenAI ChatGPT, Slack. , Notion, Zoom and even HR systems.
“The most sensitive accounts included HR systems that contained tax documents, forms, insurance information, Social Security numbers and more,” Airey said. “The interview platforms also contained sensitive information about candidate feedback, offers and rejections.”
OAuth, short for Open Authorization, refers to an open access delegation standard that allows users to allow websites or applications to access their information on other websites without having to provide their passwords. This is achieved by using an access token to verify the user’s identity and allow the service to access the resource for which the token is assigned.
When Sign in with Google is used to sign in to an app like Slack, Google sends the service a set of claims about the user, including their email address and hosted domain, which can then be used to sign users into their accounts.
This also means that if a service relies solely on these pieces of information to authenticate users, it also opens the door to a scenario where domain owner changes could allow an attacker to regain access to old employee accounts.
Truffle also noted that the Google OAuth ID token includes a unique user ID – sub-claim – this could theoretically prevent the problem, but it was found to be unreliable. It should be noted that Microsoft Entra ID tokens include sub or oid claims keep the value constant for each user.
While Google initially responded to the vulnerability disclosure by saying it was intentional behavior, it has since re-opened the bug report as of December 19, 2024, awarding Airey a $1,337 reward. He also described the issue as a “high-impact, abusive methodology.”
At the same time, software vendors cannot exploit vulnerabilities in Google’s OAuth implementation. Hacker News has reached out to Google for further comment, and we’ll update when we hear back.
“As an individual, once you’re kicked out of a startup, you lose the ability to protect your data in those accounts, and you’re subject to a fate that will befall the future of the startup and the domain,” Airey said. “Without immutable identities for users and workspaces, domain ownership changes will continue to compromise accounts.”
