Google OAuth Vulnerability: Millions of Users’ Data at Risk
Introduction
Recent research from Truffle Security has revealed a "deficiency" in Google’s "Sign in with Google" authentication flow that turns on a quirk of domain ownership. Because downstream applications identify users by the email address and hosted domain that Google asserts, an attacker who purchases the defunct domain of a failed startup can re-create its former employees’ email accounts and gain unauthorized access to those employees’ old accounts in the applications the company used.
The Issue
Truffle Security co-founder and CEO Dylan Ayrey stated that Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees. This can lead to the unauthorized access of sensitive data, including tax documents, pay stubs, insurance information, social security numbers, and more.
How the Vulnerability Works
When "Sign in with Google" is used to sign in to an application such as Slack, Google sends the service a set of claims about the user, including their email address and the hosted domain. This information can be used to log users into their accounts. The vulnerability arises when domain ownership changes, allowing an attacker to regain access to old employee accounts.
The Impact
The most sensitive accounts included HR systems, which contained tax documents, pay stubs, insurance information, social security numbers, and more. Interview platforms also contained sensitive information about candidate feedback, offers, and rejections. The vulnerability has the potential to put millions of American users’ data at risk.
The Solution
Truffle Security pointed out that Google’s OAuth ID token also includes a unique user identifier, the sub claim, which could in theory prevent the problem because it does not change when a domain changes hands. In practice, however, the researchers found the claim to be unreliable. By contrast, Microsoft’s Entra ID tokens include the sub or oid claims, which store an immutable value per user.
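To make the mechanism described under "How the Vulnerability Works" and the sub-claim fix discussed here concrete, the following is an added Python example, not code from the article, Google or Truffle Security. The claim values, the two relying-party classes and the helper names are constructed for illustration; it models a service that maps a verified Google ID token to an account by email (the vulnerable pattern) next to one that keys on sub and refuses to link a known email to a different identity.

```python
# Added example (not code from the article, Google, or Truffle Security).
# Shows why a relying party that maps a Google ID token to an account by
# `email`/`hd` hands a new domain owner the former employee's account, while
# keying on the `sub` claim does not. All claim values are constructed.


class IdentityConflict(Exception):
    """Raised when a known email is presented with a different `sub` than before."""


# Constructed claim sets, as they would appear in an already verified ID token.
# Real code must first verify the JWT signature against Google's JWKS and
# check `iss`, `aud`, `exp` and `email_verified`; that is assumed done here.
FORMER_EMPLOYEE = {
    "sub": "110169484474386276334",      # Google-issued, stable per user
    "email": "alice@example-startup.com",
    "hd": "example-startup.com",
    "email_verified": True,
}
# The same mailbox re-created by whoever bought example-startup.com later
# and set up new Google accounts on it. Google issues a fresh `sub`, but the
# `email` and `hd` claims are identical to the former employee's.
DOMAIN_BUYER = {
    "sub": "218337391022485119827",
    "email": "alice@example-startup.com",
    "hd": "example-startup.com",
    "email_verified": True,
}


class EmailKeyedRP:
    """Relying party that identifies users by email (the vulnerable pattern)."""

    def __init__(self):
        self.accounts = {}  # email -> account record

    def login(self, claims):
        email = claims["email"].lower()
        # Any token carrying this email, from any Google identity, lands here.
        return self.accounts.setdefault(email, {"email": email, "records": []})


class SubKeyedRP:
    """Relying party that identifies users by `sub` and refuses to merge a
    previously seen email onto a different `sub` (the hardened pattern)."""

    def __init__(self):
        self.accounts = {}     # sub -> account record
        self.email_owner = {}  # email -> sub that first claimed it

    def login(self, claims):
        sub, email = claims["sub"], claims["email"].lower()
        if sub in self.accounts:
            return self.accounts[sub]
        prior = self.email_owner.get(email)
        if prior is not None and prior != sub:
            # Same mailbox, different Google identity: consistent with a domain
            # takeover. Do not link the accounts; require administrator review.
            raise IdentityConflict(f"{email} is already bound to sub {prior}")
        self.email_owner[email] = sub
        account = {"sub": sub, "email": email, "records": []}
        self.accounts[sub] = account
        return account


def run_scenario(rp):
    """Alice stores a record and leaves; later the domain buyer signs in as her.
    Returns the records the buyer can see, or None if the login was refused."""
    rp.login(FORMER_EMPLOYEE)["records"].append("W-2 tax form")
    try:
        return list(rp.login(DOMAIN_BUYER)["records"])
    except IdentityConflict:
        return None


if __name__ == "__main__":
    print("email-keyed:", run_scenario(EmailKeyedRP()))  # ['W-2 tax form']
    print("sub-keyed:  ", run_scenario(SubKeyedRP()))    # None
```

The hardened variant only works as well as the sub claim itself: if, as the researchers reported, sub can change for some users, a legitimate returning employee will also trip IdentityConflict. That is why the conflict is surfaced for review rather than silently resolved in either direction, and why the article's point stands that an immutable per-user and per-workspace identifier from Google is what downstream providers actually need.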
The Response
Google initially responded to the vulnerability disclosure by stating that the behavior is intended. However, it re-opened the bug report on December 19, 2024, awarded Ayrey a bounty of $1,337, and classified the issue as an "abuse-related methodology with high impact."
Conclusion
Because the sub claim cannot be relied upon, there are no protections that downstream software providers can apply on their own against this weakness in Google’s OAuth implementation. The Hacker News has reached out to Google for further comment and will update the story if it hears back.
The Future of Data Protection
As an individual, once you’ve been off-boarded from a startup, you lose your ability to protect your data in these accounts, and you are subject to whatever fate befalls the future of the startup and domain. Without immutable identifiers for users and workspaces, domain ownership changes will continue to compromise accounts.