Critical Flaw in Google’s OAuth System Exposes Sensitive Data of Defunct Startup Employees


2025-01-14

In today’s digital age, the convenience of “Sign in with Google” has become a staple for accessing countless online services. However, a recently uncovered vulnerability in Google’s OAuth system reveals a darker side to this convenience. Researchers have discovered that attackers can exploit abandoned domains of defunct startups to gain unauthorized access to sensitive data tied to former employee accounts on popular SaaS platforms. This alarming security gap, which remains unpatched, highlights the risks of inadequate domain management and the need for stronger identity verification measures.


A critical vulnerability in Google’s OAuth “Sign in with Google” feature allows attackers to access sensitive data from former employees of defunct startups. Discovered by Trufflesecurity researchers and reported to Google in September 2023, the issue was initially dismissed as a “fraud and abuse” problem rather than an OAuth flaw. However, after the findings were presented at Shmoocon in December, Google acknowledged the issue, awarded a $1337 bounty, and reopened the case. Despite this, the vulnerability remains unpatched.

The flaw stems from the ability of attackers to purchase abandoned domains of failed startups and recreate email accounts for former employees. While this doesn’t grant access to past communications, it allows attackers to log into SaaS platforms like Slack, Notion, Zoom, and ChatGPT, as well as HR systems containing sensitive information such as tax documents and social security numbers.

Trufflesecurity’s investigation revealed that 116,481 defunct startup domains are available for purchase, posing a significant risk. Google’s OAuth system uses a “sub claim” to provide a unique identifier for users, but inconsistencies in this system force SaaS platforms to rely on email and domain claims, which can be exploited by new domain owners.

To mitigate the risk, researchers suggest implementing immutable identifiers, such as unique user and workspace IDs tied to the original organization. SaaS providers could also enforce additional measures like domain registration checks, admin-level approvals, or secondary authentication factors. However, these solutions come with technical and financial challenges, making them less appealing for providers.
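The following is an added illustration, not code from the article or from Trufflesecurity's report, of how a SaaS provider could key accounts on Google's `sub` claim rather than on the email address, so that a mailbox re-created on a repurchased domain is held for review instead of inheriting the former employee's account. It assumes the ID token's signature has already been verified by an OIDC library, that `sub` is stable for a given Google account, and uses a hypothetical `workspace_id` field and constructed sample claims.

```python
# Added example: account resolution for "Sign in with Google" that trusts the
# immutable `sub` claim first and never auto-links on email alone.
# Claims are assumed to come from an already signature-verified ID token.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    sub: str            # Google's stable per-user identifier (assumed unchanged)
    email: str
    workspace_id: str   # hypothetical immutable tenant id recorded at first sign-in
    data: dict = field(default_factory=dict)


@dataclass
class Decision:
    outcome: str        # "login", "new_account", or "needs_review"
    account: Optional[Account] = None


class AccountStore:
    def __init__(self) -> None:
        self.by_sub: Dict[str, Account] = {}
        self.by_email: Dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self.by_sub[acct.sub] = acct
        self.by_email[acct.email.lower()] = acct


def login_with_google(store: AccountStore, claims: dict) -> Decision:
    """Resolve verified Google ID-token claims to an account without trusting email alone."""
    sub = claims["sub"]
    email = claims["email"].lower()
    hd = claims.get("hd", "")   # hosted domain of the Google Workspace, if present
    # 1. Immutable identifier wins: same sub means the same person, even if the email changed.
    acct = store.by_sub.get(sub)
    if acct is not None:
        return Decision("login", acct)
    # 2. Email matches an existing account but sub does not: this is the repurchased-domain
    #    case described in the article. Do not link automatically; hold for admin review.
    if email in store.by_email:
        return Decision("needs_review", store.by_email[email])
    # 3. Genuinely new user: bind the new account to sub and the workspace it arrived from.
    acct = Account(sub=sub, email=email, workspace_id=hd)
    store.add(acct)
    return Decision("new_account", acct)
```

The "needs_review" outcome is where a provider would plug in the admin approval or secondary-factor step the researchers recommend.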

The issue is growing as more startups fail, leaving behind domains that can be exploited. With 90% of tech startups statistically destined to fail, millions of employee accounts remain at risk. The report urges individuals to remove sensitive data from accounts when leaving a startup and avoid using work emails for personal registrations to minimize exposure.

What Undercode Says:

The vulnerability in Google’s OAuth system underscores a critical gap in digital identity management. While the convenience of single sign-on (SSO) systems like “Sign in with Google” has revolutionized user experience, it has also introduced significant security risks, especially when domains are not properly managed post-organizational closure.

The core issue lies in the reliance on email and domain claims for user identification. When a startup shuts down and its domain becomes available for purchase, the new owner can effectively impersonate former employees by recreating their email addresses. This exposes not only the individuals but also the SaaS platforms they used, which often store sensitive data.

Google’s response to the issue has been lackluster. While the company has acknowledged the problem and provided best practices for domain closure, it has yet to implement a technical fix. This delay is concerning, given the scale of the risk. With millions of defunct startup domains available and thousands of companies relying on Google Workspaces, the potential for exploitation is immense.

The researchers’ recommendation for immutable identifiers is a step in the right direction. By introducing unique user and workspace IDs that remain constant regardless of domain ownership changes, Google could significantly reduce the risk of impersonation. However, this solution requires collaboration with SaaS providers, many of whom may be reluctant to implement additional measures due to the associated costs and complexities.

Another layer of complexity is the human factor. Employees often use work emails for personal accounts, creating a web of dependencies that can be difficult to untangle when leaving a company. This practice exacerbates the risk, as attackers can gain access to both professional and personal accounts tied to the same email address.

The growing number of failed startups further amplifies the problem. With 90% of tech startups destined to fail, the pool of available domains—and the associated risks—will only increase. This trend highlights the need for proactive measures, both at the organizational and individual levels. Companies must ensure proper domain closure procedures, while employees should take steps to secure their data and avoid using work emails for personal purposes.

In conclusion, the vulnerability in Google’s OAuth system is a stark reminder of the importance of robust identity management in the digital age. While the convenience of SSO systems is undeniable, it must not come at the cost of security. Google, SaaS providers, and users all have a role to play in addressing this issue. Until a comprehensive solution is implemented, the risk of exploitation will continue to loom large, threatening the privacy and security of millions.

References:

Reported By: Bleepingcomputer.com