Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Google OAuth Vulnerability Exposes Millions via Failed Startup Domains

The Hacker News by The Hacker News
January 16, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jan 14, 2025Ravie LakshmananVulnerability / Data Privacy

New research has pulled back the curtain on a “deficiency” in Google’s “Sign in with Google” authentication flow that exploits a quirk in domain ownership to gain access to sensitive data.

“Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees,” Truffle Security co-founder and CEO Dylan Ayrey said in a Monday report.

“And while you can’t access old email data, you can use those accounts to log into all the different SaaS products that the organization used.”

Cybersecurity

The San Francisco-based company said the issue has the potential to put millions of American users’ data at risk simply by purchasing a defunct domain associated with a failed startup and gaining unauthorized access to old employee accounts related to various applications like OpenAI ChatGPT, Slack, Notion, Zoom, and even HR systems.

“The most sensitive accounts included HR systems, which contained tax documents, pay stubs, insurance information, social security numbers, and more,” Ayrey said. “Interview platforms also contained sensitive information about candidate feedback, offers, and rejections.”

OAuth, short for open authorization, refers to an open standard for access delegation, allowing users to grant websites or applications access to their information on other websites without having to give their passwords. This is accomplished by making use of an access token to verify the user’s identity and allow the service to access the resource the token is intended for.

Google OAuth Vulnerability

When “Sign in with Google” is used to sign in to an application such as Slack, Google sends the service a set of claims about the user, including their email address and the hosted domain, which could then be utilized to log users into their accounts.

This also means that if a service is solely relying on these pieces of information to authenticate users, it also opens the door to a scenario where domain ownership changes could allow an attacker to regain access to old employee accounts.

Truffle also pointed out Google’s OAuth ID token includes a unique user identifier – the sub claim – that could theoretically prevent the problem, but that has been found to be unreliable. It’s worth noting that Microsoft’s Entra ID tokens include the sub or oid claims to store an immutable value per user.

Cybersecurity

While Google initially responded to the vulnerability disclosure by stating that it is intended behavior, it has since re-opened the bug report as of December 19, 2024, awarding Ayrey a bounty of $1,337. It has also qualified the issue as an “abuse-related methodology with high impact.”

In a statement shared with The Hacker News, a Google spokesperson said the company recommends customers to follow security best practices and wipe out all user data when an account is closed to ensure that the data is not accessible. Downstream software providers can also protect against the vulnerability in Google’s OAuth implementation by using the sub field within their application as the unique-identifier key for the user.

“We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation,” the tech giant said. “As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk.”

“As an individual, once you’ve been off-boarded from a startup, you lose your ability to protect your data in these accounts, and you are subject to whatever fate befalls the future of the startup and domain,” Ayrey said. “Without immutable identifiers for users and workspaces, domain ownership changes will continue to compromise accounts.”

(The story was updated after publication to include a response from Google.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation

Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation

Recommended.

Ace Hardware releases AI assistant for store staff

Ace Hardware releases AI assistant for store staff

May 8, 2026
Global Soccer Development and Cadiz CF announce inaugural International Youth Tournament – The Cadiz Global Cup

Global Soccer Development and Cadiz CF announce inaugural International Youth Tournament – The Cadiz Global Cup

February 18, 2025

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio