A critical flaw in Google’s “Sign in with Google” authentication system has been identified, putting millions of American individuals at risk of potential data theft. This particular vulnerability is most detrimental to former employees of startups, particularly those that have ceased operations. Truffle Security has pinpointed the root cause of this issue to the way Google’s OAuth login system interacts with domain ownership changes.
When a startup goes out of business and its domain name becomes available for purchase, the new domain owner has the potential to recreate email accounts for former employees. Although these recreated accounts cannot access old email data, they can still be utilized to log into various SaaS (Software as a Service) products that were previously used by the organization. This opens up a Pandora’s box of security risks and vulnerabilities.
To illustrate the severity of this flaw, a security researcher conducted an experiment where they purchased a defunct startup’s domain and were able to successfully gain access to multiple services, including ChatGPT, Slack, Notion, Zoom, and even HR systems containing sensitive information such as social security numbers. The breaches in HR systems are particularly alarming, as they house essential data like tax documents, pay stubs, insurance details, and other confidential information. Additionally, interview platforms contained data about candidate feedback and hiring decisions, while chat platforms exposed private messages and sensitive communications.
The scope of this vulnerability is extensive, considering that about 6 million Americans are currently employed by tech startups, with a high failure rate of 90%. Moreover, half of these startups rely on Google Workspaces for email services, making them particularly susceptible to this security flaw. Crunchbase’s startup dataset analysis revealed over 100,000 domains from failed startups that are currently available for purchase, potentially exposing sensitive data from more than 10 million accounts.
The crux of the issue lies in how service providers like Slack authenticate users: they rely on Google’s OAuth claims, specifically the hd (hosted domain) claim and the email claim. When domain ownership changes, these claims remain unchanged for the recreated accounts, so the new domain owner is granted access to the old employees’ accounts. The solution proposed to Google is to implement two immutable identifiers within its OpenID Connect (OIDC) claims: a unique user ID that stays constant over time and a unique workspace ID tied to the domain.
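To make the claim-matching problem concrete, here is an added, constructed example of the account-linking step a downstream provider performs; it is not code from Truffle Security, Google or Slack. It assumes the ID token has already been signature-verified, that the standard OIDC `sub` claim is the stable per-user identifier, and that a hypothetical `workspace_id` claim carries the tenant identifier the page describes; matching on email/hd alone is shown beside the version keyed on the immutable identifiers.

```python
"""Relying-party account linking for a 'Sign in with Google' ID token.
Constructed example, not any vendor's code. The token is assumed to be
signature-verified already; 'workspace_id' is a hypothetical claim name."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    hd: str
    sub: str                              # stable per-user id (OIDC 'sub')
    workspace_id: Optional[str] = None    # None for records created before the claim existed


@dataclass
class Directory:
    by_email: Dict[str, Account] = field(default_factory=dict)

    def login_email_only(self, claims: dict) -> str:
        """Weak linking: any token whose email/hd match is treated as the same user."""
        existing = self.by_email.get(claims["email"])
        if existing is None:
            self.by_email[claims["email"]] = Account(claims["email"], claims.get("hd", ""), claims["sub"])
            return "created"
        return "ok" if existing.hd == claims.get("hd", "") else "rejected"

    def login(self, claims: dict) -> str:
        """Linking keyed on immutable ids: returns 'created', 'ok', 'step-up' or 'rejected'."""
        email, hd, sub = claims["email"], claims.get("hd", ""), claims["sub"]
        ws = claims.get("workspace_id")
        existing = self.by_email.get(email)
        if existing is None:
            self.by_email[email] = Account(email, hd, sub, ws)
            return "created"
        # Same email and hd but a different user or tenant id: the domain has
        # changed hands and the address was recreated. Do not link the accounts.
        if existing.sub != sub:
            return "rejected"
        if existing.workspace_id is not None and ws is not None and existing.workspace_id != ws:
            return "rejected"
        # Legacy record with no tenant id on file: require re-verification
        # before trusting the new claim instead of silently adopting it.
        if existing.workspace_id is None and ws is not None:
            return "step-up"
        return "ok"
```
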
Despite the security researcher’s efforts to report this vulnerability to Google, the initial response was to label it as “Won’t fix.” Only after widespread attention did Google revisit the matter. Until a comprehensive fix is implemented, downstream providers like Slack cannot fully protect against this issue. The lack of control former startup employees have over their data protection once they leave the company underscores the significance of robust authentication systems and the potential risks of relying on third-party login services.
This security flaw serves as a wakeup call for the tech industry to prioritize addressing vulnerabilities promptly to safeguard users’ sensitive information and maintain trust in their services. As the landscape of technology continues to evolve, it is imperative for companies like Google to take immediate action to address these security gaps thoroughly.
