New research has revealed a vulnerability in Google’s “Sign in with Google” authentication system that can be exploited through a quirk in domain ownership. Truffle Security discovered that if an attacker buys a defunct startup’s domain, they could potentially access old employee accounts linked to various applications like Slack, Zoom, and HR systems. While the flaw does not provide direct access to old email data, it enables unauthorized login to a range of SaaS platforms, putting millions of American users’ data at risk.
The vulnerability stems from how Google’s OAuth system uses domain ownership and user email addresses to authenticate users. When an account is closed, its associated domain might be sold or re-registered, allowing an attacker to create new email accounts linked to the same domain. This gives the attacker the ability to access accounts on third-party services, which may store sensitive information like tax documents, social security numbers, and candidate feedback from interview platforms. According to Truffle Security, HR systems, in particular, contained highly sensitive information.
Although Google initially dismissed the issue, claiming it was intended behavior, the company re-opened the bug report after being informed of its potential impact. As of December 2024, Google had awarded the researcher a bounty for the discovery and acknowledged that the vulnerability could cause significant harm. Google has also suggested that users follow security best practices, including deleting user data when an account is closed, to reduce the risk of such breaches, and recommended that downstream software providers add safeguards by keying accounts on unique, immutable account identifiers rather than email addresses to prevent unauthorized access.
The vulnerability highlights the challenges companies face when managing user data, especially when it involves third-party applications and services. As Truffle Security co-founder Dylan Ayrey points out, once an individual is off-boarded from a startup, they lose control over the security of their accounts. The absence of immutable user identifiers in many systems, like Google’s OAuth, makes it easier for domain ownership changes to compromise user accounts. This issue underscores the need for stronger, more secure authentication practices in the digital age.
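The recommendation above (key accounts on a unique identifier, not on the email address or domain) is what the following example illustrates. It is an added example, not code from Truffle Security or Google. It assumes the ID token has already been signature- and audience-verified by an OIDC library and arrives as a dict of claims; the claim names (`iss`, `sub`, `email`, `email_verified`, `hd`) are the standard OpenID Connect / Google ones, and `sub` is the immutable per-account subject identifier Google issues. The user records and token claims are constructed sample data. The weak, email-keyed lookup is shown beside the hardened, subject-keyed one so the difference in outcome for a re-registered domain is visible.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Issuer values Google uses in its ID tokens (both forms are documented).
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class LoginRejected(Exception):
    """Raised when the claims cannot be safely mapped to a local account."""


@dataclass
class User:
    user_id: int
    issuer: str
    sub: str           # immutable subject identifier from the IdP
    email: str         # mutable; informational only, never a lookup key
    hd: Optional[str]  # hosted (Workspace) domain, if any


@dataclass
class UserStore:
    users: List[User] = field(default_factory=list)

    def find_by_subject(self, issuer: str, sub: str) -> Optional[User]:
        return next((u for u in self.users if u.issuer == issuer and u.sub == sub), None)

    def find_by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def create(self, claims: Dict) -> User:
        user = User(
            user_id=len(self.users) + 1,
            issuer=claims["iss"],
            sub=claims["sub"],
            email=claims["email"],
            hd=claims.get("hd"),
        )
        self.users.append(user)
        return user


def _check_basic_claims(claims: Dict) -> None:
    """Sanity checks that both lookup strategies share."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise LoginRejected("untrusted issuer")
    if not claims.get("sub"):
        raise LoginRejected("missing subject identifier")
    if not claims.get("email") or not claims.get("email_verified", False):
        raise LoginRejected("e-mail missing or not verified by the IdP")


def login_email_keyed(store: UserStore, claims: Dict) -> User:
    """The weak pattern: account lookup keyed on the e-mail address.

    Any Google-verified mailbox with this address, including one created
    under a re-registered domain, maps onto the previous owner's account.
    """
    _check_basic_claims(claims)
    existing = store.find_by_email(claims["email"])
    return existing if existing is not None else store.create(claims)


def login_subject_keyed(store: UserStore, claims: Dict) -> User:
    """The hardened pattern: account lookup keyed on (iss, sub).

    A new Workspace user at a re-registered domain receives a fresh sub, so
    the old account is never returned. An e-mail match with a different sub
    is surfaced as a collision for review instead of being silently linked.
    """
    _check_basic_claims(claims)
    existing = store.find_by_subject(claims["iss"], claims["sub"])
    if existing is not None:
        existing.email = claims["email"]  # keep in sync, but never use as a key
        return existing
    if store.find_by_email(claims["email"]) is not None:
        raise LoginRejected("e-mail already belongs to a different subject; refusing to link")
    return store.create(claims)


# Constructed sample data: a former employee's account, and a later token
# presented by a new Workspace user at the same (re-registered) domain.
FORMER_EMPLOYEE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}
DOMAIN_TAKEOVER_CLAIMS = {**FORMER_EMPLOYEE_CLAIMS, "sub": "100000000000000000002"}


def seed_store() -> UserStore:
    """A store holding only the former employee's account."""
    store = UserStore()
    store.create(FORMER_EMPLOYEE_CLAIMS)
    return store


if __name__ == "__main__":
    print("email-keyed   ->", login_email_keyed(seed_store(), DOMAIN_TAKEOVER_CLAIMS).user_id)
    try:
        login_subject_keyed(seed_store(), DOMAIN_TAKEOVER_CLAIMS)
    except LoginRejected as exc:
        print("subject-keyed ->", exc)
```

Run as a script, the email-keyed lookup returns the former employee's account (user_id 1) for the new token, while the subject-keyed lookup refuses to link it. The `hd` claim is stored for reference only: a domain can change hands exactly as the article describes, so it is no better a key than the email address.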