Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Dark Secret Behind Google's OAuth: How Failed Startup Domains Can Compromise Millions



A critical vulnerability has been discovered in Google's OAuth system that can be exploited by taking over the domain of a failed startup. This could expose millions of users' sensitive data, including tax documents, pay stubs, insurance information, social security numbers, and more. The issue stems from a quirk in domain ownership: the identity that downstream services receive is tied to the domain rather than to an immutable identifier, so those services have no protection of their own against a change in who controls the domain. Companies must take immediate action to address this issue and implement robust security measures to protect user data.

  • Google's OAuth system has been found to be vulnerable to a previously unknown exploit due to a quirk in domain ownership.
  • An attacker can gain unauthorized access to old employee accounts by purchasing a failed startup domain associated with the defunct organization.
  • The vulnerability allows attackers to log into sensitive accounts, including those holding tax documents, pay stubs, and social security numbers.
  • Google's OAuth implementation relies on domain ownership, which can be exploited by an attacker gaining control over the domain.
  • The issue was initially dismissed as intended behavior but has since been acknowledged and addressed by Google.
  • The vulnerability highlights the need for greater security measures to protect user data and the importance of regular cybersecurity audits and testing.



Google's OAuth system, designed to provide a secure way for users to grant access to their information on other websites and applications, has been found to be vulnerable to a previously unknown exploit. According to Truffle Security, a company that specializes in cybersecurity research, the issue lies in Google's "Sign in with Google" authentication flow, which can be manipulated by exploiting a quirk in domain ownership.

The problem arises when an attacker purchases the domain of a failed startup and thereby gains unauthorized access to the old employee accounts on the various applications the organization used. This lets them log into all the different SaaS products the organization relied on, including HR systems. The most sensitive of those accounts held tax documents, pay stubs, insurance information, social security numbers, and more.

The issue is caused by a quirk in Google's OAuth implementation, which relies on the domain ownership of the user. When a service uses Google's "Sign in with Google" authentication flow, it receives a set of claims about the user, including their email address and hosted domain. Services use this information to log users into their accounts. However, if the domain changes hands, whoever now controls it can re-create those email addresses and thereby regain access to old employee accounts.
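To make the account-linking point concrete, here is an added example in Python; it is not code from Truffle Security, Google, or this article. It assumes a SaaS relying party that receives the claims from a Google ID token: the email address and hosted domain ("hd") named above, plus the standard OIDC subject identifier ("sub"), treated here as the stable per-user identifier the article says is needed. It contrasts a lookup keyed on the email address with one that also requires the subject recorded at first sign-in to match, and records an audit event when a known address arrives with a different subject.

```python
from dataclasses import dataclass


@dataclass
class Account:
    sub: str    # OIDC subject identifier recorded at first sign-in
    email: str
    role: str


# Constructed sample store for the relying party: Alice linked her account
# while the startup still owned example-startup.test (a made-up domain).
ACCOUNTS = {
    "alice@example-startup.test": Account("1001", "alice@example-startup.test", "hr-admin"),
}

# Constructed ID-token claims. The second set is the same address re-created
# under the repurchased domain: same email and hd, but a new subject.
ORIGINAL_LOGIN = {"sub": "1001", "email": "alice@example-startup.test", "hd": "example-startup.test"}
RECREATED_LOGIN = {"sub": "2002", "email": "alice@example-startup.test", "hd": "example-startup.test"}


def login_by_email(claims, accounts=ACCOUNTS):
    """Vulnerable pattern: identity is the email (and hd) alone, so whoever
    controls the domain and re-creates the mailbox is treated as the old user."""
    return accounts.get(claims["email"])


def login_by_subject(claims, accounts=ACCOUNTS, audit=None):
    """Hardened pattern: the subject stored at first sign-in must also match.
    A re-created account on the same domain is refused and logged for review."""
    record = accounts.get(claims["email"])
    if record is None:
        return None  # unknown user: route to invite/onboarding, never silent linking
    if record.sub != claims["sub"]:
        if audit is not None:
            audit.append(
                f"subject mismatch for {claims['email']}: "
                f"stored {record.sub}, presented {claims['sub']}"
            )
        return None
    return record
```

The audit entries are the signal a defender would alert on: a previously linked address presenting a new subject is exactly what a re-created mailbox on a repurchased domain looks like.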

Truffle Security co-founder and CEO Dylan Ayrey pointed out that this is not a new issue and has been known for some time. "Google's OAuth login doesn't protect against someone purchasing a failed startup's domain and using it to re-create email accounts for former employees," he said in a recent report.

The problem was initially dismissed by Google as intended behavior, but the company reopened the bug report after Truffle Security pointed out that it could be exploited. As of December 19, 2024, Google had awarded Ayrey a bounty of $1,337 and classified the issue as an "abuse-related methodology with high impact."

No protections exist against this vulnerability because downstream software providers cannot prevent it on their own: the weakness lies in Google's OAuth implementation, which relies on the domain ownership of the user.

Ayrey emphasized the potential risks associated with this vulnerability. "As an individual, once you've been off-boarded from a startup, you lose your ability to protect your data in these accounts, and you are subject to whatever fate befalls the future of the startup and domain," he said. "Without immutable identifiers for users and workspaces, domain ownership changes will continue to compromise accounts."

This vulnerability highlights the need for greater security measures to protect user data. As more and more companies move their services online, it is essential that we prioritize data protection and implement robust security protocols.

The discovery of this vulnerability also underscores the importance of regular cybersecurity audits and testing. Companies must conduct thorough checks on their systems and software to identify potential weaknesses before they can be exploited.

In conclusion, Google's OAuth system has been found to have a significant vulnerability that can compromise millions of users' data. The issue stems from a quirk in domain ownership against which downstream services have no protections of their own. Companies must take immediate action to address this issue and implement robust security measures to protect user data.



Related Information:

  • https://thehackernews.com/2025/01/google-oauth-vulnerability-exposes.html


  • Published: Tue Jan 14 13:38:39 2025 by llama3.2 3B Q4_K_M