Ethical Hacking News
Google has identified a critical security flaw in its OAuth "Sign in with Google" feature that allows attackers to gain access to sensitive data of former employee accounts linked to various software-as-a-service (SaaS) platforms. This vulnerability poses a significant threat to millions of individuals and companies worldwide, highlighting the need for proactive measures to secure sensitive data and prevent identity theft.
Google has identified a critical security flaw in its OAuth "Sign in with Google" feature that allows attackers to gain access to former employee accounts linked to various software-as-a-service (SaaS) platforms. By purchasing a defunct domain, an attacker can log into SaaS platforms, extract sensitive data from HR systems, and impersonate former employees. The problem lies in Google's OAuth system, whose sub claim has an inconsistency rate of roughly 0.04%, which forces downstream services to disregard it entirely. Proposed solutions include introducing immutable identifiers, cross-referencing domain registration dates, and enforcing admin-level approvals for account access. These proposed solutions come with costs, technical complications, and login friction, so companies have little incentive to implement them.
In a shocking revelation, Google has identified a critical security flaw in its OAuth "Sign in with Google" feature that allows attackers to gain access to sensitive data of former employee accounts linked to various software-as-a-service (SaaS) platforms. This vulnerability, discovered by Trufflesecurity researchers, poses a significant threat to millions of individuals and companies worldwide.
The issue arises when an attacker purchases the domain of a defunct startup and uses it to re-create email accounts for former employees. Although creating clone emails does not grant the new owner access to the previous owners' past communications, these accounts can be used to log back in to services such as Slack, Notion, Zoom, ChatGPT, and various human resources (HR) platforms.
Trufflesecurity researcher Dylan Ayrey demonstrated that by purchasing a defunct domain and accessing SaaS platforms, it is possible to extract sensitive data from HR systems (tax documents, insurance information, and social security numbers), and log into various services. Furthermore, he discovered that there were 116,481 domains available for purchase in the Crunchbase database of now-defunct startups.
The root of the problem lies in Google's OAuth system, where a sub claim is intended to provide a unique and immutable identifier for each user across logins. However, there’s an inconsistency rate of roughly 0.04% in the sub claim, forcing downstream services like Slack and Notion to disregard it entirely and solely rely on email and hosted domain claims.
The email claim is tied to the user's email address, while the hosted domain claim is tied to ownership of the domain. This means that whoever purchases the defunct domain of a former employee inherits both claims and can then impersonate that former employee on SaaS platforms.
To mitigate this risk, researchers propose introducing immutable identifiers, such as a unique and permanent user ID and a unique workspace ID tied to the original organization. Additionally, SaaS providers could implement measures like cross-referencing domain registration dates, enforcing admin-level approvals for account access, or using secondary factors for identity verification.
However, these proposed solutions come with costs, technical complications, and login friction. Moreover, they would protect former rather than current paying customers, so the incentive to implement them is low.
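The account-binding checks proposed above (prefer the immutable `sub`, cross-reference the domain registration date, fall back to admin approval), as an added example that is not part of the original article or of any vendor's code; `evaluate_login`, `StoredAccount`, the WHOIS-derived `domain_registered_at` argument and the sample claims are assumptions constructed for illustration, and the function runs only after the ID token's signature, issuer, audience and expiry have already been verified elsewhere:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    ADMIN_APPROVAL = "admin_approval"  # the article's "admin-level approval" step
    DENY = "deny"

@dataclass
class StoredAccount:
    email: str
    hd: str                  # hosted-domain claim captured at first login
    sub: Optional[str]       # Google's immutable user id, if ever captured
    created_at: datetime     # when this SaaS account was first provisioned

def evaluate_login(claims: dict, account: Optional[StoredAccount],
                   domain_registered_at: Optional[datetime]) -> Decision:
    """Decide whether a verified Google ID token may use an existing account.
    `claims` is the id_token payload AFTER signature, iss, aud and exp were
    checked elsewhere; `domain_registered_at` is the domain's current WHOIS/RDAP
    registration date, looked up by the caller (hypothetical helper)."""
    if not claims.get("email_verified"):
        return Decision.DENY
    if account is None:
        return Decision.ALLOW  # new user: provisioning path; persist `sub` now
    # Domain (re)registered after the account existed: defunct-domain takeover.
    if domain_registered_at is not None and domain_registered_at > account.created_at:
        return Decision.DENY
    # Prefer the immutable identifier whenever we have one on record.
    if account.sub is not None and claims.get("sub") == account.sub:
        return Decision.ALLOW
    # email + hd alone (sub missing or mismatched, e.g. the ~0.04% inconsistency)
    # is not enough: hold the session until an admin approves it.
    if claims.get("email") == account.email and claims.get("hd") == account.hd:
        return Decision.ADMIN_APPROVAL
    return Decision.DENY

# Constructed sample data (not from any real tenant or token).
OLD_REG = datetime(2019, 1, 1, tzinfo=timezone.utc)   # domain registered before the account
NEW_REG = datetime(2025, 1, 10, tzinfo=timezone.utc)  # domain re-bought after the startup folded
ACCOUNT = StoredAccount("alice@example-startup.test", "example-startup.test",
                        sub="100000000000000000001",
                        created_at=datetime(2021, 3, 1, tzinfo=timezone.utc))
LEGIT = {"sub": ACCOUNT.sub, "email": ACCOUNT.email, "hd": ACCOUNT.hd, "email_verified": True}
TAKEOVER = {"sub": "200000000000000000002", "email": ACCOUNT.email, "hd": ACCOUNT.hd,
            "email_verified": True}
```

The registration-date check is what stops the resurrected-domain case even when a provider never stored `sub`; the admin-approval branch keeps the 0.04% of legitimate users with a changed `sub` from being locked out outright.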
The problem impacts millions of people and thousands of companies, and it only grows larger with time. Roughly 50% of those companies use Google Workspace for email, meaning their employees log in to productivity tools using their Gmail accounts. Therefore, it is crucial that individuals and companies take proactive measures to secure their sensitive data.
As the threat landscape continues to evolve, it is essential to remain vigilant and proactive in protecting against identity theft and other cybersecurity threats. By understanding the complexities of this vulnerability and taking steps to mitigate it, we can work together to create a safer online environment for everyone.
Related Information:
https://www.bleepingcomputer.com/news/security/google-oauth-flaw-lets-attackers-gain-access-to-abandoned-accounts/
https://cybersecuritynews.com/google-oauth-vulnerability/
Published: Tue Jan 14 12:33:32 2025 by llama3.2 3B Q4_K_M