Source: www.securityweek.com – Author: Ionut Arghire
A vulnerability in Google’s OAuth implementation can be abused to take over the accounts of former employees of failed startups by purchasing their domains, according to a report from secrets scanning firm Truffle Security.
The issue is relatively straightforward: when purchasing a failed startup’s domain, anyone can re-create old employee e-mail accounts and use them to access the different SaaS products the startup used.
While re-creating an old employee e-mail account does not provide access to the data stored by Google, it could grant access to data stored on services such as Slack, Zoom, ChatGPT, and others, on HR systems and interview platforms, and to direct messages on chat platforms.
Purchasing such a domain and accessing these services could expose sensitive personal information, internal information, and other sensitive data, Truffle Security co-founder and CEO Dylan Ayrey warned.
Ayrey documented the discovery of more than 100,000 domains belonging to failed startups currently on sale, and suggests that approximately 10 million accounts potentially containing sensitive data may be at risk.
The underlying problem is that, when using ‘Sign in with Google’ to log in to a service, a set of claims about the user, including the hosted domain and user’s email address, is sent, so that the service provider can determine if the user should log in.
“Here’s the issue: if a service (e.g., Slack) relies solely on these two claims, ownership changes to the domain won’t look any different to Slack. When someone buys the domain of a defunct company, they inherit the same claims, granting them access to old employee accounts,” Ayrey explained.
Responding to a SecurityWeek inquiry, a Google spokesperson pointed out that any data leaks that may occur in this situation are the result of data not being erased by the startups when shutting down operations.
“We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation,” Google’s representative said.
“As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk,” the spokesperson added.
To protect against these risks, downstream providers have levers in place, such as a unique account identifier (sub) field within their applications, and unique-identifier keys per user, so that specific data is not accessible to other entities.
According to Ayrey, however, the ‘sub’ claim is inconsistent and unreliable, and cannot be used to uniquely identify users, meaning that services mainly rely on the ‘email’ and ‘hosted domain’ claims to identify users.
Ayrey proposes the implementation of two immutable identifiers within Google’s OpenID Connect (OIDC) claims, namely a unique user ID and a unique workspace ID tied to the domain, saying that downstream providers cannot protect user data without them.
The researcher reported the issue to Google in late September 2024 and was initially informed that this was intended behavior. In December, however, the internet giant re-opened the ticket and paid a $1,337 bug bounty reward, saying that a fix was in the works, Ayrey notes.
In a follow-up email, Google pointed out to SecurityWeek that no fix was necessary for the reported issue, as the ‘sub’ claim is a strong and appropriate protection.
“The ‘sub field’ is the immutable identifier that the researcher is calling for – we strongly urge developers to use it to provide extra protection,” a Google representative said.
The spokesperson also noted that the internet giant has no evidence to support the claim that “the sub field is not an immutable and unique identifier.”
The company also updated its documentation on OAuth, which explicitly reads: “when implementing your account management system, you shouldn’t use the email field in the ID token as a unique identifier for a user. Always use the sub field as it is unique to a Google Account even if the user changes their email address.”
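As an added illustration of the two account-lookup patterns discussed above (example code, not from Google, Truffle Security or SecurityWeek), the snippet below models a SaaS provider mapping a verified Google ID token's claims to a local account. All claim values and account records are constructed, and it assumes, as Google states, that a mailbox re-created under a new owner of the domain carries a different `sub`.

```python
# Added example, not code from Google, Truffle Security or SecurityWeek.
# Models how a SaaS provider maps claims from an already-verified Google ID
# token to a local account. Claim values and account records are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    sub: str    # Google's per-account identifier, recorded at first login
    email: str
    hd: str     # hosted (Workspace) domain at the time of provisioning


@dataclass
class Store:
    by_email: dict = field(default_factory=dict)  # (hd, email) -> Account
    by_sub: dict = field(default_factory=dict)    # sub -> Account

    def provision(self, acct: Account) -> None:
        self.by_email[(acct.hd, acct.email.lower())] = acct
        self.by_sub[acct.sub] = acct


def login_by_email_and_hd(store: Store, claims: dict):
    """Weak pattern from the article: the account is keyed on 'hd' and 'email'
    alone. Whoever later controls the domain and re-creates the mailbox
    presents the same two claims and is handed the old employee's account."""
    return store.by_email.get((claims["hd"], claims["email"].lower()))


def login_by_sub(store: Store, claims: dict):
    """Hardened pattern from Google's documentation: key on 'sub'. A mailbox
    re-created under a new tenant has a different 'sub', so the lookup misses
    and the caller must treat the login as a brand-new user, not a returning one."""
    return store.by_sub.get(claims["sub"])


def scenario():
    """Constructed walk-through: the original employee's token, then a token
    issued after the startup's domain was bought and the mailbox re-created."""
    store = Store()
    store.provision(Account("alice", "sub-original-0001", "alice@defunct.example", "defunct.example"))
    original = {"sub": "sub-original-0001", "email": "alice@defunct.example", "hd": "defunct.example"}
    after_sale = {"sub": "sub-newtenant-7777", "email": "alice@defunct.example", "hd": "defunct.example"}
    return {
        "email_original": login_by_email_and_hd(store, original),
        "email_after_sale": login_by_email_and_hd(store, after_sale),  # old account leaks
        "sub_original": login_by_sub(store, original),
        "sub_after_sale": login_by_sub(store, after_sale),  # None: treat as new user
    }
```

The email-keyed lookup returns Alice's account for both tokens, while the `sub`-keyed lookup returns it only for the original token and nothing for the post-sale one.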
*Updated with additional clarification from Google.
Original Post URL: https://www.securityweek.com/google-oauth-flaw-leads-to-account-takeover-when-domain-ownership-changes/
Category & Tags: Email Security, Vulnerabilities, email takeover, google, OAuth, Truffle Security