Exposed: Critical Google OAuth Bug Lets Hackers Hijack Abandoned Corporate Accounts

Security Flaw in Google OAuth Puts Former Startup Employees at Risk

A significant vulnerability in Google’s “Sign in with Google” OAuth system could allow malicious actors to access sensitive data by acquiring the domains of defunct startups. The security flaw, discovered by Truffle Security researchers, enables attackers to recreate the email accounts of former employees and use them to log in to various SaaS platforms.

Key Findings:
– Over 116,481 defunct startup domains are currently available for purchase
– Affected services include Slack, Notion, Zoom, ChatGPT, and HR platforms
– Attackers can potentially access tax documents, insurance information, and social security numbers

Technical Details:
The vulnerability stems from inconsistencies in the sub claim of Google’s OAuth ID tokens, which is meant to provide a unique and stable identifier for each user. Because the sub claim is inconsistent in about 0.04% of cases, many SaaS platforms instead rely solely on the email and hosted domain (hd) claims to identify users; whoever controls the domain can therefore reproduce those claims, which is what makes these platforms vulnerable.

Impact and Scale:
– Affects millions of former startup employees
– 6 million Americans currently work in tech startups
– 90% of startups statistically fail
– 50% use Google Workspace

Google’s Response:
Initially dismissing the issue as fraud-related, Google later awarded a $1,337 bounty to researchers. The company recommends proper domain closure procedures but has not yet fixed the vulnerability.

Proposed Solutions:
– Implementation of immutable identifiers
– Cross-referencing domain registration dates
– Enhanced admin-level approval systems
– Secondary identity verification factors
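To make the Technical Details and the first two proposed solutions concrete, the following is an added example (not code from the article or from Truffle Security) of how a relying party might resolve a Google login. It contrasts the email/hd lookup described above with a lookup keyed on the immutable sub claim, falling back to email only when a constructed WHOIS-style registration date shows the domain has not changed hands; all account records, token payloads and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    sub: str       # Google's immutable per-user identifier from the ID token
    email: str     # email claim; reusable once the domain changes hands
    hd: str        # hosted-domain claim (the Workspace domain)
    linked: date   # when this account was first linked to our service

# Constructed record: the original employee linked her account in 2022.
ACCOUNTS = [Account("108123456789", "alice@example-startup.com",
                    "example-startup.com", date(2022, 3, 1))]

# Constructed decoded ID-token payloads (signature verification assumed done).
ORIGINAL_LOGIN = {"sub": "108123456789", "email": "alice@example-startup.com",
                  "hd": "example-startup.com"}
# Same email and hd, but a freshly created Workspace user gets a new sub.
RECREATED_LOGIN = dict(ORIGINAL_LOGIN, sub="117999888777")

# Constructed WHOIS-style registration dates for two scenarios.
DOMAIN_STILL_OWNED = {"example-startup.com": date(2019, 6, 1)}
DOMAIN_REREGISTERED = {"example-startup.com": date(2024, 11, 15)}

def lookup_by_email(claims: dict) -> Optional[Account]:
    """Pattern the article describes: email + hd alone identify the user."""
    return next((a for a in ACCOUNTS if a.email == claims.get("email")
                 and a.hd == claims.get("hd")), None)

def resolve_account(claims: dict, registered: dict) -> tuple[Optional[Account], str]:
    """Hardened lookup: immutable sub first, email fallback gated on WHOIS date."""
    for acct in ACCOUNTS:
        if acct.sub == claims["sub"]:
            return acct, "matched-sub"
    # Fallback for the rare case where Google's sub differs for the same user:
    # accept email + hd only if the domain was not registered after the link.
    for acct in ACCOUNTS:
        if acct.email == claims.get("email") and acct.hd == claims.get("hd"):
            reg = registered.get(acct.hd)
            if reg is not None and reg > acct.linked:
                return None, "domain-reregistered"
            return acct, "matched-email"
    return None, "unknown"
```

The email-only lookup hands the recreated user the original account, while the hardened lookup accepts the original sub, rejects the recreated user when the domain was re-registered after the account was linked, and only falls back to email when the registration predates the link.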

Preventive Measures:
Users should remove sensitive data when leaving startups and avoid using work accounts for personal registrations to minimize potential exposure.
