Beware! Where will account security go under the Google OAuth vulnerability?

Industry Information 04 Feb 2025 12:54:15 PM By: DN domain name editor
Abstract:

Recently, trufflesecurity published an article pointing out that there is a vulnerability in Google's OAuth, which allows others to purchase the domain names of defunct startups and use them to create email accounts for former employees.

Recently, trufflesecurity published an article pointing out that there is a vulnerability in Google's OAuth: anyone can purchase the domain name of a defunct startup and use it to create email accounts for former employees. Although old email data cannot be recovered this way, these accounts can be used to log in to the various SaaS products the organization used.

The root cause of this vulnerability is that Google's OAuth login does not account for changes in domain name ownership. When someone purchases the domain name of a defunct company, the accounts they create present the same claims as the original ones, and they gain access wherever those claims alone grant it to former employees.


The article also lists some figures: there are currently 6 million Americans working in technology startups, 90% of technology startups will eventually fail, and 50% of them rely on Google Workspace for email. By analyzing Crunchbase's startup data set, the authors found that more than 100,000 domain names from failed startups are available for purchase. If the average failed startup has 10 employees and uses 10 different SaaS services, this could mean access to sensitive data in more than 10 million accounts.


Google's OAuth login typically includes claims such as "hd" (hosted domain) and "email", which service providers rely on to decide whether a user may log in. The problem is that a service relying solely on these two claims cannot distinguish the original employee from the new domain owner: both present the same "hd" and "email" values, so a change in domain ownership is invisible to it.

Google has revisited the issue and paid a bounty, but the fix was still unclear when trufflesecurity published the article. Downstream providers will have difficulty preventing this vulnerability until Google improves the OIDC claims, and users who sign in through a non-Google SSO path are at risk of having their password resets hijacked. Startups can disable password login and enable SSO with 2FA, and service providers can add verification to the password reset flow. In short, Google OAuth has a weakness that poses a potential threat to user data and account security.
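To make the "relying solely on hd and email" problem concrete, the following is an added example (not code from the trufflesecurity article or from Google) of how a SaaS provider's login handler can be written. It contrasts a weak check that admits anyone whose token carries the expected "hd" and "email" with a stricter one that binds each local account to the token's subject identifier ("sub") at first login and refuses later logins whose "sub" differs. It assumes the identity provider's "sub" is stable per user, as the OIDC specification requires, and that the token's signature, issuer, audience and expiry have already been verified upstream; the claim dictionaries below are constructed sample input.

```python
"""Account-linking checks for an OIDC login (added example, defender's view).

Constructed scenario: a former employee of a now-defunct company logged in
once with Google SSO; later, a new owner of the same domain creates a mailbox
with the same address and presents a token with identical "hd" and "email".
"""
from dataclasses import dataclass, field


class LoginError(Exception):
    """Raised when a token must not be accepted for the requested account."""


@dataclass
class Account:
    email: str
    hd: str
    sub: str  # subject identifier recorded at first SSO login (assumed stable)


@dataclass
class AccountStore:
    allowed_hd: str
    accounts: dict[str, Account] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def _require(self, claims: dict, *names: str) -> None:
        # Signature/iss/aud/exp are assumed verified before we get here;
        # this only checks that the claims we make decisions on are present.
        for name in names:
            if name not in claims:
                raise LoginError(f"missing claim: {name}")
        if claims.get("email_verified") is not True:
            raise LoginError("email_verified is not true")

    def login_weak(self, claims: dict) -> Account:
        """The pattern the article warns about: hd + email decide everything."""
        self._require(claims, "hd", "email", "email_verified")
        if claims["hd"] != self.allowed_hd:
            raise LoginError("hosted domain not allowed")
        email = claims["email"].lower()
        # Any token for this address is treated as the same person.
        return self.accounts.setdefault(
            email, Account(email=email, hd=claims["hd"], sub="")
        )

    def login_strict(self, claims: dict) -> Account:
        """Bind the account to "sub" at first login; reject a later mismatch."""
        self._require(claims, "hd", "email", "email_verified", "sub")
        if claims["hd"] != self.allowed_hd:
            raise LoginError("hosted domain not allowed")
        email = claims["email"].lower()
        account = self.accounts.get(email)
        if account is None:
            # First sight of this address: record the subject identifier.
            account = Account(email=email, hd=claims["hd"], sub=claims["sub"])
            self.accounts[email] = account
            return account
        if account.sub != claims["sub"]:
            # Same address and domain, different subject: the signal of a
            # domain that changed hands. Log it and require re-verification
            # by an administrator instead of silently granting access.
            self.audit.append(
                f"sub mismatch for {email}: stored={account.sub} "
                f"presented={claims['sub']}"
            )
            raise LoginError("subject identifier does not match stored account")
        return account


def simulate_domain_takeover() -> tuple[bool, bool, int]:
    """Run both checks against the constructed scenario.

    Returns (weak_check_admitted_new_owner, strict_check_admitted_new_owner,
    number_of_audit_events_from_strict_check).
    """
    original = {"hd": "example-startup.test", "email": "alice@example-startup.test",
                "email_verified": True, "sub": "sub-original-00001"}
    new_owner = {"hd": "example-startup.test", "email": "alice@example-startup.test",
                 "email_verified": True, "sub": "sub-new-owner-99999"}

    weak = AccountStore(allowed_hd="example-startup.test")
    weak.login_weak(original)
    weak_admitted = weak.login_weak(new_owner) is not None

    strict = AccountStore(allowed_hd="example-startup.test")
    strict.login_strict(original)
    try:
        strict.login_strict(new_owner)
        strict_admitted = True
    except LoginError:
        strict_admitted = False
    return weak_admitted, strict_admitted, len(strict.audit)


if __name__ == "__main__":
    print(simulate_domain_takeover())
```

The strict path is only as good as the provider's subject identifier; the audit entry it writes on a mismatch is the detection hook, and an organisation that disables password login in favour of SSO with 2FA, as the article recommends, removes the password-reset route that the mismatch would otherwise leave open.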
