Beware! Where will account security go under the Google OAuth vulnerability?

Industry Information 04 Feb 2025 12:54:15 PM By:DN domain name editor
Abstract:

Recently, trufflesecurity published an article pointing out that there is a vulnerability in Google's OAuth, which allows others to purchase the domain names of defunct startups and use them to create email accounts for former employees.

Recently, trufflesecurity published an article pointing out that there is a vulnerability in Google's OAuth, which allows others to purchase the domain name of a defunct startup and use it to create email accounts for former employees. Although old email data cannot be obtained, these accounts can be used to log in to the various SaaS products the organization used.

The root cause of this vulnerability is that Google's OAuth login does not account for changes in domain name ownership. When someone purchases the domain name of a defunct company, they can present the same claims and gain access to the accounts of former employees.


The article also lists some facts: there are currently 6 million Americans working in technology startups, 90% of technology startups will eventually fail, and 50% of them rely on Google Workspace for email services. By analyzing Crunchbase's startup data set, it was found that more than 100,000 domain names from failed startups can be purchased. If the average failed startup has 10 employees and uses 10 different SaaS services, then this could involve access to sensitive data from more than 10 million accounts.


OAuth typically includes claims such as "hd" (hosted domain) and "email", which service providers rely on to determine whether a user can log in. The problem is that if a service relies solely on these two claims, it has no way to notice that ownership of the domain has changed: the new owner's tokens carry exactly the same "hd" and "email" values.

Google has revisited the issue and issued a bounty, but the fix was still unclear when trufflesecurity posted the article. Downstream providers will have difficulty preventing this vulnerability before Google improves the OIDC claims, and users who log in with a non-Google SSO are at risk of having their password resets hijacked. Startups can disable password login and enable SSO with 2FA, and service providers can add verification to the password reset flow. In short, Google OAuth has a vulnerability that poses a potential threat to user data and account security.
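To make the claim problem concrete, the following Python example (added here; it is not code from trufflesecurity, Google, or any named SaaS provider) contrasts the weak login check the article describes, which looks only at "hd" and "email", with a hardened check that additionally binds each account to the ID token's "sub" claim on first login. The "hd", "email", "email_verified" and "sub" claims are standard Google ID-token fields; the sample tokens, the domain defunct-startup.example and the "sub" values are constructed, and treating "sub" as a stable per-user identifier is an assumption of this example.

```python
"""Added example: bind a SaaS account to the OIDC 'sub' claim instead of
trusting the 'hd' + 'email' pair alone (constructed sample data throughout)."""
from dataclasses import dataclass, field

# Reason codes returned alongside each allow/deny decision.
R_EMAIL_UNVERIFIED = "email missing or not verified"
R_HD_NOT_ALLOWED = "hosted domain not allowed for this tenant"
R_NO_SUB = "subject identifier missing"
R_FIRST_LOGIN = "first login for this email; subject recorded"
R_SUB_MISMATCH = "subject differs from the one bound to this email (possible domain re-registration)"
R_OK = "claims accepted"


@dataclass
class AccountDirectory:
    """Per-tenant state: allowed hosted domains and email -> 'sub' bindings."""
    allowed_domains: set
    subjects_by_email: dict = field(default_factory=dict)


def _domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def legacy_check(claims, directory):
    """The weak pattern from the article: 'hd' and 'email' only.
    Anyone who re-registers the domain and recreates the mailbox passes."""
    email = claims.get("email", "").lower()
    hd = claims.get("hd", "").lower()
    if not claims.get("email_verified") or not email:
        return "deny", R_EMAIL_UNVERIFIED
    if hd != _domain_of(email) or hd not in directory.allowed_domains:
        return "deny", R_HD_NOT_ALLOWED
    return "allow", R_OK


def hardened_check(claims, directory):
    """Same claim checks, plus binding the account to the 'sub' claim
    (assumed here to be a stable per-user identifier)."""
    decision, reason = legacy_check(claims, directory)
    if decision == "deny":
        return decision, reason
    sub = claims.get("sub")
    if not sub:
        return "deny", R_NO_SUB
    email = claims["email"].lower()
    bound = directory.subjects_by_email.get(email)
    if bound is None:
        directory.subjects_by_email[email] = sub  # first login: record the binding
        return "allow", R_FIRST_LOGIN
    if bound != sub:
        return "deny", R_SUB_MISMATCH
    return "allow", R_OK


# Constructed sample claims: domain, email and 'sub' values are made up.
EMPLOYEE_TOKEN = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "hd": "defunct-startup.example",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
}
# Identical 'hd' and 'email', but issued for a Workspace created on the
# re-registered domain, so Google assigns a different 'sub'.
TAKEOVER_TOKEN = dict(EMPLOYEE_TOKEN, sub="100000000000000000099")


def run_scenario():
    """Returns the legacy and hardened decisions for both tokens."""
    directory = AccountDirectory(allowed_domains={"defunct-startup.example"})
    return {
        "legacy_employee": legacy_check(EMPLOYEE_TOKEN, directory)[0],
        "legacy_takeover": legacy_check(TAKEOVER_TOKEN, directory)[0],
        "hardened_employee": hardened_check(EMPLOYEE_TOKEN, directory)[0],
        "hardened_takeover": hardened_check(TAKEOVER_TOKEN, directory)[0],
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The legacy check accepts both tokens, since their "hd" and "email" values are identical; the hardened check accepts the original employee and rejects the token from the re-registered domain because its "sub" no longer matches the binding. Note the limit of this defense: it only protects accounts that logged in before the domain changed hands, and an email never seen by the provider still passes, which is why the article says downstream providers cannot fully close the gap until the OIDC claims themselves improve.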
