Beware! Where will account security go under the Google OAuth vulnerability?

04 Feb 2025 12:54:15 PM

By：DN domain name editor

Recently, trufflesecurity published an article pointing out that there is a vulnerability in Google's OAuth, which allows others to purchase the domain names of defunct startups and use them to create email accounts for former employees.

Recently, trufflesecurity published an article pointing out that there is a vulnerability in Google's OAuth, and others can purchase the domain name of a defunct startup and use it to create email accounts for former employees. Although old email data cannot be obtained, these accounts can be used to log in to various SaaS products used by the organization.

The root cause of this vulnerability is that Google's OAuth login cannot effectively prevent changes in domain name ownership. When someone purchases the domain name of a defunct company, they can inherit the same claims and gain access to the accounts of former employees.

Beware! Where will account security go under the Google OAuth vulnerability?

The article also lists some facts: There are currently 6 million Americans working in technology startups, and 90% of technology startups will eventually fail, and 50% of them rely on Google Workspaces for email services. By analyzing Crunchbase's startup data set, it was found that more than 100,000 domain names from failed startups can be purchased. If the average failed startup has 10 employees and uses 10 different SaaS services, then this could involve access to sensitive data from more than 10 million accounts.

Beware! Where will account security go under the Google OAuth vulnerability?

OAuth typically includes claims such as "hd" (hosted domain) and "email", which service providers rely on to determine whether a user can log in. The problem is that if a service relies solely on these two claims, changes in domain ownership will make no difference to it.

Google has re-addressed the issue and issued a bounty, but the fix was still unclear when trufflesecurity posted the article. Downstream providers will have difficulty preventing this vulnerability before Google improves the OIDC claims, and users who log in using non-Google SSO are at risk of having their passwords reset hijacked. Startups can disable password login and enable SSO with 2FA, and service providers can add password reset verification. In short, Google OAuth has vulnerabilities that pose a potential threat to user data and account security.