Beware! Where will account security go under the Google OAuth vulnerability?

Industry Information 04 Feb 2025 12:54:15 PM By: DN domain name editor
Abstract:

Recently, trufflesecurity published an article pointing out a vulnerability in Google's OAuth that allows anyone to purchase the domain name of a defunct startup and use it to recreate the email accounts of former employees.

Recently, trufflesecurity published an article pointing out a vulnerability in Google's OAuth: anyone can purchase the domain name of a defunct startup and use it to recreate the email accounts of former employees. Although the old email data cannot be recovered, these recreated accounts can be used to log in to the various SaaS products the organization once used.

The root cause of this vulnerability is that Google's OAuth login does not account for changes in domain name ownership. When someone purchases the domain name of a defunct company and recreates its users, the resulting logins carry the same claims as before, so the new owner inherits access to the former employees' accounts.


The article also lists some facts: there are currently 6 million Americans working in technology startups, 90% of technology startups will eventually fail, and 50% of them rely on Google Workspace for email. By analyzing Crunchbase's startup data set, it was found that more than 100,000 domain names from failed startups are available for purchase. If the average failed startup has 10 employees and uses 10 different SaaS services, this could expose sensitive data from more than 10 million accounts.


A Google OAuth login typically includes claims such as "hd" (hosted domain) and "email", which service providers rely on to decide whether a user may log in. The problem is that if a service relies solely on these two claims, a change in domain ownership is invisible to it: whoever now controls the domain can present exactly the same "hd" and "email" values as the original employee.

Google has since revisited the issue and awarded a bounty, but the fix was still unclear when trufflesecurity published the article. Until Google improves the OIDC claims, downstream providers will find this vulnerability hard to prevent, and users who log in via non-Google SSO are at risk of having their password resets hijacked. Startups can disable password login and enable SSO with 2FA, and service providers can add verification to the password reset flow. In short, Google OAuth has a weakness that poses a real threat to user data and account security.
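The following is an added illustration, not code from the article or from trufflesecurity. It simulates a SaaS login handler that keys accounts only on the "hd" and "email" claims described above, beside a hardened version that also binds each account to the OIDC "sub" claim (Google's stable per-user identifier) and flags a mismatch for re-verification, as one form of the extra check suggested for service providers. The claim values are constructed samples, and the assumption that a re-registered domain yields a different "sub" for the same email is this example's, not a statement from the article.

```python
# Added example (not from the article or Truffle Security): simulates how a
# SaaS login handler that keys accounts only on the OIDC "hd" and "email"
# claims cannot tell an original employee from whoever later buys the domain,
# and how binding the account to the stable "sub" claim catches the change.
# All claim sets below are constructed samples, not real Google tokens.

from dataclasses import dataclass


@dataclass
class Account:
    email: str
    hd: str
    sub: str  # Google's stable per-user identifier, recorded at first login


# Constructed: the original employee's ID token claims at account creation.
ORIGINAL_CLAIMS = {"sub": "1001", "hd": "example-startup.com",
                   "email": "alice@example-startup.com"}
# Constructed: claims for a user recreated on the re-registered domain.
# Same "hd" and "email", but (assumption) Google issues a different "sub".
REREGISTERED_CLAIMS = {"sub": "9042", "hd": "example-startup.com",
                       "email": "alice@example-startup.com"}

ACCOUNTS = {ORIGINAL_CLAIMS["email"]: Account(**ORIGINAL_CLAIMS)}


def login_by_domain_claims(claims: dict) -> str:
    """Vulnerable pattern: trusts hd + email alone."""
    acct = ACCOUNTS.get(claims["email"])
    if acct and acct.hd == claims["hd"]:
        return "granted"
    return "denied"


def login_bound_to_sub(claims: dict) -> str:
    """Hardened: the presented sub must match the one recorded at signup.
    A mismatch is a signal of domain re-registration (or account re-creation)
    and should trigger re-verification by the tenant admin, not silent access."""
    acct = ACCOUNTS.get(claims["email"])
    if acct is None:
        return "denied"
    if acct.sub != claims["sub"]:
        return "reverify"
    if acct.hd != claims["hd"]:
        return "denied"
    return "granted"


if __name__ == "__main__":
    print(login_by_domain_claims(REREGISTERED_CLAIMS))  # granted  (vulnerable)
    print(login_bound_to_sub(REREGISTERED_CLAIMS))      # reverify (caught)
```

The "reverify" outcome is where a provider would insert the extra check the article recommends, for example requiring confirmation by an existing tenant admin before the account is reactivated.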
