Google OAuth Vulnerability Exposes Abandoned Accounts to Attackers

Researchers from Trufflesecurity have discovered a vulnerability in the Google OAuth “Sign in with Google” feature. This bug allows attackers who register domains of defunct startups to gain access to confidential data from the accounts of former employees on various SaaS platforms.

The researchers initially reported the issue to Google on September 30, 2024. At that time, Google classified the problem as “fraud and abuse,” disagreeing that it was an OAuth vulnerability. It was only after Dylan Ayrey, CEO and co-founder of Trufflesecurity, publicly discussed the issue at Shmoocon in December 2024 that Google awarded the researchers a $1,337 bounty and reopened the ticket.

At the time of writing, the issue remains unfixed and exploitable. According to Bleeping Computer, Google representatives stated that users simply need to follow security best practices and “properly decommission domains.”

“We appreciate Dylan Ayrey’s help in identifying the risks that arise when customers forget to remove third-party SaaS services as they wind down operations,” a Google spokesperson told reporters.

How the Vulnerability Works

In his report, Ayrey explains that “Google OAuth login does not protect against a scenario where someone buys the domain of a closed startup and uses it to recreate email accounts of former employees.” Recreating the mailboxes does not restore the old mail, but the new accounts carry the same addresses and the same Workspace domain, so they can be used to sign back into services like Slack, Notion, Zoom, ChatGPT, and others that still hold the former employees’ accounts.

The researcher demonstrated this by purchasing an old domain and gaining access to SaaS platforms, where he found confidential HR data (tax documents, insurance information, and Social Security numbers) and was able to log into various services as other people (including ChatGPT, Slack, Notion, and Zoom).

By searching the Crunchbase database for defunct startups with abandoned domains, Ayrey found 116,481 domains suitable for such attacks. This means there could be millions of employee accounts from bankrupt startups whose domains are now available for purchase.

Technical Details and Risks

Ayrey explains that Google’s OpenID Connect ID token includes a sub claim designed to be a unique and immutable identifier for each user, so that a relying party can recognize a user even if their email address or domain changes. In practice, however, the sub value was found to change between logins in roughly 0.04% of cases. Small as that rate is, it is enough that services like Slack and Notion, unwilling to lock out users whose sub shifts, do not key accounts on it and instead rely solely on the email and domain claims.

Those two claims are bound to things a new domain owner inherits: the email claim to the mailbox address, and the domain claim (hd, the hosted domain) to ownership of the Google Workspace domain. Whoever registers the lapsed domain and recreates the mailbox receives tokens with identical email and hd values and is therefore matched to the former employee’s account on any SaaS platform that ignores sub.

Proposed Solutions

To address this issue, Ayrey’s report proposes that Google add two immutable identifiers to its OpenID Connect claims: a unique and permanent user ID and a unique workspace ID tied to the original organization, so that a SaaS provider can key accounts on values a new domain owner cannot inherit.

SaaS providers can also adopt additional measures on their side, such as cross-checking the domain’s registration date against the date the workspace was first onboarded, requiring admin-level approval before a login with a changed sub is linked to an existing account, or using secondary factors to verify identities.
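The following Python is an added example, not code from Truffle Security, Google, or any of the SaaS vendors named above. It models the account-lookup logic at the center of this report (matching on email and hd versus matching on sub) and the mitigations listed just above. The domain, account names, sub values and dates are constructed for the example; a real implementation would replace the two date dictionaries with RDAP/WHOIS lookups and the tenant’s own onboarding records.

```python
# Added illustration of the "Sign in with Google" account-linking problem.
# Not Truffle Security's, Google's, or any SaaS vendor's code.
# All domains, names, sub values and dates below are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    email: str   # mutable: follows the mailbox, inherited by a new domain owner
    hd: str      # mutable: Workspace hosted domain, inherited with the domain
    sub: str     # meant to be immutable per Google account
    label: str


# Constructed directory of a hypothetical wound-down startup, example-startup.test.
ACCOUNTS = (
    Account("alice@example-startup.test", "example-startup.test", "sub-legacy-111", "Alice, HR"),
)

# Constructed decoded ID-token claims (assume signature, iss, aud and exp already verified).
LEGIT_TOKEN = {"sub": "sub-legacy-111", "email": "alice@example-startup.test",
               "hd": "example-startup.test", "email_verified": True}
# Attacker bought the lapsed domain, created a new Workspace and an alice@ mailbox:
# email and hd are identical, but Google issues a fresh sub for the new account.
ATTACKER_TOKEN = {"sub": "sub-new-999", "email": "alice@example-startup.test",
                  "hd": "example-startup.test", "email_verified": True}

# Constructed registration data (hypothetical); a real check would query RDAP/WHOIS
# and the tenant's onboarding record.
DOMAIN_REGISTERED = {"example-startup.test": date(2025, 1, 3)}   # re-registered by attacker
WORKSPACE_LINKED = {"example-startup.test": date(2019, 6, 1)}    # when the startup onboarded


def login_by_email(token, accounts=ACCOUNTS):
    """The weak pattern from the article: match on email + hd, ignore sub."""
    for acct in accounts:
        if acct.email == token["email"] and acct.hd == token["hd"]:
            return acct
    return None


def login_by_sub(token, accounts=ACCOUNTS):
    """Key identity on sub; email and hd are treated as display data only."""
    for acct in accounts:
        if acct.sub == token["sub"]:
            return acct
    return None


def login_hardened(token, accounts=ACCOUNTS,
                   domain_registered=DOMAIN_REGISTERED, workspace_linked=WORKSPACE_LINKED):
    """Combine the mitigations listed in the article.

    Returns (decision, account). A sub match is accepted outright. A sub mismatch
    with a matching email is the rare "sub changed" case: rather than silently
    linking the login to the old account (the behaviour the attack relies on), it is
    blocked when the domain was re-registered after onboarding, and otherwise parked
    for admin approval.
    """
    if not token.get("email_verified"):
        return ("denied: unverified email", None)
    acct = login_by_sub(token, accounts)
    if acct is not None:
        return ("ok", acct)
    acct = login_by_email(token, accounts)
    if acct is None:
        return ("denied: unknown user", None)
    hd = token["hd"]
    if domain_registered.get(hd, date.min) > workspace_linked.get(hd, date.max):
        return ("denied: domain re-registered after workspace was linked", acct)
    return ("pending: admin approval required for sub change", acct)


if __name__ == "__main__":
    print("email-keyed lookup, attacker token:", login_by_email(ATTACKER_TOKEN))
    print("sub-keyed lookup, attacker token:  ", login_by_sub(ATTACKER_TOKEN))
    print("hardened, legit token:   ", login_hardened(LEGIT_TOKEN)[0])
    print("hardened, attacker token:", login_hardened(ATTACKER_TOKEN)[0])
```

Running the script shows the two halves of the problem side by side: the email-keyed lookup hands the attacker Alice’s account, the sub-keyed lookup does not, and the hardened path turns the sub mismatch into a blocked or admin-reviewed login instead of a silent merge, which is what makes keying on sub tolerable despite the small rate of legitimate sub changes.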
