A flaw in Google OAuth system is exposing millions of users via abandoned accounts

• Buying domains from businesses that shut down could grant access to their SaaS accounts, research finds
• Google argues it's not a vulnerability, and that businesses should make sure they're not leaving sensitive information behind
• Researchers propose additional safeguards

Experts have found a vulnerability in Google’s OAuth “Sign in with Google” feature which could allow malicious actors to access sensitive data belonging to businesses that have shut down.

Google acknowledged the flaw, but is not doing much to address it, rather saying that it is up to the businesses to ensure the security of the data they are leaving behind.

The vulnerability was first discovered by security researchers from Trufflesecurity, who reported it to Google in late September 2024. However, it was only after the company’s CEO and co-founder, Dylan Ayrey, presented the issue at Shmoocon in December 2024 that Google reacted.

Google suggests mitigations

Here is how it works, in theory:

A business signs up for an HR service using its business email account and the “Sign in with Google” feature. It uses the HR service for things like employee contracts, payouts, and more. Some time later, the business shuts down, and terminates the domain. After that, a malicious actor registers the same domain, and recreates the same email address used to log into the HR service.

They then proceed to log into the account on the HR platform, where they can access all the information and files left behind.

Google awarded Trufflesecurity a small bounty, but decided not to pursue a fix: "We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation," a Google representative told BleepingComputer.

“As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk.”

In other words, it’s up to the businesses to make sure they’re not leaving residual data behind.

Ayrey notes a quick look through Crunchbase returns more than 100,000 domains that can be abused this way. He suggested Google introduce immutable identifiers, while SaaS providers add cross-referencing domain registration dates.

Via BleepingComputer

You might also like

• Chinese hackers are switching to new malware for government attacks
• Here's a list of the best antivirus tools on offer
• These are the best endpoint protection tools right now