Google OAuth “Sign in with Google” Vulnerability Exposes Millions of Accounts to Data Theft

Jan 14, 2025 - 13:35

A critical vulnerability in Google’s “Sign in with Google” authentication flow is putting millions of Americans at risk of data theft, particularly those who have worked for failed startups.

The issue lies in how the identity claims Google issues during an OAuth login interact with domain ownership: whoever controls a defunct company’s domain can obtain claims that look identical to those of its former employees, and use them to gain unauthorized access to sensitive accounts.

Despite being alerted to the flaw, Google initially dismissed the issue as “working as intended,” though it has since reopened the case and promised a fix.

The Vulnerability: Domain Ownership Meets OAuth

The flaw stems from Google’s OAuth implementation, which allows users to log into third-party services using their Google credentials.

When users click “Sign in with Google,” Google sends the service an ID token containing a set of claims, including the user’s email address and the hosted domain claim (hd), which names the Google Workspace domain the account belongs to. Services like Slack, Notion, and Zoom use these claims to decide which existing account the login belongs to and grant access accordingly.

However, if a startup shuts down and lets its domain lapse, an attacker can buy the domain, set up a new Google Workspace on it, recreate the email addresses of former employees, and use those accounts to sign in to the SaaS platforms the startup used.

“If a service (e.g., Slack) relies solely on these two claims, ownership changes to the domain won’t look any different to Slack. When someone buys the domain of a defunct company, they inherit the same claims, granting them access to old employee accounts.”

While attackers cannot read the former employees’ old email (a new Workspace on the domain contains none of the original mailboxes), they can use the recreated accounts to reach sensitive information stored in services like HR systems, chat platforms, and interview tools.

A security researcher demonstrated this by purchasing a defunct startup domain and gaining access to accounts on multiple platforms.

The most sensitive data included Social Security numbers, tax documents, pay stubs, insurance information, and private messages.

The potential impact is staggering.

  • 6 million Americans currently work for tech startups.
  • 90% of tech startups eventually fail.
  • 50% of these startups rely on Google Workspace for email.

Using Crunchbase data, the researcher identified over 100,000 defunct domains available for purchase. Assuming each failed startup had 10 employees who used 10 different SaaS services during their tenure, this vulnerability could expose more than 10 million accounts (100,000 domains × 10 employees × 10 services).

Google’s OAuth system also includes a unique user identifier, the sub claim, which in principle could prevent this issue: a user recreated in a new Workspace receives a different sub, even though the email address and hd are the same.

However, the researcher reported that downstream providers have found the sub claim inconsistent across logins, changing in about 0.04% of cases, which makes it unreliable as the sole key for matching a login to an account.

As a result, many platforms key accounts on the email and domain claims instead. When domain ownership changes hands, a new Workspace on the same domain produces the same email and hd values, so the attacker’s login is matched to the former employee’s account.

Proposed Fixes and Google’s Response

The researcher proposed that Google add two immutable identifiers to its OpenID Connect (OIDC) claims:

  1. A unique user ID that remains consistent over time.
  2. A unique workspace ID tied to the domain.
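
The account-linking rules described above and the proposed fix, as an added Python example; this is not code from the original article, from the researcher, or from Google. It models the three claims the article names (email, hd, sub) together with a hypothetical workspace_id claim standing in for the immutable workspace ID the researcher proposed, and plays a constructed scenario against three linking policies: matching on email plus hd (the vulnerable rule), matching on sub alone (which a rotated sub breaks), and matching on email within a workspace. ID-token signature, iss, aud and exp verification is omitted; a real implementation must do that before trusting any claim.

```python
"""Account-linking policies for a "Sign in with Google" ID token.

Added example, not the article's, the researcher's or Google's code. The claim
dicts are constructed; `workspace_id` is a hypothetical claim Google does not
issue today, standing in for the immutable workspace ID the researcher
proposed. Real code must first verify the ID token's signature against
Google's published keys and check iss, aud and exp; that step is omitted here.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """What a SaaS provider stores after a user's first Google login."""
    account_id: int
    email: str
    hd: str                                  # hosted domain claim at signup
    sub: str                                 # Google user identifier at signup
    workspace_id: Optional[str] = None       # hypothetical immutable workspace claim
    data: list = field(default_factory=list)


class Provider:
    """Minimal SaaS account store with a pluggable account-linking policy."""

    POLICIES = ("email_hd", "sub", "email_workspace")

    def __init__(self, policy):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.accounts = []

    def _matches(self, acct, claims):
        if self.policy == "email_hd":
            # Vulnerable rule: whoever later controls the domain can obtain a
            # token with the same email and hd, so it links to the old account.
            return acct.email == claims["email"] and acct.hd == claims["hd"]
        if self.policy == "sub":
            # Keyed on Google's user ID: a user recreated on a resold domain has
            # a different sub, but a rotated sub strands the genuine user.
            return acct.sub == claims["sub"]
        # Hypothetical fix: email within an immutable workspace. A resold domain
        # is a new workspace, while a rotated sub no longer matters.
        wid = claims.get("workspace_id")
        return (wid is not None
                and acct.email == claims["email"]
                and acct.workspace_id == wid)

    def login(self, claims):
        """Return the account the token links to, creating one on first login."""
        for acct in self.accounts:
            if self._matches(acct, claims):
                return acct
        acct = Account(len(self.accounts) + 1, claims["email"], claims["hd"],
                       claims["sub"], claims.get("workspace_id"))
        self.accounts.append(acct)
        return acct


# Constructed claims for the scenario the article describes.
DOMAIN = "failed-startup.example"
ALICE = {"email": f"alice@{DOMAIN}", "hd": DOMAIN, "sub": "1001",
         "workspace_id": "ws-original"}
# The same person, but sub changed (the roughly 0.04% case the article cites).
ALICE_ROTATED = dict(ALICE, sub="1001-rotated")
# Attacker bought the lapsed domain, created a new Workspace and the user alice@.
ATTACKER = {"email": f"alice@{DOMAIN}", "hd": DOMAIN, "sub": "9999",
            "workspace_id": "ws-attacker"}


def run_scenario(policy):
    """Play the three logins against one policy and report what happened."""
    provider = Provider(policy)
    alice = provider.login(ALICE)
    alice.data.append("W-2 tax form")        # sensitive data stored while employed
    attacker = provider.login(ATTACKER)      # login from the resold domain
    alice_again = provider.login(ALICE_ROTATED)
    return {
        "attacker_gets_alice_account": attacker.account_id == alice.account_id,
        "attacker_sees": list(attacker.data),
        "alice_keeps_account_after_sub_change":
            alice_again.account_id == alice.account_id,
    }


if __name__ == "__main__":
    for name in Provider.POLICIES:
        print(name, run_scenario(name))
```

Under the email_hd policy the attacker’s login lands on Alice’s account and sees her stored document; under the sub policy the attacker gets an empty account but so does Alice once her sub rotates, which is the lockout that pushes providers back toward email matching; under the hypothetical email_workspace policy both problems go away, which is why the proposal asks for an identifier that is immutable per workspace rather than per domain name.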

Initially, Google dismissed the report as a “fraud and abuse” issue rather than an OAuth vulnerability. However, after the researcher’s talk at ShmooCon was accepted in December 2024, Google reopened the case and awarded a $1,337 bounty. While Google has promised a fix, it has not disclosed specific details or timelines.

For now, downstream providers like Slack or Notion have limited options to mitigate this vulnerability without changes from Google. As an individual user:

  • Be cautious about using “Sign in with Google” for critical services.
  • Advocate for startups to disable password-based authentication and enforce single sign-on (SSO) with two-factor authentication (2FA).

Service providers can also add verification steps of their own, such as SMS codes or credit card checks, before honoring a password reset, to reduce the risk posed by a domain that has changed hands.

This vulnerability highlights a fundamental flaw in Google’s OAuth implementation: the lack of immutable identifiers for users and workspaces.

Until Google implements a fix, millions of accounts tied to defunct startups remain at risk of unauthorized access and data theft.

While Google’s re-engagement with the issue is promising, time is crucial as attackers could exploit this gap on a massive scale.


The post Google OAuth “Sign in with Google” Vulnerability Exposes Millions of Accounts to Data Theft appeared first on Cyber Security News.