Millions of Google login users warned of data-stealing hack attack

15 Jan 25

Google is always in the news and, unfortunately, not always for positive reasons when it comes to security issues. It’s great that new security rules are coming down soon to help protect users, and there’s plenty of help for Gmail users who find their accounts have been hacked. However, with users already on high alert as two-factor authentication bypass attacks continue, the last thing Google needs is more bad news about secure account login. Bad news, however, has come with the release of research demonstrating how Google’s OAuth authentication can be exploited by attackers to gain access to sensitive data from potentially millions of accounts. Here’s what you need to know.


Google sign-in vulnerability explained

A January 13 report has revealed how security researchers discovered a rather shocking vulnerability affecting Google’s “Sign in with Google” authentication flow. “I demonstrated this flaw by accessing accounts I didn’t own,” said Dylan Ayrey, CEO and co-founder of Trufflesecurity, “and Google responded that this behavior was working as intended.” Ayrey warned anyone who has ever worked for a startup in the past, especially one that has now ceased trading, that they could be vulnerable to this hacking method.

Ayrey explained that the problem stems from the fact that Google’s OAuth login “doesn’t protect against someone buying a failed startup’s domain and using it to recreate email accounts for former employees,” which leaves the door wide open for an attacker to use those accounts to sign in to any software-as-a-service product the organization was using. What kind of services? The research showed how just one of these defunct domains gave access to former employees’ accounts on ChatGPT, Notion, Slack and Zoom. “The most sensitive accounts included human resources systems,” Ayrey said, “which contained tax documents, payslips, insurance information, social security numbers and more.”

The vulnerability revolves around the “claims” Google sends to a service when a user clicks the Sign in with Google button. Among these claims are the hosted domain (the `hd` claim, the Google Workspace domain the account belongs to) and the user’s email address. Service providers commonly use these two values to decide whether to grant access and which account to log the user into. Ayrey found that a service relying on these alone has no way to notice a change of domain ownership: the new owner of the domain can recreate the same addresses, and Google will issue tokens carrying the same `hd` and email values for them. “When someone buys a defunct company’s domain,” Ayrey said, “they inherit the same claims, giving them access to old employee accounts.”
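To make the failure concrete, here is an added example (not code from the Forbes article or from Truffle Security’s report) of a miniature relying party for Sign in with Google. It contrasts a login handler that keys accounts on `hd` plus email, as the article describes, with one that also pins the stable `sub` (subject) claim captured at first sign-in. The token payloads are constructed dicts; in a real deployment the ID token’s signature, audience and expiry would already have been verified before these checks run. The domain name, subject values and account contents are hypothetical.

```python
"""Added example: why keying a Google sign-in on hd + email alone is not
enough, and how pinning the subject identifier at enrollment closes the gap.
Token payloads are constructed for the demo, not real Google ID tokens."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GOOGLE_ISS = "https://accounts.google.com"


@dataclass
class Account:
    email: str
    hd: str
    sub: str      # Google subject identifier recorded on first sign-in
    payload: str  # stand-in for the sensitive data the account exposes


@dataclass
class RelyingParty:
    # Accounts indexed the way the vulnerable pattern does: (hd, email)
    accounts: Dict[Tuple[str, str], Account] = field(default_factory=dict)

    @staticmethod
    def _basic_checks(claims: dict) -> bool:
        # Shared sanity checks; these do NOT help against domain reuse,
        # because the new domain owner's tokens pass them too.
        return (claims.get("iss") == GOOGLE_ISS
                and claims.get("email_verified") is True
                and "hd" in claims and "email" in claims)

    def enroll(self, claims: dict, payload: str) -> Account:
        # Hypothetical first sign-in: store sub next to hd/email.
        acct = Account(claims["email"], claims["hd"], claims["sub"], payload)
        self.accounts[(claims["hd"], claims["email"])] = acct
        return acct

    def login_vulnerable(self, claims: dict) -> Optional[Account]:
        # The pattern the article describes: hd + email decide everything.
        if not self._basic_checks(claims):
            return None
        return self.accounts.get((claims["hd"], claims["email"]))

    def login_hardened(self, claims: dict) -> Optional[Account]:
        if not self._basic_checks(claims):
            return None
        acct = self.accounts.get((claims["hd"], claims["email"]))
        if acct is None:
            return None
        if acct.sub != claims.get("sub"):
            # Same domain and address, different Google identity: treat as a
            # possible domain takeover rather than as the original employee.
            return None
        return acct


# Constructed payloads. The employee signed up while the startup existed;
# the attacker bought the lapsed domain and recreated the same address.
EMPLOYEE_CLAIMS = {
    "iss": GOOGLE_ISS, "hd": "defunct-startup.example",
    "email": "alice@defunct-startup.example", "email_verified": True,
    "sub": "100000000000000000001",
}
ATTACKER_CLAIMS = {
    "iss": GOOGLE_ISS, "hd": "defunct-startup.example",
    "email": "alice@defunct-startup.example", "email_verified": True,
    "sub": "200000000000000000002",  # a brand-new Google identity
}


def build_demo() -> RelyingParty:
    rp = RelyingParty()
    rp.enroll(EMPLOYEE_CLAIMS, "tax documents, payslips (hypothetical)")
    return rp


def run_demo() -> Dict[str, bool]:
    rp = build_demo()
    return {
        "vulnerable_grants_attacker": rp.login_vulnerable(ATTACKER_CLAIMS) is not None,
        "hardened_grants_attacker": rp.login_hardened(ATTACKER_CLAIMS) is not None,
        "hardened_grants_employee": rp.login_hardened(EMPLOYEE_CLAIMS) is not None,
    }


if __name__ == "__main__":
    for name, granted in run_demo().items():
        print(f"{name}: {granted}")
```

The `sub` claim stands in here for whatever stable per-user identifier the identity provider issues; the report’s proposed fix is for Google to add new immutable user and workspace identifiers, which a relying party would pin in exactly the same way at enrollment and compare on every later login. The hardened handler deliberately returns nothing on a mismatch instead of silently provisioning a fresh account, so the event can be logged and reviewed rather than resolved in the attacker’s favour.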

Google’s response to the risk of OAuth hacking

Ayrey said the problem was first reported to Google on September 30, 2024, and marked as “not going to be fixed” on October 2, 2024. After the exploit was demonstrated at a major security conference, Shmoocon, in December, Google reopened the ticket and gave the researchers a small reward of $1,337. The amount is interesting in itself, as 1337 is hacker slang for “elite.” Ayrey said Google is now working on a fix, though whether it will include the approach proposed in the Trufflesecurity report, two new immutable identifiers (a unique user ID that does not change over time and a unique workspace ID tied to the domain), remains to be seen.

I’ve reached out to Google for a statement.

