The vulnerability in the authentication system “Sign in with Google” has put millions of Americans at risk of data theft. Truffle Security reports that the issue primarily impacts former startup employees, especially those whose businesses have already shut down.
According to Truffle Security, the vulnerability stems from how Google OAuth handles changes in domain ownership. When a startup closes, its domain becomes available for purchase. The new owner can then recreate the mailboxes of former employees; this does not expose the old mailbox contents, but it does grant sign-in access to the third-party services those employees used.
A security researcher demonstrated the severity of the problem by purchasing the domain of a closed startup. By doing so, they were able to access services such as ChatGPT, Slack, Notion, Zoom, and HR systems containing sensitive information such as Social Security numbers and tax documents.
The scope of the issue is significant: approximately 6 million people in the US work for startups, 90% of those startups eventually close, and half of them use Google Workspace. An analysis of Crunchbase data revealed that over 100,000 domains of closed startups are available for purchase, posing a risk of data leakage for more than 10 million accounts.
The vulnerability is linked to how providers like Slack authenticate users: they rely on two Google OAuth parameters, hd (the hosted domain) and email. Both values stay the same after the domain changes hands, so a new owner who recreates a former employee's mailbox presents the same hd and email and is granted access to that employee's accounts.
A potential solution could involve Google introducing two unchangeable identifiers in OpenID Connect (OIDC): a unique user identifier and a workspace identifier. However, Google initially declined to address the vulnerability, claiming it was “not correctable.” Only after significant public attention did the company reconsider the issue.
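The following is an added illustration, not code from the article or from Truffle Security, of the account-linking logic the two preceding paragraphs describe. A relying party stores accounts keyed on the ID-token claims it trusts; when a lapsed domain is bought and the same mailbox is recreated in a new workspace, a lookup keyed on (hd, email) still resolves to the former employee's account, while a lookup keyed on immutable identifiers does not. The token claims are constructed sample data. hd and email are real Google ID-token claims; sub is the standard OIDC subject identifier, and workspace_id is a hypothetical name for the unchangeable workspace identifier the article says Google could add. Whether a given provider's tokens actually carry stable values for those two identifiers is exactly the gap the article describes, which is why the hardened path is modelled as depending on them.

```python
"""Added example (not the article's or Truffle Security's code): why keying
third-party accounts on (hd, email) survives a change of domain ownership,
and how a key built from immutable identifiers does not."""
from dataclasses import dataclass


@dataclass
class Account:
    label: str
    hd: str
    email: str
    sub: str            # OIDC subject identifier (standard claim)
    workspace_id: str   # hypothetical immutable workspace identifier


class RelyingParty:
    """Minimal model of a SaaS provider's user directory."""

    def __init__(self):
        self._by_domain_email = {}   # vulnerable index: (hd, email)
        self._by_stable_ids = {}     # hardened index: (workspace_id, sub)

    def provision(self, claims, label):
        acct = Account(label, claims["hd"], claims["email"],
                       claims["sub"], claims["workspace_id"])
        self._by_domain_email[(acct.hd, acct.email)] = acct
        self._by_stable_ids[(acct.workspace_id, acct.sub)] = acct
        return acct

    def login_by_domain_email(self, claims):
        """Vulnerable path: the key is unchanged after the domain is resold."""
        return self._by_domain_email.get((claims["hd"], claims["email"]))

    def login_by_stable_ids(self, claims):
        """Hardened path: a recreated mailbox has a different sub/workspace."""
        return self._by_stable_ids.get((claims["workspace_id"], claims["sub"]))

    def login_with_mismatch_check(self, claims):
        """Defensive variant: if hd/email match an existing account but the
        immutable identifiers do not, refuse and report the mismatch so the
        provider can alert on a likely domain-ownership change."""
        by_stable = self.login_by_stable_ids(claims)
        if by_stable is not None:
            return "allow", by_stable.label
        if self.login_by_domain_email(claims) is not None:
            return "deny", "hd/email match an existing account but identifiers differ"
        return "deny", "unknown user"


def simulate_domain_takeover():
    """Constructed scenario: a startup closes, its domain is bought, and the
    buyer recreates alice@ in a fresh workspace. Returns what each lookup
    path grants to the recreated mailbox."""
    rp = RelyingParty()
    original = {"hd": "example-startup.com",
                "email": "alice@example-startup.com",
                "sub": "sub-original-111",          # constructed
                "workspace_id": "ws-original-aaa"}  # constructed
    rp.provision(original, "alice (former employee)")

    recreated = {"hd": "example-startup.com",            # same domain
                 "email": "alice@example-startup.com",   # same address
                 "sub": "sub-recreated-222",             # new identity
                 "workspace_id": "ws-new-owner-bbb"}     # new workspace
    decision, reason = rp.login_with_mismatch_check(recreated)
    return {
        "domain_email_grants_old_account": rp.login_by_domain_email(recreated) is not None,
        "stable_ids_grant_old_account": rp.login_by_stable_ids(recreated) is not None,
        "mismatch_check_decision": decision,
        "mismatch_check_reason": reason,
    }


if __name__ == "__main__":
    for key, value in simulate_domain_takeover().items():
        print(f"{key}: {value}")
```

The mismatch check is the piece a provider could act on only if the token carried stable identifiers: a login whose hd and email match a provisioned account while its immutable identifiers differ is the signature of the scenario above and is worth denying and alerting on rather than silently linking.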
As of now, the problem remains unresolved, and individual providers like Slack are unable to address it independently. This vulnerability underscores the critical need to enhance authentication systems and rethink security strategies in light of our increasing reliance on cloud services.