An alarming new study is raising the curtain on a deficiency in the Sign In with Google authentication flow. It exploits a major quirk in domain ownership to gain access to sensitive material.
As per the study, the Google OAuth login did not safeguard against anyone buying the domain of a failed startup. Nor did it offer protection against re-creating email accounts for employees who used to work at the company. This was confirmed by the co-founder and CEO of Truffle Security on Monday.
Users don’t have access to any old email content, but that does not stop them from using the accounts to log into the various SaaS products the firm made use of. The company, which is based in San Francisco, also detailed more about the issue in its report.
This includes how the major flaw could put millions of users in the US at risk: by buying defunct domains linked to failed startup firms, someone can get unauthorized access to former employee accounts. These were linked to apps such as OpenAI, ChatGPT, Zoom, and HR systems.
Some of the sensitive information exposed included tax details, payment stubs, social security data, insurance details, and more. There was also a lot of material from interview platforms featuring sensitive information linked to client feedback, with details about offers or rejections.
For those who might be wondering, OAuth is the abbreviation for open authorization. It’s an open standard that lets users grant websites or apps access to their personal information on various platforms without providing passwords. This is done by using access tokens to confirm the user’s identity and enable the service to reach the resource it was intended for.
When you choose to Sign In with Google, the company sends a set of claims about the user, such as email, host domain, and more, which is used to log users into their respective accounts. This also means that if services rely solely on these pieces of data for authentication, a change in domain ownership enables attackers to regain access to accounts owned by ex-employees.
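The difference between keying an account on the email claim and keying it on a stable subject identifier, as an added example that is not from the study or from Google. It assumes the ID token has already been signature-verified and that a re-created account arrives with a different `sub` value; `iss`, `sub`, `email` and `hd` are standard Google ID token claims, while the account store, addresses and subject values are constructed.

```python
# Constructed sample data; claims are assumed to be already signature-verified.
GOOGLE_ISS = "https://accounts.google.com"

# Account store of a hypothetical SaaS app, written when the employee first signed in.
ACCOUNTS = [
    {"id": 1, "email": "alice@defunct-startup.example",
     "iss": GOOGLE_ISS, "sub": "1000000000000000001"},
]

ORIGINAL_LOGIN = {
    "iss": GOOGLE_ISS, "sub": "1000000000000000001",
    "email": "alice@defunct-startup.example",
    "hd": "defunct-startup.example", "email_verified": True,
}
# Same address re-created under a new domain owner: email and hd match, sub does not.
RECREATED_LOGIN = {**ORIGINAL_LOGIN, "sub": "2000000000000000002"}


def resolve_by_email(claims, accounts):
    """Weak: treats the email claim as the account key."""
    for acct in accounts:
        if acct["email"].lower() == claims["email"].lower():
            return acct["id"]
    return None


def resolve_by_subject(claims, accounts):
    """Hardened: the (iss, sub) pair is the key; email is only an attribute."""
    for acct in accounts:
        if (acct["iss"], acct["sub"]) == (claims["iss"], claims["sub"]):
            return acct["id"], "ok"
    # An unknown subject presenting a known email is a takeover signal:
    # do not link automatically, route it to manual review.
    if any(a["email"].lower() == claims["email"].lower() for a in accounts):
        return None, "email_matches_different_subject"
    return None, "unknown_user"


if __name__ == "__main__":
    for name, claims in [("original", ORIGINAL_LOGIN), ("recreated", RECREATED_LOGIN)]:
        print(name, resolve_by_email(claims, ACCOUNTS),
              resolve_by_subject(claims, ACCOUNTS))
```

The `email_matches_different_subject` result is also worth logging, since it marks exactly the sign-in pattern the study describes.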
Google did reply to the claim and even awarded a bounty for exposing the vulnerability, adding that it was all intended behavior. It also labeled this as an abuse-based methodology with a high impact.