New analysis has pulled again the curtain on a “deficiency” in Google’s “Check in with Google” authentication stream that exploits a quirk in area possession to realize entry to delicate information.
“Google’s OAuth login does not defend in opposition to somebody buying a failed startup’s area and utilizing it to re-create e-mail accounts for former workers,” Truffle Safety co-founder and CEO Dylan Ayrey mentioned in a Monday report.
“And whilst you cannot entry outdated e-mail information, you should utilize these accounts to log into all of the completely different SaaS merchandise that the group used.”

The San Francisco-based firm mentioned the problem has the potential to place tens of millions of American customers’ information in danger just by buying a defunct area related to a failed startup and gaining unauthorized entry to outdated worker accounts associated to varied functions like OpenAI ChatGPT, Slack, Notion, Zoom, and even HR techniques.
“Probably the most delicate accounts included HR techniques, which contained tax paperwork, pay stubs, insurance coverage info, social security numbers, and extra,” Ayrey mentioned. “Interview platforms additionally contained delicate details about candidate suggestions, gives, and rejections.”
OAuth, brief for open authorization, refers to an open customary for entry delegation, permitting customers to grant web sites or functions entry to their info on different web sites with out having to provide their passwords. That is achieved by making use of an entry token to confirm the person’s id and permit the service to entry the useful resource the token is meant for.

When “Check in with Google” is used to check in to an utility resembling Slack, Google sends the service a set of claims concerning the person, together with their e-mail handle and the hosted area, which might then be utilized to log customers into their accounts.
This additionally signifies that if a service is solely counting on these items of knowledge to authenticate customers, it additionally opens the door to a situation the place area possession modifications might permit an attacker to regain entry to outdated worker accounts.
Truffle additionally identified Google’s OAuth ID token features a distinctive person identifier – the sub declare – that might theoretically forestall the issue, however that has been discovered to be unreliable. It is price noting that Microsoft’s Entra ID tokens embrace the sub or oid claims to retailer an immutable worth per person.

Whereas Google initially responded to the vulnerability disclosure by stating that it’s meant conduct, it has since re-opened the bug report as of December 19, 2024, awarding Ayrey a bounty of $1,337. It has additionally certified the problem as an “abuse-related methodology with excessive affect.”
Within the meantime, there aren’t any protections that downstream software program suppliers can take to guard in opposition to the vulnerability in Google’s OAuth implementation. The Hacker Information has reached out to Google for additional remark, and we’ll replace the story if we hear again.
“As a person, as soon as you have been off-boarded from a startup, you lose your capacity to guard your information in these accounts, and you’re topic to no matter destiny befalls the way forward for the startup and area,” Ayrey mentioned. “With out immutable identifiers for customers and workspaces, area possession modifications will proceed to compromise accounts.”