Google OAuth flaw lets attackers gain access to abandoned accounts

Google OAuth Security Flaw: Abandoned Account Access Vulnerability
A critical vulnerability in Google's "Sign in with Google" authentication flow, discovered and reported in late 2024, has significant implications for data security, particularly affecting former employees of failed startups.
The Vulnerability: Domain Ownership and OAuth Interaction
The flaw arises from how Google's OAuth login system interacts with domain ownership changes. Here are the key points:
- Domain Ownership Changes: When a startup fails and its domain becomes available for purchase, attackers can buy the domain and recreate email accounts for former employees. Despite not being able to access old email data, these recreated accounts can be used to log into various SaaS (Software as a Service) platforms that the organization previously used.
- OAuth Claims: Google's OAuth system sends a set of claims to the service, including the user's email address and a domain-specific identifier (the `hd` claim). These claims are used by services like Slack, Notion, and Zoom to grant access. However, when domain ownership changes, these claims remain valid, allowing attackers to access old employee accounts.
Impact and Scope
- Affected Users: Approximately 6 million Americans work for tech startups, and 90% of these startups eventually fail. Given that 50% of these startups rely on Google Workspace for email, the potential impact is substantial. An analysis using Crunchbase data identified over 100,000 defunct domains available for purchase, which could expose sensitive data from more than 10 million accounts.
- Sensitive Data Exposure: The vulnerability allows attackers to access sensitive information stored in HR systems, chat platforms, interview tools, and other SaaS services. This includes Social Security numbers, tax documents, pay stubs, insurance information, and private messages.
Proposed Fixes and Google’s Response
- Immutable Identifiers: The researcher proposed that Google add two immutable identifiers to its OpenID Connect (OIDC) claims: a unique user ID that remains consistent over time and a unique workspace ID tied to the domain. This would help prevent the issue by ensuring that user and workspace identities are not affected by domain ownership changes.
- Initial Dismissal and Reopening: Initially, Google dismissed the report as a "fraud and abuse" issue rather than an OAuth vulnerability. However, after the researcher's talk at ShmooCon was accepted in December 2024, Google reopened the case, awarded a $1,337 bounty, and acknowledged it as an "abuse-related methodology with high impact".
Mitigation and Recommendations
- User Precautions: Users are advised to be cautious about using "Sign in with Google" for critical services and to advocate for startups to disable password-based authentication and enforce single sign-on (SSO) with two-factor authentication (2FA).
- Service Provider Actions: Downstream providers like Slack or Notion can implement additional verification steps, such as SMS codes or credit card checks, for password resets to reduce risks associated with compromised domains. However, comprehensive protection is not possible without changes from Google.
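As an added illustration (not code from the article, from Google, or from any of the named providers), the following Python sketch shows how a downstream provider's login handler behaves when it keys accounts on email plus `hd`, versus when it binds each account to the immutable user and workspace identifiers the researcher proposed. It assumes the per-user ID arrives in the standard OIDC `sub` claim and the workspace ID in a hypothetical `workspace_id` claim; the account record and both tokens are constructed sample data standing in for already-verified ID token payloads.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    hd: str
    user_id: Optional[str] = None       # immutable per-user ID bound at provisioning
    workspace_id: Optional[str] = None  # immutable per-workspace ID bound at provisioning

class LoginError(Exception):
    pass

def email_keyed_login(accounts, claims):
    """Vulnerable pattern from the article: trust email + hd, both of which
    a buyer of the lapsed domain can reproduce."""
    return accounts.get((claims["email"].lower(), claims["hd"].lower()))

def id_bound_login(accounts, claims):
    """Hardened pattern: email + hd only locate the record; login succeeds
    only if the token's immutable IDs equal those bound to the account."""
    acct = email_keyed_login(accounts, claims)
    if acct is None:
        return None
    uid, wid = claims.get("sub"), claims.get("workspace_id")  # workspace_id is hypothetical
    if uid is None or wid is None:
        raise LoginError("token lacks immutable identifiers")
    if acct.user_id is None or acct.workspace_id is None:
        raise LoginError("unbound legacy account; require out-of-band re-verification")
    if (acct.user_id, acct.workspace_id) != (uid, wid):
        raise LoginError("identifier mismatch: domain may have changed hands")
    return acct

def outcome(login_fn, accounts, claims):
    """Summarise a login attempt as a string so both paths can be compared."""
    try:
        return "granted" if login_fn(accounts, claims) else "unknown account"
    except LoginError as err:
        return f"denied: {err}"

# Constructed sample data: one provisioned account, then two tokens with the same email and hd.
EMAIL, HD = "alice@failedstartup.example", "failedstartup.example"
ACCOUNTS = {(EMAIL, HD): Account(EMAIL, HD, user_id="u-111", workspace_id="ws-aaa")}
ORIGINAL_EMPLOYEE = {"email": EMAIL, "hd": HD, "sub": "u-111", "workspace_id": "ws-aaa"}
DOMAIN_BUYER = {"email": EMAIL, "hd": HD, "sub": "u-999", "workspace_id": "ws-bbb"}

if __name__ == "__main__":
    for who, claims in (("employee", ORIGINAL_EMPLOYEE), ("domain buyer", DOMAIN_BUYER)):
        print(who, "|", outcome(email_keyed_login, ACCOUNTS, claims), "|", outcome(id_bound_login, ACCOUNTS, claims))
```

The email-keyed path grants both tokens, while the ID-bound path grants only the original employee and rejects the domain buyer; a legacy record with no bound IDs is refused rather than silently bound on first use, since that first use could already be the new domain owner.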
Conclusion
The vulnerability in Google's OAuth implementation highlights a significant flaw in the authentication system, particularly in how it handles domain ownership changes. Until Google implements the proposed fixes, millions of accounts tied to defunct startups remain at risk of unauthorized access and data theft. The incident underscores the need for more robust authentication systems and the importance of prompt action from companies like Google to protect users' sensitive information.