Google OAuth Vulnerability Exposes Millions via Failed Startup Domains

Google OAuth Vulnerability 2025: Domain Ownership and Data Breaches
A critical weakness in Google's "Sign in with Google" login flow, which is built on OAuth and OpenID Connect, has been disclosed. It puts data at risk for anyone who used a Google Workspace account at a startup that later shut down and let its domain lapse.
The Vulnerability: Domain Ownership Meets OAuth
The issue arises from how Google's OAuth system interacts with domain ownership. Here are the key points:
- Domain Claim Exploitation: When a user clicks "Sign in with Google", Google issues the service an ID token whose claims include the user's email address and, for Workspace accounts, the hosted-domain (`hd`) claim. If a startup shuts down and its domain becomes available for purchase, an attacker can buy the domain, stand up a new Google Workspace on it, recreate the former employees' mailboxes, and sign in to SaaS platforms such as Slack, Notion and Zoom with email and `hd` claims identical to the ones the real employees once presented [1][5].
- Inconsistent User Identifiers: The ID token also carries a per-user subject identifier (`sub` claim) that is meant to be stable, but the researcher reports that it is inconsistent across logins, so downstream providers treat it as unreliable and key accounts on the email and domain claims instead. Those two claims stay exactly the same after the domain changes hands, so the attacker's login resolves to the former employee's existing account [1][5].
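The lookup logic behind the two bullets above, written as an added example rather than code from the report or from any of the affected providers. It constructs two ID-token payloads with made-up values: the former employee's original login, and an attacker's login from a new Workspace tenant on the re-registered domain. Signature verification is assumed to have already happened upstream, and the `workspace_id` claim is hypothetical (it models the immutable workspace identifier the researcher proposed; Google's ID tokens do not carry it today).

```python
"""Added example (not from the original report or from Google): why keying a
"Sign in with Google" account on the email and hd claims is taken over once a
defunct startup's domain is re-registered, and how keying on sub, or on the
proposed immutable workspace id, closes the hole. All values are constructed;
the workspace_id claim is hypothetical."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    hd: str            # hosted domain recorded when the account was provisioned
    sub: str           # Google subject identifier recorded at first login
    workspace_id: str  # hypothetical immutable workspace id recorded at first login
    secret: str        # stands in for HR records, pay stubs, chat history


# Constructed payload of the former employee's original login.
ORIGINAL_LOGIN = {
    "iss": "https://accounts.google.com",
    "sub": "108426573849201736451",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
    "workspace_id": "C01abc2de",  # hypothetical claim
}

# Constructed payload after an attacker buys the lapsed domain, creates a new
# Workspace tenant on it and recreates alice@. email and hd are identical; the
# new tenant's user gets a different sub and a different (hypothetical) workspace id.
ATTACKER_LOGIN = {
    "iss": "https://accounts.google.com",
    "sub": "117209385610274638829",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
    "workspace_id": "C09zyx8wv",  # hypothetical claim
}

# The SaaS provider's user directory, populated at Alice's first login.
DIRECTORY = {
    ORIGINAL_LOGIN["email"]: Account(
        email=ORIGINAL_LOGIN["email"],
        hd=ORIGINAL_LOGIN["hd"],
        sub=ORIGINAL_LOGIN["sub"],
        workspace_id=ORIGINAL_LOGIN["workspace_id"],
        secret="W-2 forms and private DMs",
    )
}


def _basic_checks(claims: dict) -> bool:
    """Checks shared by every pattern: Google issuer, verified email, hd present."""
    return (
        claims.get("iss") in ("https://accounts.google.com", "accounts.google.com")
        and claims.get("email_verified") is True
        and bool(claims.get("hd"))
    )


def login_by_email_and_hd(claims: dict, directory: dict) -> Optional[Account]:
    """Weak pattern from the report: look up by email, compare hd to the stored
    domain. Both survive a change of domain ownership, so the attacker's login
    resolves to Alice's old account and everything in it."""
    if not _basic_checks(claims):
        return None
    acct = directory.get(claims["email"])
    if acct is not None and acct.hd == claims["hd"]:
        return acct
    return None


def login_by_sub(claims: dict, directory: dict) -> Optional[Account]:
    """Hardened pattern: the sub recorded at enrolment must match. The new
    tenant's alice@ carries a fresh sub, so the old account is not reused."""
    if not _basic_checks(claims):
        return None
    acct = directory.get(claims["email"])
    if acct is not None and acct.sub == claims["sub"]:
        return acct
    return None


def login_by_email_and_workspace(claims: dict, directory: dict) -> Optional[Account]:
    """The report's proposed fix, modelled with the hypothetical workspace_id
    claim: a provider that (as the report says) cannot rely on sub can still
    refuse the login because the workspace that now owns the domain is not
    the one Alice's account was provisioned from."""
    if not _basic_checks(claims):
        return None
    acct = directory.get(claims["email"])
    if acct is not None and acct.workspace_id == claims.get("workspace_id"):
        return acct
    return None


if __name__ == "__main__":
    for name, fn in [("email+hd", login_by_email_and_hd),
                     ("sub", login_by_sub),
                     ("email+workspace", login_by_email_and_workspace)]:
        hit = fn(ATTACKER_LOGIN, DIRECTORY)
        print(f"{name:16s} attacker login -> "
              f"{'TAKEOVER: ' + hit.secret if hit else 'rejected'}")
```

Running the script shows the first pattern handing the attacker Alice's data while the other two reject the login. Note the trade-off the report raises: Google's own guidance is to key on `sub`, and that works here because the attacker's `sub` differs, but a provider that has seen `sub` drift for legitimate users will be tempted to fall back to email, which is exactly why the proposed workspace identifier matters.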
Impact and Scale
- Affected Population: Approximately 6 million Americans work for tech startups, and around 90% of those startups eventually fail. With roughly half of startups using Google Workspace for email, the exposed population is large: using Crunchbase data, the researcher found more than 100,000 defunct-startup domains available for purchase and estimates that they could expose more than 10 million accounts to unauthorized access [1][5].
- Sensitive Data Exposure: Whoever controls a re-registered domain can sign in to the services the former employees used, including HR systems, chat platforms and interview tools, and read what is stored there: Social Security numbers, tax documents, pay stubs, insurance information and private messages [1][5].
Proposed Fixes and Google’s Response
- Initial Dismissal: Google initially closed the report as a "fraud and abuse" issue rather than an OAuth vulnerability. After further pressure, including a talk on the finding at ShmooCon in December 2024, Google reopened the case and awarded a $1,337 bounty [1][5].
- Proposed Solutions: The researcher proposed that Google add two immutable identifiers to its OpenID Connect claims: a user ID that never changes for a given person, and a workspace ID tied to the domain. Downstream providers could then key accounts on those identifiers instead of on the email and domain claims, so a change of domain ownership would no longer map onto existing accounts [1][5].
- Mitigation Steps: Until Google ships a fix, downstream providers and individuals can only reduce the exposure. The steps suggested are disabling password-based authentication, enforcing single sign-on (SSO) with two-factor authentication (2FA), and requiring additional verification before a password reset is honored [1][5].
Secondary Concerns: Password Reset Takeovers
- Password Reset Risks: Even accounts created with a username and password rather than Google sign-in are exposed: if a service emails password-reset links to the old work address, whoever now controls the domain receives them and can take over the account. The same mitigations listed above apply, in particular requiring additional verification before a reset completes [5].
Current Status
As of January 2025, Google has said a fix is coming but has not published details or a timeline. Because the weakness lies in what the identity provider asserts, downstream providers such as Slack or Notion have limited options to close it on their own without changes from Google [1][5].
Conclusion
The Google OAuth vulnerability exposes a significant flaw in the "Sign in with Google" flow: the claims most providers rely on are tied to a domain, and domains change hands. The potential impact is substantial, affecting millions of accounts and exposing sensitive data. Until Google implements the proposed identifiers, users and service providers must take proactive steps to limit the risk. The original report and the analyses by cybersecurity news outlets give further detail [1][5].