
Google’s OAuth flaw is potentially exposing millions of accounts


Researchers have discovered a flaw in Google’s OAuth system that could allow attackers to access potentially sensitive data from former employee accounts at defunct startups.

Google’s OAuth is the Mountain View giant’s login tech that lets you access many platforms and services with your Google account. When you use the “Sign in with Google” option, you’re using OAuth. The company’s suite of services also has a large presence in business environments. Employees use OAuth not only to access the Workspace suite but also external platforms through the software-as-a-service (SaaS) model.

This Google OAuth flaw could allow attackers to inherit former employees’ logins

It’s possible that you have more than one Google account, and for some you don’t even remember your credentials. So, your lost account is left in a “limbo” where you can’t access it for one reason or another. However, the issue of keeping “zombie accounts” is more delicate in business environments. These accounts are often tied to third-party services with potentially sensitive data from former employees—or the company they worked for.

In late September 2024, the Trufflesecurity team detected a flaw in Google’s OAuth system that malicious actors could exploit. At the time, Google labeled the issue as “fraud and abuse” rather than a login vulnerability. However, Dylan Ayrey, CEO of Trufflesecurity, exposed it during the latest Shmoocon hacker convention last December. This prompted Google to reopen the ticket and offer a $1,337 bounty to researchers.

“Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees,” Ayrey said of the issue in a recent report. In the scenario where a third party buys a failed startup’s domain and inherits its Google OAuth login, they would not be able to access the company’s previous internal communications. However, they could log in to external services linked to that domain through Google OAuth. For example, they could access ChatGPT, Notion, Zoom, Slack, or some HR platforms, resuming the sessions of former employees of the defunct startup.
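What makes this possible is how the external service decides which account a “Sign in with Google” login belongs to. The added example below, which is not code from the article or from Trufflesecurity, contrasts a lookup keyed on the email and hosted-domain claims with one keyed on Google’s stable `sub` identifier; the user records and ID-token claims are constructed.

```python
"""Account lookup for a SaaS app behind "Sign in with Google" (added example).

Assumes a relying party that stores one record per user after an OpenID
Connect login and receives the already-validated ID token claims as a dict.
The `email` and `hd` (hosted domain) claims belong to whoever controls the
Workspace domain today; `sub` is Google's stable per-user identifier and is
not reissued when an account with the same address is re-created.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    user_id: int
    email: str
    google_sub: str
    org_domain: str


# Constructed sample data: one employee of a startup whose domain later lapsed.
USERS: List[User] = [
    User(1, "alice@example-startup.test", "sub-1001", "example-startup.test"),
]


def lookup_by_email(claims: Dict[str, object]) -> Optional[User]:
    """Weak: keyed on email + hd, so a re-registered domain resumes Alice's record."""
    for u in USERS:
        if u.email == claims.get("email") and u.org_domain == claims.get("hd"):
            return u
    return None


def lookup_by_sub(claims: Dict[str, object]) -> Optional[User]:
    """Hardened: keyed on `sub`; the same address with a new `sub` is a new principal."""
    if claims.get("email_verified") is not True:
        return None
    for u in USERS:
        if u.google_sub == claims.get("sub"):
            return u
    return None


def detect_sub_change(claims: Dict[str, object]) -> bool:
    """Detection hook: True when a known email arrives with an unknown `sub`,
    the signature of a re-created account on a reacquired domain."""
    known = lookup_by_email(claims)
    return known is not None and known.google_sub != claims.get("sub")
```

Services that already key on email can use the detection hook to flag such logins for review instead of silently resuming the old record.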

Attackers only need to buy an obsolete domain from a failed startup

The researcher showed how he managed to access confidential data of a failed startup from HR systems. He just had to purchase an obsolete domain and use legacy OAuth credentials. Potential attackers could start targeting domains related to failed startups in order to purchase them and exploit the vulnerability. Crunchbase’s database of startups that no longer exist lists around 116,481 available domains. This means that there could potentially be millions of former employee accounts ready to be “exploited” out there.

To prevent problems related to the OAuth system, you should avoid using your company credentials on personal accounts. Doing so could open the door for attackers to steal them in the future. You should also remove any sensitive data from your business account if you change jobs.


