Google’s OAuth Vulnerability Exposed by Quirk in Domain Ownership

A recent study has revealed a security flaw in Google’s “Sign in with Google” authentication flow, which could allow an attacker to access sensitive data and re-create email accounts for former employees of defunct startups. Truffle Security co-founder Dylan Ayrey discovered the vulnerability, which exploits a quirk in domain ownership.

The issue arises when someone buys the lapsed domain of a failed startup, sets up a fresh Google Workspace on it, and re-creates the mailboxes of former employees. "Sign in with Google" then issues ID tokens for those mailboxes that carry the same email addresses and the same hosted-domain (`hd`) value as before, so the new domain owner can log into the former employees' accounts on applications such as OpenAI ChatGPT, Slack, Notion, Zoom, and HR systems, without ever having controlled the original accounts.

The root cause is that Google's OAuth/OpenID Connect login flow does not account for changes in domain ownership: the `email` and `hd` claims that many downstream applications use as the user's identity are reissued unchanged to whoever controls the domain next. The issue has the potential to put millions of American users' data at risk. Truffle Security recommends that downstream software providers key user records on the ID token's `sub` claim, Google's stable per-user identifier, rather than on the email address, to mitigate this risk.
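To make the failure concrete, here is an added example (written for this page, not code from Truffle Security, Google, or any affected vendor) of a SaaS back end resolving a user from already-verified Google ID-token claims. Both claim sets, the client ID, and the stored account are constructed for illustration; signature verification (for instance with `google.oauth2.id_token.verify_oauth2_token`) is assumed to have already happened and is not shown. The email-keyed resolver hands the domain re-registrant the old account; the `sub`-keyed resolver does not, and also refuses to silently link a never-seen `sub` to an existing email, which is the auto-link shortcut that turns many "we use sub" implementations back into email-keyed ones.

```python
import time
from dataclasses import dataclass

# Assumed OAuth client id for this application (constructed).
EXPECTED_AUD = "example-client-id.apps.googleusercontent.com"

# Constructed claims from the original employee's ID token.
ALICE_ORIGINAL = {
    "iss": "https://accounts.google.com",
    "aud": EXPECTED_AUD,
    "sub": "108765432109876543210",          # Google's stable user id (constructed)
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",          # hosted domain of the Workspace
    "exp": int(time.time()) + 3600,
}

# Constructed claims after someone re-registers the domain, creates a new
# Google Workspace on it, and re-creates alice@. Email and hd are identical;
# only sub differs, because it is a different Google account.
ATTACKER_AFTER_DOMAIN_RESALE = {**ALICE_ORIGINAL, "sub": "117654321098765432109"}


@dataclass
class Account:
    account_id: str
    google_sub: str
    email: str
    hd: str
    private_data: str  # stands in for chat history, HR records, etc.


# The application's user store, seeded with Alice's original account.
STORE = [
    Account("acct-1", ALICE_ORIGINAL["sub"], ALICE_ORIGINAL["email"],
            ALICE_ORIGINAL["hd"], "salary and performance reviews"),
]


class InvalidToken(Exception):
    pass


class LinkConflict(Exception):
    """A never-seen sub presented an email that already belongs to an account."""


def validate(claims):
    """Checks every resolver must do regardless of which claim keys the account."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise InvalidToken("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise InvalidToken("token was not issued for this client")
    if claims.get("exp", 0) <= time.time():
        raise InvalidToken("token expired")
    if not claims.get("email_verified"):
        raise InvalidToken("Google did not verify this email")
    return claims


def resolve_by_email(claims):
    """Vulnerable pattern: email (plus hd) is the account key."""
    claims = validate(claims)
    for acct in STORE:
        if acct.email.lower() == claims["email"].lower() and acct.hd == claims.get("hd"):
            return acct
    return None


def resolve_by_sub(claims):
    """Hardened pattern: sub is the account key. A new sub that reuses an
    existing account's email is a conflict to review, not an automatic link."""
    claims = validate(claims)
    for acct in STORE:
        if acct.google_sub == claims["sub"]:
            return acct
    if any(a.email.lower() == claims["email"].lower() for a in STORE):
        raise LinkConflict(claims["email"])
    return None  # genuinely new user: caller may provision an empty account


def takeover_succeeds(resolver):
    """True if the domain re-registrant's token lands on Alice's old account."""
    try:
        acct = resolver(ATTACKER_AFTER_DOMAIN_RESALE)
    except LinkConflict:
        return False
    return acct is not None and acct.account_id == "acct-1"


if __name__ == "__main__":
    print("email-keyed lookup, attacker reaches old data:", takeover_succeeds(resolve_by_email))
    print("sub-keyed lookup,   attacker reaches old data:", takeover_succeeds(resolve_by_sub))
```

The `LinkConflict` path is the practical caveat: keying on `sub` only helps if first-login provisioning does not fall back to "find the account with this email and attach the new `sub` to it". How such a conflict is resolved (out-of-band verification, an admin review queue, or simply a fresh empty account) is a product decision; the point is that it must not be silent.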

Google initially responded to the vulnerability disclosure by stating it was intended behavior, but later re-opened the bug report and awarded Ayrey a bounty of $1,337. The company has since updated its documentation with warnings to prevent similar issues in the future.

The research highlights the importance of properly winding down a startup's domain and SaaS accounts when the company closes, and of employees offboarding their own data before moving on. Without immutable identifiers for both users and workspaces in the identity token, changes in domain ownership will continue to compromise accounts.

Source: https://thehackernews.com/2025/01/google-oauth-vulnerability-exposes.html