Google’s “Sign in with Google” authentication flow has been found vulnerable by security researchers, allowing hackers to access sensitive data from potentially millions of accounts. The issue was first reported on September 30, 2024, but was marked as “won’t fix” until a researcher demonstrated the exploit at a major security conference and received a small bounty.
The problem lies in Google’s OAuth login system not protecting against someone purchasing a failed startup’s domain and using it to recreate email accounts for former employees. This allows attackers to access software-as-a-service products used by the organization, including HR systems that contain sensitive information such as tax documents, pay stubs, insurance information, and social security numbers.
The vulnerability revolves around the claims Google sends when a user clicks the “Sign in with Google” button. These claims include the hosted domain and the user’s email address. If a service relies solely on these, a change in domain ownership is indistinguishable from the original owner, so an attacker who re-registers the domain can inherit access to former employees’ accounts.
Google has since updated its developer documentation to make the guidance more prominent, urging developers to use the “sub field” as the unique identifier for users. This field is unique across all Google accounts and is never reused. However, the company’s response to the initial report was met with criticism, with some arguing that the issue was not adequately addressed.
Security experts warn that this vulnerability highlights concerns around user data protection and the continued reliance on third-party authentication systems. To mitigate such risks, companies must deploy rigorous security assessments and ensure that their authentication methods are resilient against potential exploitation.
Google has awarded a small bounty to researchers who demonstrated the exploit, and is now working on a fix. However, it remains to be seen whether this will involve implementing new immutable identifiers as suggested by the researcher.
The attack scenario does not identify risk to data stored by Google but instead to data stored on third-party platforms. These partners have levers in place to protect against this type of issue, including wiping out all customer data on account close-out and using the “sub field” within their application.
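The following is an added example (not code from the article or from Google) showing the “sub field” mitigation described above: the application keys its user records on the ID token’s `sub` claim and treats a known email arriving with an unknown `sub` as a collision to review rather than an account to reuse. It assumes the token has already been signature-verified and is passed in as a dict of claims (`sub`, `email`, `hd`); the user store and sample values are constructed for the example.

```python
"""Resolve a 'Sign in with Google' login by the stable `sub` claim, never by email.

Added example; the user store below is a constructed in-memory stand-in for a
real database and the claim dicts are assumed to be already-verified ID tokens.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: str
    google_sub: str
    email: str
    hd: str


# Constructed sample store: a former employee's account created while the
# startup still owned example-startup.com. Keyed by `sub`, never by email.
USERS_BY_SUB = {
    "1001": User("u-1", "1001", "alice@example-startup.com", "example-startup.com"),
}


def lookup_by_sub(claims: dict) -> Optional[User]:
    """Resolve the signed-in user by `sub` only.

    Returns None when no account has this `sub`, even if the email or hd
    matches an existing user: a Google account recreated under a
    re-registered domain is a new account with a different `sub`.
    """
    return USERS_BY_SUB.get(claims["sub"])


def email_collision(claims: dict) -> Optional[User]:
    """Return the stored user whose email matches an unknown `sub`, if any.

    This is the domain-repurchase case: same address, different identity.
    """
    if lookup_by_sub(claims) is not None:
        return None
    for user in USERS_BY_SUB.values():
        if user.email.lower() == claims["email"].lower():
            return user
    return None


def resolve_login(claims: dict) -> str:
    """'ok:<user_id>' for a matching sub, 'review' on an email collision, else 'new'."""
    user = lookup_by_sub(claims)
    if user is not None:
        return f"ok:{user.user_id}"
    if email_collision(claims) is not None:
        return "review"
    return "new"
```

A “review” result should block automatic account linking and alert an administrator, since the same email and hosted domain now belong to a different Google identity.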
Source: https://www.forbes.com/sites/daveywinder/2025/01/16/millions-of-sign-in-with-google-users-warned-of-data-theft-hack-attack