Friday, January 31, 2025

Millions Of Sign-In-With-Google Users Warned Of Data-Theft Vulnerability


Update, Jan. 16, 2025: This story, originally published Jan. 15, now includes a statement from Google and further clarification of the initial response to the researcher’s findings, as well as additional comments from a security expert.

Google is always in the news and, sadly, not always for positive reasons as far as security issues are concerned. It’s great that new security rules are dropping soon to help protect users, and there’s plenty of help for Gmail users who find their accounts have been hacked. However, with users already on high alert as two-factor authentication bypass attacks continue, the last thing Google needs is yet more bad news regarding securely signing into accounts. Yet bad news is what it has got with the publication of research demonstrating how Google’s OAuth authentication can be exploited by attackers to gain access to sensitive data from, potentially, millions of accounts. Here’s what you need to know.


The Sign In With Google Vulnerability Explained

A Jan. 13 report has revealed how security researchers uncovered a rather shocking vulnerability impacting Google’s “Sign in with Google” authentication flow. “I demonstrated this flaw by logging into accounts I didn’t own,” Dylan Ayrey, CEO and co-founder of Trufflesecurity, said, “and Google responded that this behavior was working as intended.” Ayrey warned anyone who has ever worked for a startup in the past, particularly one that has now ceased trading, that they may be vulnerable to this hack attack method.

Ayrey explained that the problem is based on the fact that Google’s OAuth login “doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees,” which leaves the door wide open to an attacker using those accounts to log into any software-as-a-service products that the organization had used. What kind of services, you may wonder? Well, the security research demonstrated how just one of these defunct domains opened the security doors to former employee accounts on ChatGPT, Notion, Slack and Zoom. “The most sensitive accounts included HR systems,” Ayrey said, “which contained tax documents, pay stubs, insurance information, social security numbers, and more.”


The vulnerability appears to revolve around the “claims” that Google sends when a user hits the Sign in with Google button to access a service. These claims include the hosted domain and the user’s email address, and the service provider usually uses both to decide whether access should be granted. However, Ayrey found that if a service relies solely on these two claims, a change of domain ownership is invisible to it. “When someone buys the domain of a defunct company,” Ayrey said, “they inherit the same claims, granting them access to old employee accounts.”

“This vulnerability highlights robust concerns around user data protection and the continued reliance on third-party authentication systems,” Roei Sherman, field chief technology officer at Mitiga, said. “To mitigate such risks, it is vital that companies deploy rigorous security assessments and ensure that their authentication methods are not only user-friendly but also resilient against potential exploitation.”

Google Response To OAuth Hacking Risk

Ayrey said that the issue was initially reported to Google on Sep 30, 2024 and marked as “won’t fix” on Oct 2, 2024. After he demonstrated the exploit at a major security conference, Shmoocon, in December, Google reopened the ticket and awarded the researchers a small bounty of $1337. The amount is interesting in itself, as 1337 is hacker slang for elite. Ayrey said that Google is now working on a fix, although whether that will involve the approach proposed in the Trufflesecurity report, of implementing two new immutable identifiers, a unique user ID that doesn’t change over time and a unique workspace ID tied to the domain, remains to be seen.

I reached out to Google for a statement and a spokesperson said: “We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk.”


Google also wanted to clarify the initial response to the researcher as it told me it was seeing some confusion regarding this. During a brief conversation, Google wanted to make it clear that, in its opinion, a fix wasn’t necessary because a strong and appropriate protection is already in place. The “sub field” is the immutable identifier the researcher calls for – and Google said it strongly urged developers to use it to provide extra protection. While happy to examine any further materials on this matter, Google told me that it hadn’t seen any evidence to support the assertion that the sub field is not an immutable and unique identifier. Google also wanted to add that it has now updated the documentation for developers to make this guidance even more prominent.

A Google spokesperson also told me that the attack scenario does not put data stored by Google at risk, but rather data stored on third-party platforms, an important distinction.

Such third-party Google partners have levers in place to protect against this type of issue, the spokesperson said, including:

  • Wipeout of all customer data on account close out to ensure company-wide accessible data is no longer available.
  • Using the sub field within their application as the unique-identifier key for the user to ensure user-specific data can never be accessed by any other entity. This field is unique among all Google accounts and never reused.
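To make the difference between the two lookups concrete, here is an added example (not code from the article, Google or Truffle Security) of how a SaaS app resolves a signed-in user from the decoded ID-token claims. All claim values, the domain and the store are constructed for the demo; the point is that an account keyed on the email and hosted-domain claims is handed to whoever re-creates that mailbox, while one keyed on sub is not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    email: str
    sub: str


class AccountStore:
    """Minimal in-memory user table for the demo (constructed, not a real backend)."""

    def __init__(self):
        self.by_email = {}
        self.by_sub = {}

    def add(self, user):
        self.by_email[user.email] = user
        self.by_sub[user.sub] = user


def resolve_by_email_and_hd(store, claims, allowed_hd):
    """Vulnerable pattern: trusts only the hd and email claims.
    A new owner of a lapsed domain who re-creates the mailbox inherits both."""
    if claims.get("hd") != allowed_hd or not claims.get("email_verified"):
        return None
    return store.by_email.get(claims.get("email"))


def resolve_by_sub(store, claims, allowed_hd):
    """Hardened pattern: hd/email still gate the workspace, but the account is
    keyed on sub, which Google states is unique and never reused, so a
    re-created mailbox resolves to no existing user (treat it as a new signup)."""
    if claims.get("hd") != allowed_hd or not claims.get("email_verified"):
        return None
    return store.by_sub.get(claims.get("sub"))


# Constructed sample: a former employee's account, provisioned while the startup ran.
HD = "defunct-startup.example"
STORE = AccountStore()
STORE.add(User("u-1001", "alice@" + HD, "sub-constructed-original"))

# Constructed claims for the original employee's Google account.
ORIGINAL_CLAIMS = {"hd": HD, "email": "alice@" + HD,
                   "email_verified": True, "sub": "sub-constructed-original"}
# Constructed claims after the lapsed domain is re-registered and the mailbox
# re-created: hd and email are identical, but Google issues a different sub.
RECREATED_CLAIMS = {**ORIGINAL_CLAIMS, "sub": "sub-constructed-new-owner"}


def demo():
    return {
        "email_keyed_original": resolve_by_email_and_hd(STORE, ORIGINAL_CLAIMS, HD),
        "email_keyed_recreated": resolve_by_email_and_hd(STORE, RECREATED_CLAIMS, HD),
        "sub_keyed_original": resolve_by_sub(STORE, ORIGINAL_CLAIMS, HD),
        "sub_keyed_recreated": resolve_by_sub(STORE, RECREATED_CLAIMS, HD),
    }
```

Only the email-keyed lookup returns the old employee's record for the re-created mailbox; the sub-keyed lookup returns nothing, which is the behaviour the spokesperson's second lever describes.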

