Logging into a website using the “Sign In With Google” option is really convenient, to the point where you may have used it hundreds of times already. However, researchers have found that using the feature as an employee of a business opens you up to potential privacy breaches, and worst of all, there isn’t a fix for it yet.
The “Sign In With Google” Feature Leaves Remnants From Prior Domain Users
As reported by Trufflesecurity, a flaw in Google’s OAuth system has been discovered. It affects anyone who worked for a company that allowed its employees to use “Sign In With Google” logins and that has since shut down.
Here’s the problem: when you’re an employee of a company and you use the “Sign In With Google” feature to log into an app like Slack with your business account, the app receives two pieces of data from Google: the domain and the email address. The app identifies you by those two values, so anyone who can present the same domain and email address gets logged into the same account.
The “domain” part is the business’s domain name, which tells the app that you’re an employee of that specific company. However, if the company closes its doors, a malicious actor can purchase and take ownership of the unused domain. If the business didn’t “clean up” properly before shutting down, the bad actor can re-create the employee email addresses under that domain and use them to log into third-party services.
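To make the weakness concrete, here is an added example (not code from the article or from Trufflesecurity) that models how a third-party app links a Google sign-in to a stored account: the weak version matches on the domain and email address as described above, while the hardened version keys on the `sub` claim, which Google documents as the stable per-user identifier. The claim names `email`, `hd` and `sub` are the ones Google’s ID tokens use; the domain, accounts and token values are constructed, and the page itself states that no fix exists yet, so the subject-based check is shown only as one defensive measure.

```python
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    hd: str    # hosted domain the user belonged to at first sign-in
    sub: str   # Google's stable per-user identifier


# Constructed sample: the account the app created when "Alice" first signed in
# while employed at the fictional, now-defunct example-corp.com.
ACCOUNTS = [
    Account(email="alice@example-corp.com", hd="example-corp.com",
            sub="10769150350006150715113082367"),
]

# Constructed ID-token claims as the app sees them after signature verification.
ORIGINAL_EMPLOYEE = {"email": "alice@example-corp.com",
                     "hd": "example-corp.com",
                     "sub": "10769150350006150715113082367"}

# Same email and domain, re-created under a new Workspace tenant by whoever
# registered the lapsed domain. Google issues a different subject identifier.
DOMAIN_RECLAIMER = {"email": "alice@example-corp.com",
                    "hd": "example-corp.com",
                    "sub": "20031102940188440033010094522"}


def lookup_by_domain_and_email(claims):
    """Weak linking: the lookup the article describes. Anyone who later
    controls the domain and re-creates the mailbox matches the old account."""
    for acct in ACCOUNTS:
        if acct.hd == claims["hd"] and acct.email == claims["email"]:
            return acct
    return None


def lookup_by_sub(claims):
    """Hardened linking: key on the subject identifier. A re-created mailbox
    under a reclaimed domain does not match, so the old data stays unreachable."""
    for acct in ACCOUNTS:
        if acct.sub == claims["sub"]:
            return acct
    return None
```

A real deployment would also verify the token's signature, issuer, audience and expiry before reading any claim; the lookups above start from already-verified claims.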
Fortunately, the bad actor couldn’t get into the old business Gmail account and read its emails, but Trufflesecurity found that it could access the former employee’s accounts on ChatGPT, Slack, Notion, Zoom, HR systems, and more. And while any of these accounts could hold sensitive data on its own, the HR systems are the most dangerous, as they contain information such as social security numbers and banking details.
Unfortunately, when this exploit was first reported, Google pinned the blame on companies for not properly erasing their data. However, after Trufflesecurity demoed the attack during Shmoocon (which you can see in the above video at the 5:34:00 mark), Google is looking into it again.
In the meantime, if you used “Sign In With Google” while employed at a company that has since shut down, your data may be vulnerable. Keep an eye on your details and be ready to act if you notice signs of a data breach. And even if you never use the handy login feature at work, there are plenty of reasons why you should no longer use “Sign In With Google” on any website.