- Buying domains from businesses that shut down could grant access to their SaaS accounts, research finds
- Google argues it’s not a vulnerability, and that businesses should make sure they’re not leaving sensitive information behind
- Researchers propose additional safeguards
Experts have found a vulnerability in Google’s OAuth “Sign in with Google” feature which could allow malicious actors to access sensitive data belonging to businesses that have shut down.
Google acknowledged the flaw, but is not doing much to address it, rather saying that it is up to the businesses to ensure the security of the data they are leaving behind.
The vulnerability was first discovered by security researchers from Trufflesecurity, who reported it to Google in late September 2024. However, it was only after the company’s CEO and co-founder, Dylan Ayrey, presented the issue at Shmoocon in December 2024 that Google reacted.
Google suggests mitigations
Here is how it works, in theory:
A business signs up for an HR service using its business email account and the “Sign in with Google” feature. It uses the HR service for things like employee contracts, payouts, and more. Some time later, the business shuts down, and terminates the domain. After that, a malicious actor registers the same domain, and recreates the same email address used to log into the HR service.
They then proceed to log into the account on the HR platform, where they can access all the information and files left behind.
Google awarded Trufflesecurity a small bounty, but decided not to pursue a fix:
“We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation,” a Google spokesperson told TechRadar Pro in an email statement. “As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk.”
In other words, it’s up to the businesses to make sure they’re not leaving residual data behind.
Ayrey notes a quick look through Crunchbase returns more than 100,000 domains that can be abused this way. He suggested Google introduce immutable identifiers, while SaaS providers add cross-referencing domain registration dates.
Google also claims that the whole research caused some confusion, since there doesn’t seem to be much risk involved:
“We’re seeing some confusion regarding our initial response to the researcher. To be clear: a fix wasn’t necessary because a strong and appropriate protection is already in place. The “sub field” is the immutable identifier that the researcher is calling for – we strongly urge developers to use it to provide extra protection.”
“We’ll happily examine any materials on this, but we’ve seen no evidence to support the assertion that the sub field is not an immutable and unique identifier.”
Via BleepingComputer