Wednesday, January 15, 2025

Millions Of Sign In With Google Users Warned Of Data Theft Hack Attack


Google is always in the news and, sadly, not always for positive reasons where security is concerned. New security rules are due soon to help protect users, and there is plenty of help for Gmail users who find their accounts have been hacked. However, with users already on high alert as two-factor authentication bypass attacks continue, the last thing Google needs is more bad news about signing into accounts securely. Yet that is what it has got: newly published research shows how Google’s OAuth sign-in flow can be abused by attackers to gain access to sensitive data from, potentially, millions of accounts. Here’s what you need to know.


The Sign In With Google Vulnerability Explained

A Jan. 13 report revealed how security researchers uncovered a shocking vulnerability in Google’s “Sign in with Google” authentication flow. “I demonstrated this flaw by logging into accounts I didn’t own,” Dylan Ayrey, CEO and co-founder of Trufflesecurity, said, “and Google responded that this behavior was working as intended.” Ayrey warned anyone who has ever worked for a startup, particularly one that has since ceased trading, that they may be vulnerable to this attack method.

Ayrey explained that the problem stems from the fact that Google’s OAuth login “doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees,” which leaves the door wide open for an attacker to use those accounts to log into any software-as-a-service (SaaS) products the organization had used. What kind of services? The research showed how just one of these defunct domains opened the door to former employee accounts on ChatGPT, Notion, Slack and Zoom. “The most sensitive accounts included HR systems,” Ayrey said, “which contained tax documents, pay stubs, insurance information, social security numbers, and more.”

The vulnerability revolves around the “claims” that Google sends when a user clicks the Sign in with Google button to access a service. These claims include the hosted domain and the user’s email address, and the service provider typically uses both to decide whether to grant access. Ayrey found, however, that if a service relies solely on these two claims, a change of domain ownership is indistinguishable from the original owner. “When someone buys the domain of a defunct company,” Ayrey said, “they inherit the same claims, granting them access to old employee accounts.”

Google Response To OAuth Hacking Risk

Ayrey said that the issue was initially reported to Google on Sep 30, 2024 and marked as “won’t fix” on Oct 2, 2024. After the researchers demonstrated the exploit in December at Shmoocon, a major security conference, Google reopened the ticket and awarded them a small bounty of $1337. The amount is interesting in itself, as 1337 is hacker slang for elite. Ayrey said that Google is now working on a fix, although whether it will take the approach recommended in the Trufflesecurity report, adding two new immutable identifiers (a unique user ID that does not change over time and a unique workspace ID tied to the domain), remains to be seen.
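To make the claims problem above and the stable-identifier fix concrete, here is an added example (not code from the report or from Google) of a relying party’s account lookup: a vulnerable version that matches only the hosted-domain and email claims, beside a hardened version that pins each account to a stable per-user identifier. It assumes the standard OIDC `sub` claim as the stand-in for the immutable user ID the report proposes; the domain, accounts and claim values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    email: str
    hd: str                    # hosted-domain claim the account was provisioned under
    sub: Optional[str] = None  # stable subject id, bound on first successful login

def make_accounts() -> Dict[Tuple[str, str], Account]:
    # Constructed SaaS user table, keyed on (hd, email) exactly as the article describes.
    return {("defunct-startup.example", "alice@defunct-startup.example"):
            Account("alice@defunct-startup.example", "defunct-startup.example")}

def domain_only_login(accounts, claims) -> Optional[Account]:
    """Vulnerable lookup: hd and email are the only inputs, so whoever later controls the
    domain and re-creates the mailbox presents identical claims and receives the account."""
    return accounts.get((claims.get("hd"), claims.get("email")))

def subject_bound_login(accounts, claims) -> Optional[Account]:
    """Hardened lookup: the first login pins the account to a stable per-user id (the OIDC
    'sub' claim here, assumed immutable); later logins must present the same id."""
    acct = accounts.get((claims.get("hd"), claims.get("email")))
    sub = claims.get("sub")
    if acct is None or not sub:
        return None
    if acct.sub is None:
        acct.sub = sub          # trust-on-first-use binding for an account never pinned before
        return acct
    return acct if acct.sub == sub else None   # same hd/email, different person: refuse

# Constructed ID-token claims. Signature, audience and expiry checks on the token are
# assumed to have passed upstream; they are not part of this example.
ORIGINAL_EMPLOYEE = {"hd": "defunct-startup.example", "email": "alice@defunct-startup.example", "sub": "1001"}
DOMAIN_SUCCESSOR = {"hd": "defunct-startup.example", "email": "alice@defunct-startup.example", "sub": "9999"}

def run_scenario() -> Tuple[bool, bool]:
    """Returns (vulnerable lookup grants successor, hardened lookup grants successor)."""
    vulnerable, hardened = make_accounts(), make_accounts()
    domain_only_login(vulnerable, ORIGINAL_EMPLOYEE)       # legitimate employee logs in first
    subject_bound_login(hardened, ORIGINAL_EMPLOYEE)       # pins sub "1001" to the account
    granted_vulnerable = domain_only_login(vulnerable, DOMAIN_SUCCESSOR) is not None
    granted_hardened = subject_bound_login(hardened, DOMAIN_SUCCESSOR) is not None
    return granted_vulnerable, granted_hardened

if __name__ == "__main__":
    print(run_scenario())  # (True, False)
```

An account that was never pinned is still claimable by whoever presents matching hd and email first, so the binding only protects accounts whose legitimate owner logged in after it was introduced.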

I have reached out to Google for a statement.

