A vulnerability in the “Sign in with Google” authentication system has left millions of Americans at risk of data theft. The issue primarily affects former employees of startups, particularly those that have ceased operations.
Truffle Security identified the vulnerability as stemming from how Google OAuth handles changes in domain ownership. When a startup shuts down, its domain becomes available for purchase. A new owner can recreate the email addresses of former employees, which, while not granting access to historical emails, allows entry into various services.
A security researcher demonstrated the flaw by purchasing the domain of a defunct startup. This enabled access to services such as ChatGPT, Slack, Notion, Zoom, and HR systems containing sensitive information like Social Security numbers, tax documents, and other confidential data.
The scope of the issue is vast. In the U.S., approximately six million people work in startups, about 90% of which eventually close, and roughly half of them use Google Workspace. Data analysis from Crunchbase revealed that over 100,000 domains from shuttered startups are available for purchase, posing a data breach risk for more than 10 million accounts.
The vulnerability lies in how providers like Slack authenticate users. They rely on two Google OAuth parameters: hd (hosted domain) and email. When a domain changes ownership, a recreated mailbox yields exactly the same hd and email values, so the new domain owner is matched to the former employee's account and granted its access.
A potential solution involves Google implementing two immutable identifiers in OpenID Connect (OIDC): a unique user identifier and a workspace identifier. However, despite being notified by the researcher, Google initially declined to address the issue, deeming it “unfixable.” Only after widespread public attention did the company revisit the case.
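The following is an added example, not code from Truffle Security or from any of the providers named above. It models the two account-linking patterns the text describes from the relying party's side: a lookup keyed on the hd and email claims, which a recreated mailbox on a re-purchased domain satisfies, beside a lookup keyed on immutable user and workspace identifiers of the kind the proposed fix calls for. The ID-token claims are constructed dictionaries rather than real Google tokens, and the claim name "workspace_id" is assumed for illustration, since the page presents the workspace identifier as a proposal rather than an existing claim.

```python
"""Relying-party account linking: hd+email matching versus stable-identifier matching.
Added example with constructed claims; not production code from any provider."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    hd: str
    subject: str        # immutable per-user identifier (OIDC "sub" claim)
    workspace_id: str   # immutable per-tenant identifier; claim name assumed for this example
    data: dict = field(default_factory=dict)


class AccountStore:
    def __init__(self) -> None:
        self.accounts: list[Account] = []

    def find_by_email_hd(self, email: str, hd: str) -> Account | None:
        return next((a for a in self.accounts if a.email == email and a.hd == hd), None)

    def find_by_stable_ids(self, subject: str, workspace_id: str) -> Account | None:
        return next((a for a in self.accounts
                     if a.subject == subject and a.workspace_id == workspace_id), None)

    def create(self, claims: dict) -> Account:
        acct = Account(f"acct-{len(self.accounts) + 1}", claims["email"], claims["hd"],
                       claims["sub"], claims["workspace_id"])
        self.accounts.append(acct)
        return acct


def _basic_checks(claims: dict) -> None:
    # Checks that do not help here but should still be present: the address must be
    # verified by the IdP and must belong to a hosted (Workspace) domain.
    if not claims.get("email_verified"):
        raise PermissionError("email not verified by the identity provider")
    if not claims.get("hd"):
        raise PermissionError("no hosted-domain claim; not a Workspace account")


def login_by_email_hd(store: AccountStore, claims: dict) -> Account:
    """Pattern the article describes: hd + email ARE the identity. Whoever later controls
    the domain and recreates the address presents identical claims and gets the old account."""
    _basic_checks(claims)
    return store.find_by_email_hd(claims["email"], claims["hd"]) or store.create(claims)


def login_by_stable_ids(store: AccountStore, claims: dict) -> Account:
    """Hardened pattern: the immutable user and workspace identifiers are the identity;
    email and hd are display data only. A familiar address with unfamiliar identifiers is
    a different principal and gets a fresh, empty account instead of the old one."""
    _basic_checks(claims)
    acct = store.find_by_stable_ids(claims["sub"], claims["workspace_id"])
    if acct is not None:
        return acct
    return store.create(claims)   # never re-links to an account found only via email/hd


# Constructed sample claims (not real Google ID tokens). Same hd and email, different principal.
FORMER_EMPLOYEE = {"sub": "sub-former-001", "workspace_id": "ws-old-tenant",
                   "hd": "defunct-startup.example", "email": "alice@defunct-startup.example",
                   "email_verified": True}
DOMAIN_BUYER = {"sub": "sub-buyer-777", "workspace_id": "ws-new-tenant",
                "hd": "defunct-startup.example", "email": "alice@defunct-startup.example",
                "email_verified": True}


def seeded_store() -> AccountStore:
    """A store holding the former employee's account with constructed sensitive HR data."""
    store = AccountStore()
    acct = login_by_email_hd(store, FORMER_EMPLOYEE)
    acct.data["ssn_last4"] = "1234"   # constructed placeholder value
    return store


def simulate() -> dict:
    """Log the domain buyer in under each pattern and report whether old data is reachable."""
    weak = login_by_email_hd(seeded_store(), DOMAIN_BUYER)
    strong = login_by_stable_ids(seeded_store(), DOMAIN_BUYER)
    return {"email_hd_exposes_old_data": "ssn_last4" in weak.data,
            "stable_ids_expose_old_data": "ssn_last4" in strong.data}


if __name__ == "__main__":
    print(simulate())
```

The hardened lookup only works if the identity provider actually guarantees that the subject and workspace identifiers never change hands with the domain, which is exactly the guarantee the proposed fix asks Google to supply; a relying party cannot manufacture it on its own.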
A complete resolution has yet to be proposed, and providers like Slack cannot rectify the problem independently. This vulnerability underscores the urgent need to strengthen authentication systems and rethink security strategies in an era of growing reliance on cloud services.