Researchers at Truffle Security have uncovered a flaw in the way Google OAuth, Google's implementation of the open OAuth standard, identifies users. OAuth lets users authorize third-party applications to access their data on Google services such as Gmail, Google Drive, YouTube or Google Docs.
According to the researchers' investigation, the "Sign in with Google" function of the OAuth system can be used to take over the accounts that companies which have gone out of business, and their employees, held on third-party services. Only defunct startups and their former staff are affected.
OAuth Flaw and Data Theft
A company that uses Google OAuth signs its employees into third-party applications with email addresses on the domain it owns; that domain effectively serves as the login. But if the company shuts down and lets its domain lapse, anyone can buy it. As researcher Dylan Ayrey explains, "Google's OAuth login doesn't protect against someone buying a failed startup's domain and using it to recreate email accounts for former employees."
The identity that third-party services receive from Google OAuth is often tied to the email address and its domain, not to an immutable identifier. If the domain changes hands, Google OAuth has no reliable way to signal the change to those services. The new owner can therefore recreate the old addresses and use "Sign in with Google" to reconnect to the third-party services the former employees used, such as Slack, Notion, Zoom or ChatGPT, to name only a few.
From then on, an attacker can exfiltrate sensitive data from those accounts. The researchers demonstrated that confidential documents can be retrieved by signing into human resources platforms this way. The files that could end up in an attacker's hands include tax documents, insurance information and Social Security numbers, a serious threat to the people concerned: with a Social Security number, an attacker can attempt identity theft.
The researchers point out that Google OAuth does include a "sub" claim, which is supposed to act as a unique identifier assigned to each user regardless of changes to their domain or email address. Unfortunately, this mechanism has an inconsistency rate of 0.04%: in a small fraction of cases the sub claim does not remain constant over time. Under these conditions, third-party services cannot rely solely on the sub claim to identify users, so they fall back on the email address and domain, which opens the door to account takeover and data leaks.
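The two identity-mapping strategies described above, side by side, as an added illustration that is not code from Truffle Security, Google or any of the services named. The claim dictionaries are constructed to mimic the payload of a Google OpenID Connect ID token (sub, email, email_verified, hd) and are assumed to have already passed signature, issuer, audience and expiry verification; the user store, the sub values and the function names are hypothetical.

```python
"""Account lookup for 'Sign in with Google', keyed on email vs. on sub.

Constructed example: the claim dictionaries below imitate the payload of a
Google OpenID Connect ID token (sub, email, email_verified, hd) and are
assumed to have already passed signature, issuer, audience and expiry
checks. The user store, sub values and function names are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class User:
    user_id: str
    email: str
    hd: str          # hosted (Workspace) domain seen at first sign-in
    google_sub: str  # immutable Google account identifier seen at first sign-in


# Former employee's token, issued while the startup still owned the domain.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "sub": "107691503500061507151",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "hd": "failed-startup.example",
}

# Token for the same address after the domain was bought and the mailbox
# re-created: a different Google account, hence a different sub, but an
# identical email and hd.
DOMAIN_BUYER = {
    "iss": "https://accounts.google.com",
    "sub": "218937465021983476501",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "hd": "failed-startup.example",
}

# The third-party service's user table, populated when Alice first signed in.
USERS: List[User] = [
    User("u-1", "alice@failed-startup.example",
         "failed-startup.example", ORIGINAL_EMPLOYEE["sub"]),
]


def lookup_by_email(claims: dict, users: List[User]) -> Optional[User]:
    """Vulnerable pattern: match on email + hosted domain only.

    Both values follow the domain, so whoever controls the domain can obtain
    a token that matches the former employee's row.
    """
    if not claims.get("email_verified"):
        return None
    for u in users:
        if (u.email.casefold() == claims["email"].casefold()
                and u.hd == claims.get("hd")):
            return u
    return None


def lookup_by_sub(claims: dict, users: List[User]) -> Tuple[Optional[User], str]:
    """Hardened pattern: the immutable sub is the primary key.

    Returns (user, status). An email match without a sub match is reported
    as a 'conflict' rather than silently linked: it may be a domain takeover
    or one of the rare cases where sub itself changed, and either way the
    link needs out-of-band verification, not an automatic login.
    """
    for u in users:
        if u.google_sub == claims["sub"]:
            return u, "matched"
    if claims.get("email_verified"):
        for u in users:
            if u.email.casefold() == claims["email"].casefold():
                return u, "conflict"
    return None, "new"


if __name__ == "__main__":
    print("email lookup, domain buyer:", lookup_by_email(DOMAIN_BUYER, USERS))
    print("sub lookup, domain buyer:  ", lookup_by_sub(DOMAIN_BUYER, USERS))
```

With the email-keyed lookup, the domain buyer's token resolves to Alice's existing account and the takeover succeeds; with the sub-keyed lookup it is flagged as a conflict. Treating that conflict as "needs verification" rather than "create a new account" or "link automatically" is what keeps the hardened path safe even in the rare cases where sub is not stable.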
Millions of individuals affected
As the researcher behind the discovery points out, the flaw threatens millions of people: more than 110,000 domains that belonged to failed companies are currently available for purchase. Anyone who worked for these companies could have their personal data stolen by cybercriminals.
Dylan Ayrey reported the vulnerability in Google OAuth to Google. At first, the Mountain View giant declined to fix it, classifying it as a fraud and abuse issue rather than a vulnerability. Google later reconsidered and agreed to look into the issue. As of this writing, however, the flaw is still open and exploitable.
In a statement to Bleeping Computer, Google thanked "Dylan Ayrey for his help in identifying the risks associated with customers forgetting to remove third-party services when they cease their activity". Google recommends that companies that close down "properly close their domains" by taking a series of precautions, including deleting all user data in the process.
Google also encourages "third-party applications to follow best practices by using unique account identifiers". For Dylan Ayrey, "without immutable credentials for users and workspaces, domain ownership changes will continue to compromise accounts."
Source: Bleeping Computer