Олександр Кузьменко, That's Life
16 January 2025, 17:59
Researcher warns that improperly closing a startup's domain in Google Apps could lead to a data leak
Cybersecurity researcher Dylan Ayrey of Truffle Security Co published a report indicating that many startups use Google’s suite of tools for email, documents, and other office tasks, as well as the OAuth authentication system («Sign in with Google»). After the project is closed, some startups neglect cybersecurity rules and may lose their confidential data.
The researcher suggests that the problem is more serious than anyone, especially Google, admits. Many startups make a critical mistake by not properly closing their accounts — both with Google and other web applications — before their domains expire, Ars Technica reports.
He reasons that with 6 million people working in tech startups, a 90% failure rate for those startups, and 50% of them using Google Workspaces, it is safe to assume that a large number of Google-connected domains are up for sale at any given time. This would not be an issue if buying a domain that still has an active Google account did not allow the Google accounts of former employees to be reactivated.
With admin access to these accounts, the new owner could gain access to many of the services that employees used Google OAuth to sign in to, such as Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought an abandoned startup domain and accessed each of these services using a Google account login. As a result, he obtained tax documents, interview data, direct messages, and other sensitive materials.
«We are grateful to Dylan Ayrey for his help in identifying the risks that arise when customers forget to remove third-party SaaS services as part of their business termination. As a best practice, we recommend that customers properly close domains by following these instructions to prevent similar issues. In addition, we encourage third-party applications to follow best practices by using unique account identifiers (sub) to mitigate this risk,» Google commented on the researcher’s report.
Ayrey said he reported the issue to Google on September 30, 2024. Google responded on October 2 that it «made the decision not to track it as an abuse bug» and set the status to «Will not be fixed (expected behavior).» A Google spokesperson wrote that the company’s initial response was based on «strong and appropriate protections» that were already in place.
Ten days after Ayrey’s talk on the subject was presented at the Shmoocon hacking conference, Google reopened the issue and paid him a $1,337 bounty. The company said at the time that the «probability of an exploit is now low.»
In its domain closure instructions and API documentation, Google describes the unique user identifier «sub» as a value that «never changes» and should be used as the key to identify a user. In his post, Ayrey quotes an unnamed in-house engineer at a large tech company who disagrees with this statement, suggesting that the value of sub changes «in about 0.04% of logins» using Google OAuth. For a sufficiently large audience, that could be hundreds of logins per week. Ayrey suggests that, faced with this problem, large services probably do not rely on «sub» to identify unique users.
A Google spokesperson said the company «would be happy to review any submissions on this matter,» but saw «no evidence to support the claim that the sub field is not an immutable and unique identifier.» Google has also updated its OAuth developer documentation to further emphasize the use of «sub» as a security measure.
Ayrey’s proposed solution, which he submitted to Google, is to include two new immutable identifiers in its OpenID Connect claims: one tied to the user that never changes, and one tied to the domain. So far, the company has not responded to this proposal.
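As an added illustration of the distinction the article turns on (this is example code, not from the article, Google, or Truffle Security): a relying party that links Google sign-ins to existing accounts by e-mail address, beside one that links them by the `sub` claim as Google recommends. The account store, the ID-token claims and all identifier values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    google_sub: str  # `sub` claim recorded at first sign-in


@dataclass
class UserStore:
    accounts: list[Account] = field(default_factory=list)

    def find_by_email(self, email: str) -> Account | None:
        return next((a for a in self.accounts if a.email == email), None)

    def find_by_sub(self, sub: str) -> Account | None:
        return next((a for a in self.accounts if a.google_sub == sub), None)


def link_weak(store: UserStore, claims: dict) -> Account | None:
    """Vulnerable pattern: match on e-mail only. A mailbox re-created under a
    re-registered domain presents the same address and inherits the account."""
    return store.find_by_email(claims["email"])


def link_hardened(store: UserStore, claims: dict) -> Account | None:
    """Match on the stable `sub` claim (Google's documented recommendation).
    A new Google identity reusing an old address gets no existing account."""
    if not claims.get("email_verified", False):
        return None  # unverified address: never use it for linking
    return store.find_by_sub(claims["sub"])


# Constructed sample data (assumption, not from the article): one former
# employee's account, then an ID token for the mailbox re-created by the
# domain's new registrant. Signature, issuer and audience checks on the
# token are assumed to have passed before the claims reach this step.
STORE = UserStore([Account("acct-42", "alice@defunct-startup.example", "sub-original-111")])
REVIVED_TOKEN = {
    "iss": "https://accounts.google.com",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",  # hosted domain, same as before
    "sub": "sub-new-owner-999",  # fresh Google identity => different sub
}
```

Running `link_weak(STORE, REVIVED_TOKEN)` returns the old employee's account, while `link_hardened` returns nothing for the same token and only matches a token carrying the originally recorded `sub`.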