Hacker News: Millions of Accounts Vulnerable Due to Google’s OAuth Flaw

Source URL: https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
Source: Hacker News
Title: Millions of Accounts Vulnerable Due to Google’s OAuth Flaw

Feedly Summary: Comments

AI Summary and Description: Yes

Summary: The text discusses a critical vulnerability within Google’s “Sign in with Google” authentication process that enables unauthorized access to accounts associated with defunct startups. This issue arises from the lack of protections against domain ownership changes, posing significant risks to user data across various SaaS platforms.

Detailed Description: This analysis presents the implications of a vulnerability identified within Google’s OAuth authentication framework, which can have far-reaching consequences for information security within the tech industry.

– **Vulnerability Overview**:
  – Exploitable flaws exist in the authentication flow, allowing unauthorized access to accounts by acquiring the domains of defunct startups.
  – Google’s “Sign in with Google” process does not adequately secure against domain repurchases, leading to potential account takeovers.

– **Impact Analysis**:
  – Over 6 million Americans work for tech startups, and 90% of those startups ultimately fail. This implies a massive pool of vulnerable data linked to abandoned domains.
  – The identification of over 100,000 available domains from failed startups presents a significant risk of access to sensitive employee accounts across various services, such as:
    – **ChatGPT**
    – **Slack**
    – **Notion**
    – **Zoom**
    – **HR systems** holding tax documents, pay stubs, and social security numbers.

– **Critical Mechanism Flaw**:
  – The OAuth implementation relies on the email claim and the hosted-domain (hd) claim to identify users and their organization; neither claim reflects a change in who owns the domain.
  – As such, if someone buys a failed startup’s domain and recreates the old mailboxes, their sign-in presents the same email and hd claims, and downstream services treat them as the former employees.

– **Existing Mitigations and Proposed Solutions**:
  – The “sub” identifier meant to uniquely identify users is inconsistent and unreliable, creating further complications.
  – A proposed fix involves the implementation of two immutable identifiers in OpenID Connect (OIDC) claims:
    – A static unique user ID.
    – A unique workspace ID tied to the domain.
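To make the mechanism flaw and the proposed fix concrete, here is an added example (not code from the Truffle Security article or from Google) of a relying party's account-lookup logic. It contrasts a lookup keyed on the mutable `email`/`hd` claims with one keyed on the subject identifier plus a workspace identifier. The ID-token claims are constructed for illustration, and `workspace_id` is a hypothetical claim name standing in for the immutable workspace ID the article proposes; Google issues no such claim today.

```python
"""Account linking for a 'Sign in with Google' relying party.

Added example: contrasts lookup keyed on email + hd (vulnerable to a change of
domain ownership) with lookup keyed on sub + workspace id. All claim values are
constructed; `workspace_id` is a hypothetical claim, not a real Google claim.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    sub: str                    # subject identifier seen when the account was first linked
    email: str
    hd: str                     # hosted-domain claim
    workspace_id: Optional[str] # hypothetical immutable workspace identifier
    data: str                   # stand-in for the sensitive data the account guards


@dataclass
class LoginResult:
    status: str                 # "ok", "new_user" or "denied"
    account: Optional[Account] = None
    reason: str = ""


class RelyingParty:
    def __init__(self) -> None:
        self.accounts: list[Account] = []

    def register(self, claims: dict, data: str) -> Account:
        acct = Account(claims["sub"], claims["email"], claims["hd"],
                       claims.get("workspace_id"), data)
        self.accounts.append(acct)
        return acct

    def login_by_email(self, claims: dict) -> LoginResult:
        """Vulnerable: email and hd both survive a change of domain ownership,
        so whoever recreates the mailbox inherits the account."""
        for acct in self.accounts:
            if acct.email == claims["email"] and acct.hd == claims.get("hd"):
                return LoginResult("ok", acct)
        return LoginResult("new_user")

    def login_by_sub(self, claims: dict) -> LoginResult:
        """Hardened: identity is the subject identifier (and workspace id when
        present); email is only a display hint and never auto-links accounts."""
        by_sub = next((a for a in self.accounts if a.sub == claims["sub"]), None)
        if by_sub is not None:
            ws = claims.get("workspace_id")
            if ws is not None and by_sub.workspace_id is not None and ws != by_sub.workspace_id:
                return LoginResult("denied", reason="workspace id changed since linking")
            return LoginResult("ok", by_sub)
        # No account for this sub. If the e-mail is already bound to another sub,
        # either the domain changed hands or sub drifted (the inconsistency the
        # article notes). Both cases go to out-of-band recovery, not auto-linking.
        by_email = next((a for a in self.accounts if a.email == claims["email"]), None)
        if by_email is not None:
            return LoginResult("denied", reason="e-mail already linked to a different subject")
        return LoginResult("new_user")


# Constructed claims: the original employee, then a new owner of the same domain
# who recreated the mailbox in a fresh workspace. email and hd are identical.
ORIGINAL_EMPLOYEE = {
    "sub": "1000000000000000001",
    "email": "alice@failed-startup.example",
    "hd": "failed-startup.example",
    "workspace_id": "ws-original",
}
NEW_DOMAIN_OWNER = {
    "sub": "1000000000000000002",
    "email": "alice@failed-startup.example",
    "hd": "failed-startup.example",
    "workspace_id": "ws-recreated",
}


def demo() -> dict:
    rp = RelyingParty()
    rp.register(ORIGINAL_EMPLOYEE, "alice's HR records")
    return {
        "vulnerable": rp.login_by_email(NEW_DOMAIN_OWNER).status,   # "ok": takeover
        "hardened": rp.login_by_sub(NEW_DOMAIN_OWNER).status,       # "denied"
        "original_user": rp.login_by_sub(ORIGINAL_EMPLOYEE).status, # "ok"
    }


if __name__ == "__main__":
    print(demo())
```

The hardened path deliberately refuses, rather than silently creates or links, when the e-mail is already bound to a different subject. That refusal is where the article's recommendation of extra identity verification for account recovery belongs: a sub that no longer matches is the same signal whether it comes from a repurchased domain or from sub drift, and the relying party cannot tell the two apart from the token alone.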

– **Current Status and Recommendations**:
  – Google initially classified the issue under “Fraud and abuse,” resisting immediate fixes, though it later acknowledged the problem after external scrutiny.
  – Actions suggested for downstream providers (like Slack) include advocating for changes in Google’s approach to OAuth claims.
  – Recommendations for startups include:
    – Disabling password-based authentication in favor of Single Sign-On (SSO) with two-factor authentication (2FA).
    – Ensuring services require additional identity verification for account recovery processes (e.g., SMS codes, credit card verification) to reduce risks related to password resets.

In conclusion, the text underscores the significant vulnerability in Google’s OAuth implementation, highlighting the pressing need for security measures that hold up across domain ownership changes in order to protect millions of users’ sensitive data from exposure. The ongoing dialogue with Google regarding this issue marks a critical moment for improving authentication processes.