Vulnerability in Google’s OAuth System exposes millions to risk
Google acknowledges issue but places onus on business
Researchers warn that unused domains could grant unauthorised access to sensitive SaaS accounts
Researchers at Truffle Security have found a flaw in Google’s OAuth ‘Sign in with Google’ feature, potentially exposing businesses that have shut down to data breaches. The researchers claim the vulnerability could allow malicious actors to access sensitive information through abandoned domains.
The issue was reported to Google in September 2024. However, it only gained attention after Dylan Ayrey, the Truffle Security CEO and co-founder, highlighted the problem during a presentation at Shmoocon in December 2024.
Despite acknowledging the vulnerability, Google has taken limited action, placing the responsibility on businesses to secure their data.
In theory, the flaw could be exploited in the following scenario: A business uses its company email and the “Sign in with Google” feature to register for a third-party SaaS service, such as HR software. This platform might contain sensitive data, including employee records and payment information. If the business shuts down and the domain is terminated, a malicious actor could register the same domain and recreate the email account used to access the SaaS service.
Once inside, the attacker could retrieve the data left behind by the defunct business.
Google’s response
Google has not implemented a fix for this vulnerability.
A spokesperson for Google told TechRadar Pro: “We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible.
“Additionally, we encourage third-party apps to follow best practices by using the unique account identifiers (sub) to mitigate this risk.”
Suggested safeguards
Ayrey proposed Google introduce immutable identifiers, while SaaS providers should cross-reference domain registration dates to prevent exploitation. According to a simple search on Crunchbase, there are over 100,000 domains at risk of being abused in this manner.
However, Google refutes the necessity of additional safeguards, claiming its existing measures provide sufficient protection. In a statement to BleepingComputer, the tech giant said: “To be clear: a fix wasn’t necessary because a strong and appropriate protection is already in place. The ‘sub field’ is the immutable identifier that the researcher is calling for – we strongly urge developers to use it to provide extra protection.
“We’ll happily examine any materials on this, but we’ve seen no evidence to support the assertion that the sub field is not an immutable and unique identifier.”
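The two safeguards discussed above, Google's advice to key accounts on the `sub` claim and Ayrey's suggestion that SaaS providers cross-reference domain registration dates, can be combined in a relying party's account lookup. The following is an added illustration, not code from Google, Truffle Security or any SaaS vendor; the accounts, `sub` values and registration dates are constructed, and the WHOIS/RDAP lookup is a stand-in dictionary.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    account_id: str
    sub: Optional[str]  # Google's immutable per-user identifier (the ID token "sub" claim)
    email: str
    created: date       # when this SaaS account was first provisioned

# Constructed sample data: accounts a SaaS vendor might hold. acct-2 and acct-3 were
# provisioned before the vendor stored "sub", so only their email is on record.
ACCOUNTS = [
    Account("acct-1", "108273649", "ceo@defunct-example.com", date(2022, 3, 1)),
    Account("acct-2", None, "hr@legacy-example.com", date(2021, 6, 10)),
    Account("acct-3", None, "ops@revived-example.com", date(2020, 2, 2)),
]

# Constructed stand-in for a WHOIS/RDAP lookup of the domain's current registration date.
DOMAIN_REGISTERED = {
    "defunct-example.com": date(2024, 11, 15),  # re-registered after the business closed
    "legacy-example.com": date(2019, 1, 5),     # same owner since before the account existed
    "revived-example.com": date(2024, 12, 1),   # changed hands after provisioning
}

def domain_registration_date(domain: str) -> Optional[date]:
    return DOMAIN_REGISTERED.get(domain.lower())

def resolve_account(claims: dict) -> Optional[Account]:
    """Map already-verified ID-token claims to an existing account, or return None.

    1. Match on "sub" first: it survives any recreation of the email or domain.
    2. Only accounts with no stored "sub" may fall back to email, and that fallback is
       refused when the domain's registration postdates the account (a recreated mailbox).
    """
    for acct in ACCOUNTS:
        if acct.sub is not None and acct.sub == claims["sub"]:
            return acct
    if not claims.get("email_verified", False):
        return None
    for acct in ACCOUNTS:
        if acct.sub is None and acct.email.lower() == claims.get("email", "").lower():
            registered = domain_registration_date(acct.email.split("@", 1)[1])
            if registered is not None and registered > acct.created:
                return None  # domain changed hands: do not hand over the old tenant's data
            acct.sub = claims["sub"]  # bind now so future logins match on "sub" alone
            return acct
    return None
```

A login carrying the original `sub` reaches acct-1, while a freshly created mailbox at the same address carries a different `sub` and resolves to nothing, which is exactly the property Google's statement relies on.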
Although Google downplays the risks, the findings have raised concerns about the potential for widespread abuse.