Friday, February 28, 2025

Google OAuth: abandoned domains attack

Just over a year ago, in our post entitled Google OAuth and phantom accounts, we discussed how using the “Sign in with Google” option for corporate services allows employees to create phantom Google accounts that aren’t managed by the corporate Google Workspace admin and continue to function after offboarding. Recently, it was discovered that this isn’t the only issue with OAuth. Due to weaknesses in this authentication mechanism, anyone can gain access to the data of many defunct organizations by re-registering the domains they abandoned. In this article, we explore this attack in more detail.

How authentication works with “Sign in with Google”

Some organizations may think that “Sign in with Google” provides a reliable authentication mechanism backed by Google’s advanced technology and vast user-monitoring capabilities. In reality, however, the Google OAuth authentication check is quite basic. It typically comes down to verifying that a user has access to an email address linked to an organization’s Google Workspace.

Moreover, as mentioned in our previous article on Google OAuth, this doesn’t necessarily have to be a Gmail address: Google accounts can be linked to any email address. Therefore, the security of accessing a corporate service via “Sign in with Google” is only as strong as the security of the email address linked to the Google account.

Now let’s get into the details…

When authenticating a user in a corporate service, Google OAuth sends the following information to that service:

(Figure: description of the Google OAuth ID token payload)

In theory, the Google OAuth ID token includes a unique parameter called sub for each Google account. In practice, however, due to issues with its usage, services often check only the domain and email address. (Source)

Google recommends that services use the sub parameter, claiming that this identifier is unique and constant for the user account, unlike an email address. But in reality, the sub parameter isn’t always constant: for a small number of users, it changes over time, which can cause authentication failures. As a result, services tend not to use it, and instead verify only the domain and email address, contrary to Google’s recommendations.

“Sign in with Google” using an abandoned domain

Thus, an attacker can gain unauthorized access to a company’s services simply by gaining access to an email address within that company’s domain. This is particularly easy to do if the company has ceased operations and abandoned its domain: anyone can register it for themselves.

The attacker can then create any email address under this domain and use it to log into one of the services the company likely used. Some of these services may display a list of real users linked to the organization’s workspace, even if the address entered by the attacker was never actually used.

With this list, and full control over all email addresses within the abandoned domain, the attacker can reconstruct the original Google Workspace of the defunct company. In this way, attackers can gain access to the profiles of former employees in services that used Google OAuth for authentication.

How serious a problem is this?

Dylan Ayrey, the researcher who discovered this Google OAuth vulnerability (and the earlier issue with phantom accounts), set out to demonstrate the severity of the potential consequences. Using data from Crunchbase, Ayrey compiled a list of over 100,000 terminated startups whose domains are now up for sale.

Ayrey bought one of these abandoned domains and tested the feasibility of the attack. Among the corporate services he managed to access using this vulnerability were Slack, Zoom, Notion, ChatGPT, and HR systems.

Thus, with this relatively simple attack requiring minimal resources, an attacker can gain access to a wealth of confidential information, ranging from employee correspondence and notes to personal data from HR systems.

According to Ayrey’s estimates, around 50% of startups use Google Workspace. If we assume that the average defunct startup had about 10 employees, we could be talking about hundreds of thousands of people and millions of vulnerable accounts.

Who’s responsible, and what can be done?

Ayrey dutifully notified Google of this vulnerability through its bug bounty program. He also suggested a long-term solution: creating truly permanent and unique identifiers for Google accounts and Google Workspace. However, his report was initially rejected with the comment “no fix needed” and labeled as “fraud or abuse”!

Several months after Ayrey presented his findings at a hacker conference (!), the report was reopened, and he was awarded $1337. Notably, he received the same minimal reward for his earlier discovery of the phantom Google accounts vulnerability.

According to Ayrey, Google promised to fix the vulnerability in Google OAuth, but didn’t specify when or how exactly it plans to do so. Therefore, the problem with the “Sign in with Google” mechanism remains an unresolved issue for which no one is willing to take responsibility. Potential victims of this attack include former employees of defunct companies who no longer have control over their accounts. Worse still, there’s no one left to hold accountable for the security of those accounts.

The sensible move here would be for companies to take preventive measures in advance. However, very few startups seriously plan for their own demise, let alone for what will happen afterward.

Fortunately, protecting against this Google OAuth vulnerability is relatively simple. There are two non-mutually-exclusive options:

  • Use a traditional login-and-password combination instead of “Sign in with Google”, and always enable two-factor authentication.
  • If your company ceases operations, don’t abandon its workspaces in corporate services; delete them instead. This is quite easy to do; for example, here are the instructions for Slack and Notion.
