Google’s OAuth Oops: How Defunct Domains Turn Hackers Into Unwanted Guests

A Google OAuth vulnerability lets attackers buy the lapsed domains of defunct startups and use "Sign in with Google" to reach the SaaS accounts former employees left behind. Google has known about the issue, but it remains unfixed; its advice is that companies winding down should properly close out their domains so there is nothing for a new owner to inherit. With millions of accounts potentially exposed, anyone whose former employer has folded should check where their old logins still lead.


Hot Take:

Looks like Google’s OAuth has a secret love affair with defunct startups’ domains! Who knew that the ghost of startups past could still haunt our data? Time to double-check where our login breadcrumbs lead!

Key Points:

  • Truffle Security discovered a security flaw in Google's OAuth "Sign in with Google" feature.
  • Attackers can exploit defunct startup domains to access former employees' accounts on SaaS platforms.
  • Google initially dismissed the issue but later awarded a $1337 bounty and reopened the case.
  • The flaw remains unfixed, potentially impacting millions of accounts.
  • Proposed fixes include having Google issue immutable identifiers that do not change when a domain changes hands, and having SaaS providers cross-reference a domain's registration date against the age of the accounts tied to it.
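The key points above describe the takeover path and the two proposed fixes. What follows is an added example (not code from The Nimble Nerd, Truffle Security or Google) of a SaaS relying party's account-resolution step after a verified "Sign in with Google" ID token arrives: first the email-keyed lookup that the attack abuses, then a hardened version that keys on Google's `sub` claim (used here as the stand-in for the immutable identifier the fix calls for) and cross-references the domain's registration date against when the tenant was provisioned. The `email`, `email_verified`, `hd` and `sub` claims are standard Google ID-token claims; every tenant, account, token and registration date below is constructed, and the data layout and lookup helpers are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Tenant:
    domain: str
    provisioned: date   # when this organisation first signed up with the SaaS


@dataclass(frozen=True)
class Account:
    email: str
    sub: str            # stable per-user identifier from the Google ID token
    tenant: str         # domain of the organisation the account belongs to


# Constructed sample data: a startup that folded, and one that is still alive.
TENANTS = {
    "defunct-startup.example": Tenant("defunct-startup.example", date(2021, 1, 15)),
    "living-company.example": Tenant("living-company.example", date(2019, 4, 2)),
}
ACCOUNTS = [
    Account("alice@defunct-startup.example", "sub-orig-111", "defunct-startup.example"),
    Account("carol@living-company.example", "sub-carol-444", "living-company.example"),
]

# Constructed WHOIS/RDAP-style creation dates (a real RP would query them live).
# The defunct domain lapsed and was re-registered in 2024, after its tenant existed.
DOMAIN_REGISTERED = {
    "defunct-startup.example": date(2024, 11, 5),
    "living-company.example": date(2018, 6, 20),
}

# Constructed ID-token claims, assumed already signature- and audience-checked.
ORIGINAL_ALICE = {"email": "alice@defunct-startup.example", "email_verified": True,
                  "hd": "defunct-startup.example", "sub": "sub-orig-111"}
# Same email, different Google identity: the attacker bought the domain,
# stood up a new Workspace on it and re-created "alice".
ATTACKER_ALICE = {"email": "alice@defunct-startup.example", "email_verified": True,
                  "hd": "defunct-startup.example", "sub": "sub-new-999"}
NEW_AT_DEFUNCT = {"email": "mallory@defunct-startup.example", "email_verified": True,
                  "hd": "defunct-startup.example", "sub": "sub-mal-333"}
NEW_BOB = {"email": "bob@living-company.example", "email_verified": True,
           "hd": "living-company.example", "sub": "sub-bob-222"}
CAROL_MISMATCH = {"email": "carol@living-company.example", "email_verified": True,
                  "hd": "living-company.example", "sub": "sub-other-555"}


def _by(attr: str, value: str) -> Optional[Account]:
    """Hypothetical lookup helper over the in-memory account list."""
    return next((a for a in ACCOUNTS if getattr(a, attr) == value), None)


def resolve_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable: whoever Google currently vouches for at this email address
    gets the account, so the attacker's re-created 'alice' lands in the old one."""
    return _by("email", claims["email"])


def resolve_hardened(claims: dict) -> tuple[str, Optional[Account]]:
    """Hardened: key on the immutable `sub`, refuse any domain that was
    registered after its tenant was provisioned, and never auto-link an
    existing account to a new identity just because the email matches."""
    if not claims.get("email_verified"):
        return ("reject:unverified-email", None)
    known = _by("sub", claims["sub"])
    if known is not None:
        return ("ok", known)                          # same Google identity as before
    domain = claims.get("hd") or claims["email"].rsplit("@", 1)[1]
    tenant = TENANTS.get(domain)
    registered = DOMAIN_REGISTERED.get(domain)
    if tenant is not None and registered is not None and registered > tenant.provisioned:
        return ("reject:domain-reregistered", None)   # domain changed hands
    if _by("email", claims["email"]) is not None:
        return ("reject:identity-mismatch", None)     # email known, sub is not
    return ("new", None)                              # genuinely new user


if __name__ == "__main__":
    print("vulnerable:", resolve_by_email(ATTACKER_ALICE))
    for name, claims in [("original", ORIGINAL_ALICE), ("attacker", ATTACKER_ALICE),
                         ("new-at-defunct", NEW_AT_DEFUNCT), ("bob", NEW_BOB),
                         ("carol-mismatch", CAROL_MISMATCH)]:
        print(f"hardened {name}:", resolve_hardened(claims)[0])
```

The ordering matters: the `sub` match comes first so a legitimate returning user is never blocked by a stale WHOIS record, and the domain-date check runs before the email fallback so that a brand-new user created on a re-registered domain is refused as well, not only the re-created ones. In production the registration date would come from RDAP/WHOIS and should be cached, since a live lookup on every login is slow and can fail.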

The Nimble Nerd