Google’s OAuth Oops: Startup Domain Buybacks Exposing User Data!

Google’s OAuth login flaw can let someone buy a failed startup’s domain and use it to recreate old employee email accounts, gaining access to sensitive data from various applications like Slack and even HR systems. This oversight leaves millions at risk, despite Google’s initial claim of “intended behavior.”


Hot Take:

Who knew that your old startup’s domain could become the ghost of privacy past? Apparently, Google’s “Sign in with Google” feature is on a nostalgia trip, letting anyone with a failed startup’s domain revisit the good old days of accessing sensitive SaaS accounts. Who needs a time machine when you can just buy a domain?

Key Points:

  • Google’s OAuth login flaw allows domain ownership to grant access to old employee accounts.
  • Buying a defunct startup’s domain can expose sensitive data from multiple SaaS products.
  • Google claims it’s intended behavior but re-opened the bug report after further scrutiny.
  • Truffle Security found Google’s unique user identifier (the `sub` claim in the ID token) unreliable, so downstream providers cannot simply key accounts on it to prevent this flaw.
  • At present there is no protection downstream software providers can deploy against this vulnerability.
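To make the key points concrete, here is an added example (not code from the article, Google, or Truffle Security) of the account-lookup step a downstream SaaS provider performs after verifying a Google ID token. The claim names `sub`, `email`, `email_verified` and `hd` are Google’s real OpenID Connect claims; the accounts, domain and claim values are constructed, and signature, issuer and audience checks are assumed to have already passed. It contrasts the vulnerable pattern (the email address is the account key, so a new owner of the lapsed domain who recreates the same mailbox inherits the old account) with keying on `sub`.

```python
"""Toy model of 'Sign in with Google' account resolution at a downstream SaaS.

Added example, not from the original page.  Claims are plain dicts standing
in for an already-verified Google ID token.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    google_sub: str   # `sub` claim recorded when the account was first created
    email: str        # `email` claim recorded at that time


# Constructed sample data: one account created by an employee of a startup
# that later shut down and let its domain lapse.
ACCOUNTS = [
    Account("acct-0001", "110000000000000000001", "alice@failedstartup.example"),
]

# Constructed claims from the original employee's login.
ORIGINAL_CLAIMS = {
    "sub": "110000000000000000001",
    "email": "alice@failedstartup.example",
    "email_verified": True,
    "hd": "failedstartup.example",
}

# Constructed claims after someone bought failedstartup.example, attached it
# to a new Google Workspace and recreated alice@: same email and hd (both are
# derived from the domain the buyer now controls), different sub.
BUYER_CLAIMS = {
    "sub": "110000000000000000002",
    "email": "alice@failedstartup.example",
    "email_verified": True,
    "hd": "failedstartup.example",
}


def _precheck(claims: dict) -> None:
    """Checks every Google login should do regardless of how accounts are keyed."""
    for required in ("sub", "email", "email_verified"):
        if required not in claims:
            raise ValueError(f"missing claim: {required}")
    if claims["email_verified"] is not True:
        raise ValueError("email not verified by Google")


def resolve_by_email(claims: dict, accounts: list[Account]) -> Optional[Account]:
    """Vulnerable pattern: the email address is the account key.

    Whoever controls the domain today can obtain a token carrying the old
    address and is handed the old account, with all of its data.
    """
    _precheck(claims)
    for acct in accounts:
        if acct.email.lower() == claims["email"].lower():
            return acct
    return None


def resolve_by_sub(claims: dict, accounts: list[Account]) -> Optional[Account]:
    """Stricter pattern: only a matching `sub` maps a token to an existing
    account.  A familiar email with an unfamiliar sub is treated as a new
    user (or flagged for review), never silently linked to the old record.
    """
    _precheck(claims)
    for acct in accounts:
        if acct.google_sub == claims["sub"]:
            return acct
    return None


if __name__ == "__main__":
    for name, claims in (("original employee", ORIGINAL_CLAIMS), ("domain buyer", BUYER_CLAIMS)):
        by_email = resolve_by_email(claims, ACCOUNTS)
        by_sub = resolve_by_sub(claims, ACCOUNTS)
        print(f"{name}: by email -> {by_email.account_id if by_email else None}, "
              f"by sub -> {by_sub.account_id if by_sub else None}")
```

Running it shows the buyer’s token resolving to the old employee’s account under the email-keyed lookup and to nothing under the `sub`-keyed one. Note the caveat the article itself raises: Truffle Security found the `sub` value unreliable in practice, which is why providers fell back to email in the first place, so keying on `sub` as shown here narrows the exposure but is not the complete protection the key points say is still missing. Checking `hd` does not help either, since the buyer controls that domain too.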

The Nimble Nerd