Startup Ghost Hunt: How Failed Domains Are Resurrecting Security Nightmares
A weakness in Google's OAuth sign-in is letting savvy buyers of defunct startup domains access former employees' accounts on the SaaS products those employees logged into with Google. This digital "yard sale" could expose sensitive data from products such as Slack and Zoom. Google acknowledges the risk and urges startups to clean up their digital leftovers before shutting down to keep this from happening.

Hot Take:
***This tale is a modern-day Shakespearean tragedy: startups die, but their ghostly domains linger on, waiting for the right villain to swoop in and take over their digital afterlife. It’s like a digital séance, but with a lot more email accounts and a lot less ectoplasm.***
Key Points:
– Truffle Security identified a weakness in Google's OAuth "Sign in with Google" flow that allows account takeovers by purchasing a failed startup's domain.
– Recreating former employees' email addresses under the purchased domain lets the buyer sign in with Google to the SaaS platforms those employees used.
– Over 100,000 domains from failed startups are up for grabs, risking exposure of sensitive data from approximately 10 million accounts.
– Google points out that the issue arises from startups not deleting their data from third-party services during shutdown.
– Dylan Ayrey of Truffle Security suggests that Google add two immutable identifiers to its OpenID Connect claims so that applications can key accounts on those identifiers rather than on an email address that a later domain owner can recreate.
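The failure mode behind these key points, as an added example that is not code from Truffle Security, Google or any of the SaaS products named above: a "Sign in with Google" handler that keys user accounts on the `email` and `hd` (hosted domain) claims is taken over by whoever recreates that mailbox under the re-registered domain, while a handler that keys on the `sub` claim (the per-account subject identifier Google's OpenID Connect documentation tells relying parties to use) treats the recreated user as a stranger. The domain name, the `sub` values and the stored data are constructed for illustration.

```python
# Added example (not Truffle Security's or Google's code): an OIDC login handler
# that keys user accounts on the `email`/`hd` claims, beside one that keys on
# the immutable `sub` claim. The ID-token claim sets below are constructed;
# the domain name and `sub` values are made up.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str              # the app's internal identity key
    email: str                   # email seen at first login
    data: list = field(default_factory=list)


class EmailKeyedApp:
    """Vulnerable pattern: treats (hd, email) as the user's identity."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def login(self, claims: dict) -> Account:
        # Google ID tokens carry `email` and, for Workspace users, `hd`.
        # Both follow the domain, not the person: a new owner of the domain
        # can mint a user with exactly the same values.
        key = f"{claims['hd']}|{claims['email'].lower()}"
        if key not in self.accounts:
            self.accounts[key] = Account(key, claims["email"])
        return self.accounts[key]


class SubKeyedApp:
    """Hardened pattern: treats the `sub` claim as the user's identity."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def login(self, claims: dict) -> Account:
        # `sub` is the stable subject identifier of one Google account; a user
        # recreated under a re-registered domain is a new account with a new sub.
        key = claims["sub"]
        if key not in self.accounts:
            self.accounts[key] = Account(key, claims["email"])
        return self.accounts[key]


# Constructed claim set 1: the original employee while the startup existed.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}

# Constructed claim set 2: the domain buyer after re-registering the domain,
# attaching a Workspace to it and recreating alice@. Same email and hd, new sub.
DOMAIN_BUYER = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000002",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}


def replay_domain_resurrection(app) -> tuple:
    """Alice uses the app, the startup dies, the buyer signs in as alice@.
    Returns (buyer_got_alices_account, number_of_accounts_afterwards)."""
    alice = app.login(ORIGINAL_EMPLOYEE)
    alice.data.append("customer export 2024-Q1")   # constructed sample data
    buyer = app.login(DOMAIN_BUYER)
    return buyer is alice, len(app.accounts)


if __name__ == "__main__":
    print("email-keyed:", replay_domain_resurrection(EmailKeyedApp()))  # (True, 1)
    print("sub-keyed:  ", replay_domain_resurrection(SubKeyedApp()))    # (False, 2)
```

The `sub` check covers the per-user half of the suggestion above; Truffle Security's write-up paired it with a second stable identifier for the Workspace itself, which would let an application also notice that the whole tenant behind a domain has changed hands. Neither identifier helps a SaaS product that has already provisioned an account purely from the domain-bound address, which is why Google's advice to delete third-party data at shutdown still stands.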