Millions of Accounts Vulnerable due to Google’s OAuth Flaw ◆ Truffle Security Co.
trufflesecurity.com
Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.
  • eRacEnglish
    5·
    4 days ago

    TL;DR: If you had a Google account on a non-Google domain, an attacker can buy the domain and make new accounts with the same usernames. Those are new accounts as far as Google is concerned, but they will be treated the same for SSO on other platforms.

    If you know the cloud-based HR platform a dead company used and the username of their HR person, you can log in and see all employee records and personal details.

    • naeap@sopuli.xyzEnglish
      4·
      4 days ago

      I still can’t comprehend how Google used just the mail address or domain for their SSO
      I would have expected something like a hash over mail address and password + salt or something, so a new registrar would have a different hash

      Just using the date of registration in the hash would have been mitigating this stuff - or do I miss something?

      • fuzzzerd@programming.devEnglish
        1·
        4 days ago

        Usually the flaw us on the service provider side when using only email address for SSO. Typically the idp will provide a sub claim which is unique to the account and independent of email.

        • fuzzzerd@programming.devEnglish
          1·
          4 days ago

          I see the article mentions this sub as having as an unreliable claim value. I can’t dispute that experience, but have not observed it personally. Though my experience is on a much smaller system.