- Study finds that purchasing domains from shuttered businesses can provide access to their SaaS accounts
- Google says this is not a vulnerability and that companies should make sure they don’t leave sensitive information behind.
- Researchers suggest additional safety measures
Experts found a vulnerability in Google OAuth's “Sign in with Google” feature that could allow attackers to access sensitive data belonging to closed businesses.
Google has acknowledged the bug but isn't doing much to fix it, saying instead that businesses should ensure the security of the data they leave behind.
The vulnerability was first discovered by security researchers at Truffle Security, who reported it to Google in late September 2024. However, Google only responded after the company's CEO and co-founder Dylan Ayrey presented the issue at ShmooCon in December 2024.
Google suggests mitigation measures
Here’s how it works in theory:
A business subscribes to an HR service using its business email account and Sign in with Google. It uses the HR service for things like employee contracts, benefits, and more. After some time, the business closes and ceases operations, and its domain lapses. An attacker then registers the same domain and recreates the email address that was used to log into the HR service.
They then sign into the existing account on the HR platform, where they can access all the information and files left behind.
Google awarded Truffle Security a small bounty but decided not to pursue a fix: “We appreciate Dylan Ayrey's assistance in identifying the risks associated with customers forgetting to uninstall third-party SaaS services as part of their deprecation,” a Google spokesperson said.
“As a best practice, we encourage customers to properly close domains by following these instructions to make these types of issues impossible. Additionally, we encourage third-party applications to follow best practices by using unique account identifiers (subs) to mitigate this risk.”
In other words, businesses need to make sure they don’t leave behind residual data.
Ayrey notes that a quick scan of Crunchbase revealed more than 100,000 domains that could be abused in this way. He suggested that Google introduce immutable identifiers and that SaaS providers cross-reference domain registration dates.
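The scenario described above and Google's advice to key accounts on the unique `sub` identifier, as an added example that is not from the article, Google or Truffle Security: a relying party that resolves a verified ID token to an account by `sub` and refuses to hand an old tenant's account to a recreated mailbox under a different `sub`. The claim names (`sub`, `email`, `hd`) are Google's; the store, the sample claims and the outcome labels are constructed for illustration.

```python
# Added example: account resolution for a "Sign in with Google" relying party.
# Assumes the ID token has already been validated (signature, iss, aud, exp);
# only the claims dict reaches this code.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    sub: str      # Google's stable per-user identifier: the primary key
    email: str    # informational only, never used to look an account up
    tenant: str   # hosted domain (hd) or the email's domain part


@dataclass
class AccountStore:
    by_sub: Dict[str, Account] = field(default_factory=dict)

    def link_or_lookup(self, claims: dict) -> Tuple[str, Optional[Account]]:
        """Return (outcome, account); outcome is 'matched', 'created'
        or 'email_reuse_blocked' (constructed labels)."""
        sub, email = claims["sub"], claims["email"].lower()
        acct = self.by_sub.get(sub)
        if acct is not None:
            return "matched", acct  # same Google identity as before
        # Same address under a new sub: a re-registered domain has recreated
        # the mailbox. Do not expose the old tenant's data; hold for review.
        if any(a.email == email for a in self.by_sub.values()):
            return "email_reuse_blocked", None
        tenant = claims.get("hd", email.split("@", 1)[1])
        acct = Account(sub=sub, email=email, tenant=tenant)
        self.by_sub[sub] = acct
        return "created", acct


def demo() -> list:
    # Constructed claims: the original employee's login, a repeat login, then
    # a login from the recreated mailbox, which carries a different sub.
    original = {"sub": "1001", "email": "Jane@Example-Startup.com",
                "hd": "example-startup.com"}
    takeover = {"sub": "2002", "email": "jane@example-startup.com",
                "hd": "example-startup.com"}
    store = AccountStore()
    return [store.link_or_lookup(c)[0] for c in (original, original, takeover)]
```

Looking up by email alone would have returned "matched" for the third login, which is exactly the behaviour the researchers demonstrated.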