
Google OAuth flaw exposes millions to data breach risk


A major security flaw in Google’s ‘Sign in with Google’ authentication system has exposed millions of users to potential data theft, particularly those who have worked at startups that have since shuttered operations. The flaw, rooted in Google’s OAuth implementation, enables attackers to exploit domain ownership changes to access sensitive user accounts.

The vulnerability arises from how Google’s OAuth login system interacts with domain ownership. When a domain from a defunct company is purchased, the new owner can recreate email accounts associated with that domain. This gives them the ability to access services previously linked to those accounts, bypassing security measures.

A security researcher demonstrated the flaw by purchasing a defunct startup’s domain and successfully accessing accounts on platforms like ChatGPT, Slack, Notion, and HR systems. Sensitive information uncovered included social security numbers, tax documents, private communications, and candidate feedback from interview platforms.

“We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best practices by using the unique account identifiers (sub) to mitigate this risk,” a Google spokesperson told Candid.Technology.

Google OAuth chain. | Source: Truffle Security

The numbers highlight the gravity of the situation:

  • Six million Americans are employed in tech startups.
  • About 90% of startups fail, leaving their domains vulnerable.
  • About 50% of startups rely on Google Workspaces for email and authentication.
  • Over 100,000 defunct startup domains are currently available for purchase.

Given these figures, the researcher estimates that more than 10 million sensitive user accounts could be at risk.

“If each failed startup averaged 10 employees over their lifetime and used 10 different SaaS services, we’re talking about accessing sensitive data from more than 10 million accounts,” says cyber security researcher Dylan Ayrey.

When users log in via Google OAuth, services rely on two key claims in the ID token: the email address (`email`) and the hosted domain (`hd`). If a service identifies users based solely on these claims, whoever acquires a defunct domain can recreate the mailboxes, obtain tokens carrying the same email and hosted-domain values, and be matched to the former employees’ accounts.

Although Google provides a ‘sub’ claim — a unique identifier for users — it has proven unreliable, with inconsistencies in 0.04% of logins. For large-scale systems, this margin is significant enough to undermine security.
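As an added example (not code from the article, Google or Truffle Security), the account-linking step a relying party performs after verifying a Google ID token, once matching on `email` plus `hd` and once on `sub`; the domain name, mailbox and `sub` values are constructed.

```python
# Added example: how a relying party's account lookup decides whether a
# re-created mailbox on a defunct domain maps onto a former employee's account.
# Claim values below are constructed; token signature verification is assumed
# to have happened already (e.g. via google-auth's id_token.verify_oauth2_token).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    sub: str    # Google's stable per-user identifier from the ID token
    email: str  # mailbox name; follows the domain to whoever owns it next
    hd: str     # hosted-domain claim; also follows the domain

def find_by_email_hd(accounts, claims) -> Optional[Account]:
    """Weak linking: matches on claims a new domain owner can reproduce."""
    return next((a for a in accounts
                 if a.email == claims["email"] and a.hd == claims["hd"]), None)

def find_by_sub(accounts, claims) -> Optional[Account]:
    """Hardened linking: 'sub' is issued per Google identity, so the re-created
    mailbox carries a different value and does not resolve to the old account."""
    return next((a for a in accounts if a.sub == claims["sub"]), None)

def login(accounts, claims, strict: bool) -> Optional[Account]:
    """Resolve verified ID-token claims to an existing account, or None."""
    if not claims.get("email_verified", False):
        return None  # never link an account on an unverified address
    return find_by_sub(accounts, claims) if strict else find_by_email_hd(accounts, claims)

# Constructed scenario: an employee of the defunct startup example.test, then a
# token minted for the same mailbox after the domain was bought and re-created.
ACCOUNTS = [Account(sub="110000000000000000001", email="alice@example.test", hd="example.test")]
ORIGINAL_TOKEN = {"sub": "110000000000000000001", "email": "alice@example.test",
                  "hd": "example.test", "email_verified": True}
NEW_OWNER_TOKEN = {"sub": "110000000000000000999", "email": "alice@example.test",
                   "hd": "example.test", "email_verified": True}

def outcome(strict: bool):
    """Return (original user resolves?, new domain owner resolves to old account?)."""
    return (login(ACCOUNTS, ORIGINAL_TOKEN, strict) is not None,
            login(ACCOUNTS, NEW_OWNER_TOKEN, strict) is not None)

if __name__ == "__main__":
    print("email+hd linking:", outcome(strict=False))  # (True, True): old account reachable
    print("sub linking:     ", outcome(strict=True))   # (True, False)
```

Because the article reports `sub` changing in about 0.04% of logins, a service that links strictly on `sub` should expect a small number of legitimate users to fail to match and needs a deliberate re-linking procedure rather than a silent fallback to `email` and `hd`.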

The unique user identifier (the sub claim) is unreliable. | Source: Truffle Security

The researcher proposed a fix for Google: introducing immutable identifiers for both users and domains. Such a measure would prevent attackers from leveraging domain ownership changes to access accounts. However, Google initially dismissed the issue, classifying it as ‘Fraud and Abuse’ rather than a security vulnerability.

Later, Google acknowledged the problem and committed to addressing the issue. However, details about their planned solution remain unclear.

Platforms like Slack and Notion are unable to mitigate this vulnerability independently. They depend on Google’s OAuth claims and have no mechanism to verify domain ownership changes. This leaves millions of users exposed until Google implements a fix.

In addition to OAuth vulnerabilities, attackers could exploit old domains for password reset emails. While startups can mitigate this by enforcing SSO with two-factor authentication (2FA), the broader issue of OAuth-based account takeovers remains unaddressed.

The researcher has urged startups to disable password-based authentication and enforce 2FA. Service providers should require secondary verification for password resets. Employees should regularly review and remove access to accounts tied to their startup credentials.

“Google’s eventual re-engagement with this issue is promising, but until a fix is implemented, millions of Americans’ data and accounts remain vulnerable,” the researcher concluded.

16/01/25: The story was updated with Google’s statement


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
