San Francisco, January 15, 2025 — A Google OAuth vulnerability lets attackers exploit old domains to access sensitive SaaS accounts, putting millions of users at risk.
A stunning Google OAuth vulnerability has exposed millions of accounts to potential exploitation through recycled domains from failed startups. Security firm Truffle Security uncovered how attackers could purchase defunct startup domains, recreate old employee emails, and access sensitive SaaS accounts, including HR systems and platforms like Slack, Zoom, and ChatGPT.
Dylan Ayrey, CEO of Truffle Security, warned:
This isn’t just a technical flaw; it’s a loophole that puts personal data, including tax and social security information, at risk.
Google OAuth’s weakness lies in its failure to guard against changes in domain ownership. Attackers exploiting this could access systems using outdated employee credentials, exposing everything from internal feedback to confidential HR data.
The exploit even bypassed OAuth’s intended safeguards, highlighting a serious gap in how modern authentication is handled. In response, Google called the issue “intended behavior” but reopened the case in late 2024 after public outcry, awarding Ayrey a $1,337 bounty.
Google’s spokesperson recommended that companies adopt stringent off-boarding practices and properly close accounts to mitigate such risks. Ayrey emphasized:
Without immutable user identifiers, domain changes will keep leaving sensitive systems vulnerable.
This flaw isn’t just a wake-up call for startups but a loud alarm for all Google OAuth users. As companies increasingly rely on single sign-on systems, ensuring robust security has never been more critical.
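The weakness the article describes, and the fix Ayrey points to, can be seen in how a SaaS relying party maps a Google sign-in to a local account. The following is an added example, not Truffle Security's or Google's code: it contrasts an email/domain-keyed lookup with one keyed on the identity provider's immutable `sub` claim, assuming the ID token has already been verified (signature, issuer, audience, expiry) and that `claims` is its decoded payload; the sample claims are constructed.

```python
# Added example (not Truffle Security's or Google's code). Binding accounts to
# the immutable `sub` claim instead of the email address or `hd` (hosted
# domain) means a lapsed startup domain, bought and re-populated with old
# employee addresses, cannot resurrect those employees' SaaS accounts.
# Assumes the ID token was already verified; `claims` is its decoded payload.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    sub: str      # immutable subject identifier issued by the identity provider
    email: str    # informational only; a new domain owner can recreate it
    profile: dict = field(default_factory=dict)


class AccountStore:
    def __init__(self) -> None:
        self._by_sub: Dict[str, Account] = {}

    def login_by_email(self, claims: dict) -> Tuple[str, Optional[Account]]:
        """The weak pattern: trusts whatever email/domain the token carries."""
        email = claims["email"].lower()
        for acct in self._by_sub.values():
            if acct.email == email:
                return "login", acct      # recycled-domain sign-in succeeds
        return "signup", self._create(claims)

    def login_by_sub(self, claims: dict) -> Tuple[str, Optional[Account]]:
        """The hardened pattern: the account is keyed on `sub`, never email."""
        if not claims.get("email_verified"):
            return "rejected", None
        sub, email = claims["sub"], claims["email"].lower()
        acct = self._by_sub.get(sub)
        if acct is not None:
            acct.email = email            # same person; address may legitimately change
            return "login", acct
        # Unknown sub whose email collides with an existing account: do not
        # merge them. This is exactly the re-registered-domain case.
        if any(a.email == email for a in self._by_sub.values()):
            return "rejected", None
        return "signup", self._create(claims)

    def _create(self, claims: dict) -> Account:
        acct = Account(sub=claims["sub"], email=claims["email"].lower())
        self._by_sub[acct.sub] = acct
        return acct
```

A rejected collision is worth logging and reviewing: it is the signal that an address from a former employee's domain is being presented under a different subject identifier.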