- Purchasing domains from companies that have gone out of business could give access to their SaaS accounts, study finds
- Google says this is not a vulnerability and that companies need to make sure they don’t leave sensitive information behind.
- Researchers propose additional safeguards
Experts have discovered a vulnerability in Google’s “Sign in with Google” OAuth feature that could allow bad actors to access sensitive data belonging to companies that have gone out of business.
Google has acknowledged the flaw, but is doing little to address it, instead saying it’s up to companies to ensure the security of the data they leave behind.
The vulnerability was first discovered by security researchers at Truffle Security, who reported it to Google in late September 2024. However, it was not until the company’s CEO and co-founder, Dylan Ayrey, presented the issue at Shmoocon in December 2024 that Google responded.
Google suggests mitigation measures
Here’s how it works, in theory:
A business signs up for an HR service using its business email account and the “Sign in with Google” feature, and uses the HR platform for things like employee contracts, payments, and so on. Some time later, the company closes its doors and lets its domain registration lapse. A malicious actor then registers the same domain and recreates the same email address that was used to log in to the HR platform.
They then log in to the account on the HR platform, where they can access all the information and files left behind.
Google gave Truffle Security a small bounty, but decided not to pursue a solution. “We appreciate Dylan Ayrey’s help in identifying the risks of customers forgetting to remove third-party SaaS services as part of the opt-out of their activity,” a Google representative told BleepingComputer.
“As a best practice, we recommend that customers properly close domains by following these instructions to make this type of issue impossible. Additionally, we encourage third-party applications to follow best practices in using unique (sub)account identifiers to mitigate this risk.”
In other words, it’s up to businesses to ensure they don’t leave residual data behind.
Ayrey notes that a quick glance at Crunchbase returns more than 100,000 domains that could be abused in this way. He suggested that Google introduce immutable identifiers, and that SaaS providers cross-reference domain registration dates against their own records.
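To make the scenario above and the two proposed safeguards concrete, here is an added example (not code from the article, from Google, or from Truffle Security) of an account-lookup routine for a SaaS backend that accepts “Sign in with Google” ID tokens. It contrasts the weak pattern, where the e-mail address is the account key and a re-created mailbox on a re-registered domain inherits the old account, with a hardened lookup that keys on the token’s stable `sub` claim and refuses a login when the domain was registered after the account was created. The sample accounts, claims, and domain registration dates are constructed for illustration; `registration_date` is a hypothetical stand-in for the RDAP/WHOIS lookup a real deployment would perform, and the ID token is assumed to have already been verified (signature, audience, expiry) before its claims reach this code.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass
class Account:
    sub: str           # Google's stable per-user identifier from the ID token
    email: str         # the e-mail address the user signed up with
    created_on: date   # when this SaaS account was created


class LoginRejected(Exception):
    """Raised when the domain was (re)registered after the account existed."""


# Constructed sample data: an account created while the original company
# still owned its domain.
ACCOUNTS: List[Account] = [
    Account(sub="110000000000000000001",
            email="payroll@example-startup.test",
            created_on=date(2022, 3, 1)),
]

# Claims as a real deployment would read them from an already-verified ID token
# (constructed values). The original owner's login:
ORIGINAL_OWNER_CLAIMS: Dict[str, str] = {
    "sub": "110000000000000000001",
    "email": "payroll@example-startup.test",
}
# The same mailbox re-created under a new Google Workspace on the re-registered
# domain: identical e-mail address, but a different `sub`.
NEW_OWNER_CLAIMS: Dict[str, str] = {
    "sub": "110000000000000000999",
    "email": "payroll@example-startup.test",
}

# Hypothetical stand-in for an RDAP/WHOIS lookup of a domain's creation date.
DOMAIN_REGISTRY: Dict[str, date] = {
    "example-startup.test": date(2024, 11, 15),  # constructed: re-registered
}


def registration_date(domain: str) -> Optional[date]:
    """Hypothetical registry lookup; returns None when the date is unknown."""
    return DOMAIN_REGISTRY.get(domain.lower())


def weak_lookup(claims: Dict[str, str],
                accounts: List[Account] = ACCOUNTS) -> Optional[Account]:
    """Weak pattern: the e-mail address is the account key, so whoever can
    re-create the mailbox on a re-registered domain inherits the account."""
    wanted = claims["email"].lower()
    return next((a for a in accounts if a.email.lower() == wanted), None)


def domain_reregistered_after(account: Account,
                              lookup: Callable[[str], Optional[date]] = registration_date) -> bool:
    """Second safeguard: a registration date later than the account's creation
    date means the domain changed hands after the account was set up."""
    domain = account.email.rsplit("@", 1)[1]
    reg = lookup(domain)
    return reg is not None and reg > account.created_on


def hardened_lookup(claims: Dict[str, str],
                    accounts: List[Account] = ACCOUNTS,
                    lookup: Callable[[str], Optional[date]] = registration_date) -> Optional[Account]:
    """Hardened pattern: key on the immutable `sub` claim, never fall back to
    e-mail, and refuse the login if the domain is newer than the account."""
    match = next((a for a in accounts if a.sub == claims["sub"]), None)
    if match is None:
        # Unknown `sub`: the caller should provision a fresh, empty account
        # rather than hand over data tied to a different identity.
        return None
    if domain_reregistered_after(match, lookup):
        raise LoginRejected(
            f"{match.email}: domain registered after the account was created; "
            "hold for manual review")
    return match


if __name__ == "__main__":
    print("weak lookup returns:", weak_lookup(NEW_OWNER_CLAIMS))
    print("hardened lookup returns:", hardened_lookup(NEW_OWNER_CLAIMS))
```

Run stand-alone, the script shows the weak lookup handing the old payroll account to the new `sub`, while the hardened lookup returns `None` for it. The domain-date check is kept as a separate function because it also protects flows that never see a `sub` at all, such as e-mail-based password resets or pending invitations: an account whose domain was registered after the account itself should be held for review regardless of how the login arrived.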
Via BleepingComputer