Google OAuth Flaw Exposes Personal Data of Former Employees in Failed Startups

Dylan Ayrey, a security researcher, recently uncovered a vulnerability in Google OAuth that could allow cybercriminals to infiltrate cloud software applications through the "Sign in with Google" feature. This discovery has significant implications for former employees of failed startups, whose personal data may be at risk. The flaw centers on a sub-identifier that is meant to be unique for each Google account. Ayrey's research, however, found it to be unreliable, changing in about 0.04% of cases.

The repercussions of this flaw are widespread: for an HR provider that handles large numbers of users every day, that rate translates into numerous failed login attempts each week. The sub-identifier plays a crucial role in identifying users when they access cloud software accounts via OAuth. Initially, Google dismissed the issue as merely a "fraud" problem. After further investigation, however, the company reopened the case and awarded Ayrey a $1,337 bounty for his findings.

Ayrey's discovery revealed that tens of thousands of former employees and millions of software-as-a-service (SaaS) accounts face potential risk due to this oversight. During his research, he managed to gain access to various platforms, including ChatGPT, Slack, Notion, Zoom, and an HR system housing sensitive data like Social Security numbers, using a domain belonging to a failed startup.

Despite the severity of the flaw, Google has yet to implement a technical fix or announce when it might address the issue. The company disputes Ayrey's findings that the sub-identifier changes in any cases, although his research indicates otherwise. In response to the vulnerability, Google provides instructions to founders on correctly shutting down Google Workspace to mitigate the problem.

The situation is exacerbated by the availability of approximately 116,000 website domains from failed tech startups currently up for sale, making them prime targets for exploitation. Ayrey stumbled upon this flaw while preparing a talk on another Google OAuth vulnerability he planned to present at the ShmooCon security conference.

Ayrey's work, alongside his bug-finding partner Allison Donovan, earned them third prize in Google's annual security researcher awards and a $73,331 reward. According to Ayrey, the most significant threat lies in data held by cloud HR systems due to its sensitive nature.

"We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation." – Google spokesperson

Google's OAuth implementation includes a mechanism that should, in principle, prevent the risks Ayrey highlighted. That safeguard only works, however, if SaaS providers actively adopt the corresponding configuration. Ayrey also emphasizes that founders who are tasked with shutting down their companies may not be in the right mindset to consider every necessary step.
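To make the provider-side point concrete, here is an added example (not code from the article, from Ayrey, or from Google) of a "Sign in with Google" callback that keys accounts on the stable `sub` claim instead of the e-mail address, which a re-registered startup domain can reissue to a stranger. The claim names `sub`, `email` and `email_verified` are real Google ID-token claims; the `Account`/`AccountStore` classes and every value are constructed for the example, and token signature and issuer verification are assumed to have already happened.

```python
# Added example: account resolution for a Google OAuth login callback.
# Assumes `claims` is the payload of an ID token whose signature and issuer
# were already verified upstream (not shown). All data below is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    account_id: str
    email: str
    google_sub: Optional[str] = None   # stable per-Google-account identifier

class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self._accounts[acct.account_id] = acct

    def by_sub(self, sub: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.google_sub == sub), None)

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.email == email), None)

def login_by_email(store: AccountStore, claims: dict) -> Optional[Account]:
    # Weak pattern: whoever currently controls the address gets the account.
    return store.by_email(claims["email"])

def login_by_sub(store: AccountStore, claims: dict) -> Optional[Account]:
    # Hardened pattern: `sub` is the identity; the address is only a hint.
    if not claims.get("email_verified"):
        return None
    acct = store.by_sub(claims["sub"])
    if acct is not None:
        return acct
    acct = store.by_email(claims["email"])
    if acct is None:
        return None                      # unknown user: route to sign-up instead
    if acct.google_sub is None:
        acct.google_sub = claims["sub"]  # first Google login: link the sub once
        return acct
    return None                          # same address, different Google identity

# Constructed data: an employee record left behind by a wound-down company...
STORE = AccountStore()
STORE.add(Account("acct-1", "alice@oldstartup.example", google_sub="sub-alice-original"))
# ...and a token minted after the domain was re-registered by someone else.
NEW_OWNER_CLAIMS = {"sub": "sub-new-owner", "email": "alice@oldstartup.example",
                    "email_verified": True}
```

With the constructed data, `login_by_email` hands the old record to the new domain owner, while `login_by_sub` refuses because the stored `sub` does not match.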

"When the founder has to deal with shutting the company down, they’re probably not in a great head space to be able to think about all the things they need to be thinking about." – Dylan Ayrey
