Error in Google OAuth: Data of employees of failed start-ups at risk
A security researcher has discovered a bug in Google's OAuth that puts the data of employees of former companies at risk. There is no fix yet.
(Image caption: A security researcher has discovered a loophole in Google's OAuth that puts the data of ex-employees of failed start-ups at risk. Image: peterschreiber.media/Shutterstock.com)
Google's OAuth login apparently puts the personal data of ex-employees of failed start-ups that used Google Workspace at risk. The co-founder of the IT security company Truffle describes this in a blog post: Anyone who buys the domain of such a company can use Google's OAuth to access old employee accounts for services integrated into Google Workspace such as Slack, ChatGPT, Notion, Zoom or human resources platforms. Sensitive data is often stored on HR platforms in particular. Apparently, all you have to do is recreate the email account of an ex-employee on the domain.
Access to the platforms via Google's OAuth login works because the service in question, such as Slack, decides whether to accept a login based on specific identifiers contained in the OAuth response.
One such rule might be "All accounts on @failedstartup.com can access the failed start-up's Slack". If this is the only rule Slack uses to accept or reject the login, a new domain owner who recreates the email address of an ex-employee can simply access every Slack channel that employee had access to.
Proposed solution: unique identifiers
According to the blog post, the problem could be solved if Google included two unchangeable, unique identifiers in the OpenID Connect attributes of its OAuth implementation: a unique user ID that never changes and a unique workspace ID tied to the domain.
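To make the difference between the two login rules concrete, here is an added example that is not from the article, from Google, or from any of the services named. It contrasts the domain-only rule described above ("any verified @failedstartup.com address gets in") with a check that also binds each account to a stable user identifier and a workspace identifier, as the blog post proposes. The claims `sub`, `email`, `email_verified` and `hd` are standard OpenID Connect claims that Google's ID tokens carry; the `workspace_id` claim is hypothetical and stands in for the immutable workspace ID the post asks Google to add. All tokens below are constructed, not real Google tokens.

```python
# Added example: domain-only OAuth login rule vs. a rule bound to stable
# identifiers. Not code from the article, Google, or any named service.
# `workspace_id` is a hypothetical claim; the tokens are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    sub: Optional[str] = None           # stable user id, bound at first login
    workspace_id: Optional[str] = None  # hypothetical immutable workspace id


class Tenant:
    """One customer workspace of a SaaS service (e.g. a Slack workspace)."""

    def __init__(self, domain: str, workspace_id: str):
        self.domain = domain
        self.workspace_id = workspace_id
        self.accounts: dict[str, Account] = {}


def domain_only_login(tenant: Tenant, claims: dict) -> Optional[Account]:
    """Weak rule from the article: any verified @domain address is accepted,
    and an existing account with that address is simply reused."""
    email = claims.get("email", "")
    if claims.get("email_verified") and email.endswith("@" + tenant.domain):
        return tenant.accounts.setdefault(email, Account(email))
    return None


def bound_login(tenant: Tenant, claims: dict) -> Optional[Account]:
    """Hardened rule: the email domain is necessary but not sufficient."""
    email = claims.get("email", "")
    sub = claims.get("sub")
    ws = claims.get("workspace_id")  # hypothetical claim (see lead-in)
    if not (claims.get("email_verified") and email.endswith("@" + tenant.domain)):
        return None
    if not sub or ws != tenant.workspace_id:
        return None  # missing sub, or a different workspace: domain changed hands
    acct = tenant.accounts.get(email)
    if acct is None:
        acct = Account(email, sub, ws)  # first login: bind the stable ids
        tenant.accounts[email] = acct
        return acct
    if acct.sub is None:
        return None  # legacy account never bound: needs out-of-band re-verification
    if acct.sub != sub:
        return None  # same address, different Google identity: reject
    return acct


# Constructed claims: the genuine employee, then the new domain owner who
# recreated the same address after buying the domain.
EMPLOYEE_TOKEN = {
    "sub": "100000000000000000001", "email": "alice@failedstartup.com",
    "email_verified": True, "hd": "failedstartup.com", "workspace_id": "ws-original",
}
NEW_OWNER_TOKEN = {
    "sub": "200000000000000000002", "email": "alice@failedstartup.com",
    "email_verified": True, "hd": "failedstartup.com", "workspace_id": "ws-new-owner",
}


def run_scenario() -> dict:
    """Employee logs in first; later the new domain owner presents the same address."""
    weak = Tenant("failedstartup.com", "ws-original")
    strict = Tenant("failedstartup.com", "ws-original")
    return {
        "weak_employee": domain_only_login(weak, EMPLOYEE_TOKEN) is not None,
        "weak_new_owner": domain_only_login(weak, NEW_OWNER_TOKEN) is not None,
        "bound_employee": bound_login(strict, EMPLOYEE_TOKEN) is not None,
        "bound_new_owner": bound_login(strict, NEW_OWNER_TOKEN) is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the domain-only rule the new owner is handed the ex-employee's existing account; with the bound rule the login fails on the workspace check, and even a token carrying the right workspace ID is rejected when its `sub` differs from the one recorded at the employee's first login.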
Google initially responded to the report, which was submitted together with the proposed solution via Google's Security Vulnerability Disclosure Program, by stating that it would not fix the problem. Three months later, on December 19, 2024, Google reopened the ticket and paid the author a bug bounty. A fix is still pending, however.
According to the blog post, until such a fix arrives neither the providers of the platforms nor the ex-employees of a failed company have any means of protecting their data against exploitation of the OAuth gap.
(kst)