- Buying domains from companies that are shutting down can provide access to their SaaS accounts, research shows
- Google claims that it is not a vulnerability and that companies should ensure that they do not leave sensitive information behind
- Researchers suggest additional safety measures
Experts have found a vulnerability in Google’s OAuth feature “Sign in with Google” that could allow malicious actors to access sensitive data belonging to businesses that have shut down.
Google acknowledged the bug but is not doing much to fix it, instead saying it’s up to companies to ensure the security of the data they leave behind.
The vulnerability was first discovered by security researchers from Trufflesecurity, who reported it to Google in late September 2024. However, it was only after the company’s CEO and co-founder, Dylan Ayrey, presented the problem at Shmoocon in December 2024 that Google responded.
Google suggests restrictions
This is how it works in theory:
A company signs up for an HR service using its company email account and the “Sign in with Google” feature. It uses the HR service for things like employee contracts, payments and more. Some time later, the company shuts down and terminates the domain. Then, a malicious actor registers the same domain and recreates the same email address that was used to log into the HR service.
They then proceed to log into the account on the HR platform where they can access all the information and files left behind.
Google awarded Trufflesecurity a small bounty but decided not to pursue a solution: “We appreciate Dylan Ayrey’s help in identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of scaling down their operation,” a Google representative told. Bleeping Computer.
“As a best practice, we recommend that customers properly close domains by following these instructions to make this type of issue impossible. In addition, we encourage third-party apps to follow the best practice of using the unique account IDs (below) to mitigate this risk.”
In other words, it is up to the companies to ensure that they do not leave behind any residual data.
Ayrey notes that a quick look through Crunchbase returns more than 100,000 domains that can be abused in this way. He suggested that Google introduce immutable identifiers while SaaS providers add cross-reference dates for domain registration.
Via Bleeping Computer
