- Buying domains from companies that go out of business could give them access to your SaaS accounts, research finds
- Google argues that it is not a vulnerability and that companies should make sure they do not leave sensitive information behind.
- Researchers propose additional safeguards
Experts have found a vulnerability in Google’s “Sign in with Google” OAuth feature that could allow malicious actors to access sensitive data belonging to companies that have gone out of business.
Google acknowledged the flaw, but isn’t doing much to fix it, rather saying it’s up to companies to ensure the security of the data they leave behind.
The vulnerability was first discovered by security researchers at Trufflesecurity, who reported it to Google in late September 2024. However, it wasn’t until after the company’s CEO and co-founder, Dylan Ayrey, raised the issue. at Shmoocon in December 2024 that Google reacted.
Google suggests mitigations
This is how it works, in theory:
A company signs up for a human resources service using its business email account and the “Sign in with Google” feature. Use the HR service for things like employee contracts, payments, and more. Some time later, the business closes and cancels the domain. After that, a malicious actor registers the same domain and recreates the same email address used to log in to the HR service.
They then proceed to log into the account on the human resources platform, where they can access all the information and files left behind.
Google gave Trufflesecurity a small reward, but decided not to pursue a solution: “We appreciate Dylan Ayrey’s help in identifying risks from customers forgetting to remove third-party SaaS services as part of opting out,” said a representative from Trufflesecurity. Google. beepcomputer.
“As a best practice, we recommend customers properly close domains by following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best practices by using unique (sub) account identifiers to mitigate this risk.”
In other words, it’s up to companies to make sure they don’t leave residual data behind.
Ayrey notes that a quick look at Crunchbase turns up more than 100,000 domains that can be abused in this way. He suggested that Google introduce immutable identifiers, while SaaS providers add cross-referenced domain registration dates.
Through beepcomputer
