Security firm explains how a flaw in Google's OAuth authentication can be exploited to pose as someone else
Security firm Truffle Security has reported a flaw in Google's
Millions of Accounts Vulnerable due to Google's OAuth Flaw ◆ Truffle Security Co.
https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
To verify the flaws, Truffle Security actually purchased the domain of one of the bankrupt companies and demonstrated that they were able to access the accounts of former employees of various SaaS services used by the company, including ChatGPT, Slack, Notion, Zoom, and the HR system. The HR system was particularly serious, as it contained sensitive information such as social security numbers, pay stubs, and insurance information.
Truffle Security points out that the root cause is Google's user authentication system. The current authentication system uses email addresses and domain names as the main identifiers, and when a new domain owner creates a Google Workspace account with the same domain, it provides the same authentication information as the previous owner, allowing access to the old account. In addition, Google provides a claim called subject (sub) as a unique identifier, but Truffle Security claims that it is subject to change very rarely and therefore cannot be trusted as an identifier.
According to Truffle Security, at the time of writing, approximately 6 million Americans work for technology startups, 90% of which ultimately fail, and 50% of which use Google Workspace, so millions of accounts are at potential risk. Truffle Security's research also found that more than 100,000 domains were available for purchase from bankrupt startups, warning that the impact of this problem is extremely large.
Truffle Security reported the issue to Google's security team, but it was initially rejected as 'intended behavior.' However, after Truffle Security decided to give a talk about the issue at a security event, Google changed its policy and offered a $1,337 reward to work on a fix.
To solve this problem, Truffle Security proposes the introduction of two new identifiers: a unique, unchanging user ID and a unique, unchanging workspace ID tied to a domain. With these identifiers, Truffle Security says service providers can reliably distinguish between old and new accounts and prevent unauthorized access.
As an interim solution to this problem, Truffle Security suggested that startups disable password-based authentication and enforce single sign-on and two-factor authentication, and that service providers require additional authentication when resetting a password, such as an SMS code or credit card verification.
On the social news site Hacker News , some people said that it was inappropriate to think of this as a flaw in Google's OAuth authentication, and that it was a fundamental problem with authentication based on domain ownership. Truffle Security also said that 'sub claims cannot be trusted,' but that the problem could be prevented by using these sub claims appropriately. In any case, many people on HackerNews took the view that 'rather than a technical flaw, this is an issue that shows the limitations of domain-based authentication and the need to manage domains and personal information after bankruptcy.'
Related Posts:
in Web Service, Security, Posted by log1i_yk