Google OAuth Flaw Leads to Account Takeover When Domain Ownership Changes

A vulnerability in Google’s OAuth implementation can be abused to take over the accounts of former employees of failed startups by purchasing their domains, according to a report from secrets scanning firm Truffle Security.

The issue is relatively straightforward: when purchasing a failed startup’s domain, anyone can re-create old employee e-mail accounts and use them to access the different SaaS products the startup used.

While re-creating an old employee e-mail account does not provide access to the data stored by Google, it could grant access to data stored on services such as Slack, Zoom, ChatGPT, and others, on HR systems and interview platforms, and to direct messages on chat platforms.

Purchasing such a domain and accessing these services could expose sensitive personal information, internal information, and other sensitive data, Truffle Security co-founder and CEO Dylan Ayrey warned.

Ayrey documented the discovery of more than 100,000 domains belonging to failed startups currently on sale, and suggests that approximately 10 million accounts potentially containing sensitive data may be at risk.

The underlying problem is that, when using ‘Sign in with Google’ to log in to a service, a set of claims about the user, including the hosted domain and user’s email address, is sent, so that the service provider can determine if the user should log in.

“Here’s the issue: if a service (e.g., Slack) relies solely on these two claims, ownership changes to the domain won’t look any different to Slack. When someone buys the domain of a defunct company, they inherit the same claims, granting them access to old employee accounts,” Ayrey explained.

Responding to a SecurityWeek inquiry, a Google spokesperson pointed out that any data leaks that may occur in this situation are the result of data not being erased by the startups when shutting down operations.

“We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation,” Google’s representative said.

“As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk,” the spokesperson added.

To protect against these risks, downstream providers have levers in place, such as a unique account identifier (sub) field within their applications, and unique-identifier keys per user, so that specific data is not accessible to other entities.

According to Ayrey, however, the ‘sub’ claim is inconsistent and unreliable, and cannot be used to uniquely identify users, meaning that services mainly rely on the ‘email’ and ‘hosted domain’ claims to identify users.

Ayrey proposes the implementation of two immutable identifiers within Google’s OpenID Connect (OIDC) claims, namely a unique user ID and a unique workspace ID tied to the domain, saying that downstream providers cannot protect user data without them.
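The email-plus-hosted-domain versus sub distinction discussed above, as an added example that is not from the article, Truffle Security or Google: a constructed account record and two constructed sets of ID-token claims, with a lookup keyed on email and hd beside one keyed on sub that refuses and flags a login whose sub no longer matches the stored record. Whether sub is stable enough for this in practice is exactly the point Ayrey disputes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    account_id: str
    sub: str    # per-user identifier carried in the Google ID token
    email: str
    hd: str     # hosted-domain claim

# Constructed sample: one stored record for a former employee of a defunct startup.
ACCOUNTS = [
    Account("acct-001", "sub-original-1234", "alice@defunct.example", "defunct.example"),
]

# Constructed ID-token claims. The first set is what the original employee's logins
# carried; the second is what a re-created mailbox under the re-registered domain
# would carry: identical email and hd, but a different sub.
CLAIMS_ORIGINAL = {"sub": "sub-original-1234", "email": "alice@defunct.example",
                   "hd": "defunct.example", "email_verified": True}
CLAIMS_NEW_OWNER = {"sub": "sub-new-9876", "email": "alice@defunct.example",
                    "hd": "defunct.example", "email_verified": True}

def lookup_by_email_hd(claims: dict, accounts: list) -> Optional[Account]:
    """Weak lookup: keys on claims that survive a change of domain ownership."""
    for acct in accounts:
        if acct.email == claims.get("email") and acct.hd == claims.get("hd"):
            return acct
    return None

def resolve_login(claims: dict, accounts: list) -> tuple:
    """Hardened lookup along the lines of Google's advice: the sub claim decides.

    Returns (status, account). 'match' links the session to the stored account;
    'conflict' means email and hd match a record whose sub differs, which is the
    situation a domain takeover (or a deleted-and-recreated user) produces, so
    the login is refused and the record is flagged for review; 'unknown' means
    no record at all.
    """
    if not claims.get("email_verified"):
        return ("unknown", None)
    for acct in accounts:
        if acct.sub == claims.get("sub"):
            return ("match", acct)
    stale = lookup_by_email_hd(claims, accounts)
    if stale is not None:
        return ("conflict", stale)
    return ("unknown", None)
```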

The researcher reported the issue to Google in late September 2024 and was initially informed that this was intended behavior. In December, however, the internet giant re-opened the ticket and paid a $1,337 bug bounty reward, notifying Ayrey that a fix was in the works.
