Google OAuth Vulnerability Exposes Millions of Accounts to Data Breaches and Account Takeovers

A critical flaw in Google’s OAuth authentication system allows hackers to take over the accounts of former employees of failed startups by purchasing those startups’ domains. The vulnerability puts millions of sensitive personal and business accounts at risk, including data stored in services like Slack, Zoom, and HR systems. Despite Google’s acknowledgment of the issue, a permanent fix is still pending, leaving users vulnerable to unauthorized access.

Google OAuth Vulnerability Exposes Millions of Accounts to Potential Takeover

A critical vulnerability in Google’s OAuth authentication system is leaving millions of accounts exposed, putting sensitive personal and business data at risk. This flaw, discovered by security researcher Dylan Ayrey, specifically impacts former employees of defunct startups whose domains are up for sale, enabling unauthorized access to various online accounts linked to those domains.

The problem lies in Google’s “Sign in with Google” feature, which is used to authenticate users across a wide range of online services, such as Slack, Zoom, Notion, and even HR systems. When a user logs in, Google sends the service a set of claims, including the user’s email address and hosted domain. These claims can be exploited if a hacker purchases the domain of a failed startup and recreates email accounts for its former employees. Although the attacker cannot access the original email data, they can use the recreated accounts to gain entry to a variety of third-party services associated with the domain.

Scope of the Vulnerability

According to Ayrey, the vulnerability has far-reaching implications. He identified over 100,000 defunct startup domains available for purchase, with an estimated 10 million accounts at risk of being compromised. This includes access to sensitive information stored in services such as ChatGPT, Slack, Zoom, and HR platforms that contain personal data, social security numbers, tax documents, and even interview feedback. Notably, employee information on these platforms remains accessible through OAuth, as domain ownership changes do not trigger adequate security checks to prevent unauthorized access.

Why the ‘Sub’ Field Fails to Protect Users

Google’s OAuth system includes a “sub” field, which is intended to uniquely identify users and prevent account takeovers. However, Ayrey and other security experts have found that this identifier is unreliable. The inconsistency of the “sub” field makes it an insufficient safeguard, leaving many services dependent on the less secure “email” and “hosted domain” claims to authenticate users. This is where the flaw emerges: when a domain is bought by a third party, logins from that domain carry the same claims, thereby granting the buyer access to accounts associated with the old employees.

Ayrey has proposed that Google introduce two immutable identifiers in its OpenID Connect (OIDC) claims: one for the user and another for the workspace tied to the domain. These changes would ensure that even if domain ownership changes, accounts remain securely protected.

Google’s Response and Mitigation Efforts

Initially, Google dismissed the vulnerability, stating it was “working as intended” and that the issue fell under “fraud and abuse” rather than OAuth/login concerns. However, after further investigation and Ayrey’s public exposure of the flaw at Shmoocon in December 2024, Google reopened the case and awarded Ayrey a $1,337 bug bounty.

In response to concerns, Google has updated its documentation, advising developers to use the “sub” field as a unique identifier when implementing OAuth and to avoid relying on email addresses. Despite these measures, many downstream service providers, such as Slack and Zoom, still lack effective defenses against the vulnerability without the proposed OIDC changes from Google.
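The following is an added example, not code from the article or from Google, illustrating the account-lookup logic behind the “sub” versus “email” discussion above and Google’s updated guidance. The claim sets are constructed samples standing in for verified ID-token payloads; the “sub” values are made up and the domain is a placeholder.

```python
# Added example: why a relying party that keys accounts on the email/hd claims
# lets a re-purchased domain inherit old accounts, while keying on 'sub' does not.
# All claim values below are constructed; they are not real Google identifiers.
from dataclasses import dataclass

# Claims as a service would see them after verifying the ID token signature.
# The original employee and the domain buyer who recreated the same mailbox
# present identical 'email' and 'hd' claims; only the Google-issued 'sub' differs.
ORIGINAL_EMPLOYEE = {
    "sub": "100000000000000000001",            # constructed
    "email": "alice@defunct-startup.example",  # placeholder domain
    "hd": "defunct-startup.example",
}
DOMAIN_BUYER = {
    "sub": "200000000000000000002",            # constructed, a different Google identity
    "email": "alice@defunct-startup.example",  # same mailbox recreated on the bought domain
    "hd": "defunct-startup.example",
}

@dataclass
class Account:
    sub: str
    email: str
    hd: str

class EmailKeyedStore:
    """Weak pattern: the account record is looked up by the mutable email claim."""
    def __init__(self):
        self.accounts = {}
    def login(self, claims):
        acct = self.accounts.get(claims["email"])
        if acct is None:  # first sign-in creates the account
            acct = Account(claims["sub"], claims["email"], claims["hd"])
            self.accounts[acct.email] = acct
        return acct

class SubKeyedStore:
    """Pattern in Google's updated guidance: look the account up by 'sub'."""
    def __init__(self):
        self.accounts = {}
    def login(self, claims):
        acct = self.accounts.get(claims["sub"])
        if acct is None:  # unknown 'sub' gets a fresh, empty account, never someone else's
            acct = Account(claims["sub"], claims["email"], claims["hd"])
            self.accounts[acct.sub] = acct
        return acct

def inherits_account(store_cls) -> bool:
    """True if the domain buyer's login lands in the original employee's account."""
    store = store_cls()
    original = store.login(ORIGINAL_EMPLOYEE)  # employee signed in while the startup existed
    later = store.login(DOMAIN_BUYER)          # buyer signs in after acquiring the domain
    return later is original
```

The email-keyed store hands the buyer the employee’s existing account; the sub-keyed store creates a separate account for the new identity instead, which is the behaviour the updated documentation is aiming for.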

Broader Security Concerns and Long-Term Impact

While Google’s update to its OAuth documentation is a step in the right direction, the vulnerability continues to expose a wide range of personal and business data. The lack of immutable identifiers means that even users who have been off-boarded from a startup have no control over the fate of their data in linked accounts.

This vulnerability also introduces risks beyond OAuth, such as the potential for password reset attacks, where an attacker could use an old email address to reset a user’s password for other services. Experts recommend that startups disable password-based authentication and enforce single sign-on (SSO) with two-factor authentication (2FA) to mitigate these risks.

Conclusion

Google’s OAuth vulnerability underscores a significant security gap in the authentication flow, with serious implications for millions of users, particularly those who were once employed by startups that have since shut down. While the company is aware of the issue and has started to address it, the absence of a fix leaves sensitive data exposed. Until Google implements a more robust solution, such as the addition of immutable identifiers, the risk of unauthorized access will continue to threaten the security of millions of accounts.