Українська правда

Researcher was able to extract data from expired Google Workspace domains and says they pose a security risk


Google Workspace and the OAuth authorization system for signing in with Google are very popular among startups and businesses. However, a new study has revealed a serious vulnerability that can occur if companies do not properly close their Google accounts before their domains expire and go up for sale, Ars Technica reports.

Dylan Ayrey, founder of the cybersecurity company Truffle Security, has discovered a systemic issue that allows attackers to exploit expired domains associated with Google Workspace accounts. By purchasing an expired domain, Ayrey demonstrated the ability to reactivate the Google accounts associated with that domain, which could provide access to third-party services connected via Google OAuth.

In his experiment, Ayrey purchased a domain previously used by a failed startup. Through the reactivated accounts, he successfully gained access to services such as Slack, ChatGPT, Zoom, and HR platforms. He obtained sensitive data, including tax documents, interview details, and private messages, which highlights the privacy and security risks.

Google recognized the results of the study and emphasized the importance of following best practices when closing Workspace accounts. "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services," a Google representative noted.

Despite these recommendations, Ayrey criticized the effectiveness of Google's security measures. The company initially dismissed the issue, classifying it as "planned behavior," but later reopened the case after the research gained attention. Google paid him a bug bounty of $1,337 and noted that the likelihood of exploitation was low, but it had a significant potential impact.

The main problem is related to Google's use of a unique user identifier, known as a "sub", in its OAuth system. This identifier is supposed to remain unchanged and serve as a key to verify users. However, Ayrey found that many third-party services did not implement or effectively use this field to prevent re-access to accounts. All the services he tested failed to block access.
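As an added illustration of the point above (this is not code from the article or from Truffle Security), the snippet below contrasts a relying party that links Google logins by e-mail address with one that keys them on the "sub" claim; the class names, the account store and the ID-token claims are all constructed for the example.

```python
from dataclasses import dataclass, field
# Added illustration, not code from the article or Truffle Security: a relying
# party keying Google sign-in on the stable "sub" claim instead of e-mail, so an
# account recreated under a re-registered domain is not silently linked to the
# old owner's data. Claims are constructed; real ID tokens need signature checks.

@dataclass
class Account:
    sub: str
    email: str
    data: list = field(default_factory=list)
class EmailKeyedRP:
    """Looks accounts up by e-mail only: a new Google identity that reuses an
    old address inherits the old record (the failure the article describes)."""
    def __init__(self):
        self.by_email = {}
    def login(self, claims):
        acct = self.by_email.get(claims["email"])
        if acct is None:
            acct = self.by_email[claims["email"]] = Account(claims["sub"], claims["email"])
        return acct

class SubKeyedRP:
    """Keys accounts on "sub"; a known e-mail arriving with a different "sub"
    is a different identity and is refused rather than linked."""
    def __init__(self):
        self.by_sub, self.by_email = {}, {}
    def login(self, claims):
        acct = self.by_sub.get(claims["sub"])
        if acct is not None:
            return acct
        if claims["email"] in self.by_email:  # same address, new Google identity
            raise PermissionError(f"{claims['email']} now presents sub {claims['sub']}")
        acct = Account(claims["sub"], claims["email"])
        self.by_sub[acct.sub] = self.by_email[acct.email] = acct
        return acct

# Constructed claims: the original employee, then a login from an account
# recreated on the same address after the domain changed hands.
ORIGINAL = {"sub": "100000000000000001", "email": "alice@failed-startup.example"}
RECREATED = {"sub": "100000000000000042", "email": "alice@failed-startup.example"}
def data_seen_by_recreated_account(rp_class):
    # Returns what the recreated account can read, or None if the RP refused it.
    rp = rp_class()
    rp.login(ORIGINAL).data.append("tax-document.pdf")
    try:
        return rp.login(RECREATED).data
    except PermissionError:
        return None
```

With the e-mail-keyed store the recreated account reads the old owner's document; with the sub-keyed store the mismatch is refused and can be routed to manual review.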

Ayrey proposed adding two new immutable identifiers to OpenID Connect: one associated with the user and another associated with the domain. As of January 14, Google has not yet responded to the proposal or reported any progress in this area.

This vulnerability is particularly alarming given the high rate of failure among startups, which frequently use Google Workspace and other SaaS platforms. According to Ayrey, about 50% of startups rely on Workspace, and the rapid turnover of domains creates a significant pool of potential targets.

Although Ayrey's tests were mainly focused on startups, any organization that hasn't closed its Google accounts before selling a domain could be vulnerable. Despite Google's assurances that the sub field is a strong defense, the results of the study point to the need for better security.
