Dylan Ayrey, co-founder and CEO of Truffle Security, has discovered a security flaw that puts employees of failed startups at risk of having their personal data stolen. The issue centers around Google OAuth, the technology behind “Sign in with Google” that allows users to log in to various services without a password. Ayrey found that if malicious hackers purchased the defunct domains of a failed startup, they could use them to log in to various cloud software configured to allow every employee in the company to have access.
This includes company chat or video apps where hackers could discover former employees’ actual emails. With the domain and these emails, hackers could exploit the “Sign in with Google” option to access numerous cloud apps, potentially unearthing more employee emails and data. Ayrey tested this vulnerability by buying a failed startup’s domain and was able to log in to ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers.
“The biggest threat is the data from a cloud HR system,” Ayrey noted, adding that this data is “the easiest to monetize.” He emphasized that old Gmail accounts or Google Docs created by employees are not at risk, a point confirmed by Google. Startups are particularly vulnerable because they often rely heavily on Google apps and cloud software. Ayrey estimates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts.
He based this figure on research showing 116,000 domains from failed tech startups currently available for sale. Google does have technical measures in its OAuth configuration intended to prevent these risks, if the SaaS cloud provider uses them.
Google OAuth exposes startup data risk
This includes a “sub-identifier,” a unique series of numbers for each Google account. However, Ayrey discovered that this identifier could be unreliable in a very small percentage of cases. Initially, Google dismissed Ayrey’s discovery as a “fraud” issue rather than a bug.
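The mitigation described above comes down to which claim in Google's ID token a SaaS application uses as the account key. The following is an added illustration, not code from Truffle Security, Google or any of the products named in the article: it contrasts a relying party that looks accounts up by e-mail address (so anyone Google will vouch for under a re-created address on a re-purchased domain inherits the old account) with one that keys on the `sub` claim and treats a known e-mail arriving with an unknown `sub` as a conflict to be resolved manually. The token payloads, client ID and account IDs are constructed; signature, expiry and nonce verification are assumed to have been done upstream by the OIDC library. The conflict branch also covers the caveat the article raises about `sub` being unreliable in rare cases: an unrecognised `sub` never silently maps to an existing account.

```python
"""Email-keyed vs. sub-keyed account linking for "Sign in with Google".

Illustrative code only. Claims are shaped like Google OpenID Connect ID-token
payloads, but every value below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "example-saas-client-id.apps.googleusercontent.com"  # constructed

# Constructed payload for the original employee's Workspace account.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "100000000000000000001",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}
# Same address re-created under a new Workspace tenant after the domain was
# bought by someone else. Google issues a different sub for the new account.
DOMAIN_BUYER = {**ORIGINAL_EMPLOYEE, "sub": "200000000000000000002"}


def validate_claims(claims: dict) -> None:
    """Checks every relying party should make before trusting any claim."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this application")
    if not claims.get("email_verified"):
        raise ValueError("email not verified by Google")


@dataclass
class Account:
    account_id: str
    email: str
    google_sub: str


class EmailKeyedDirectory:
    """Weak pattern: the account is found by e-mail alone, so whoever Google
    vouches for under that address (on whatever tenant) gets the account."""

    def __init__(self) -> None:
        self._by_email: dict[str, Account] = {}

    def provision(self, account_id: str, claims: dict) -> Account:
        validate_claims(claims)
        acct = Account(account_id, claims["email"].lower(), claims["sub"])
        self._by_email[acct.email] = acct
        return acct

    def login(self, claims: dict) -> Optional[Account]:
        validate_claims(claims)
        return self._by_email.get(claims["email"].lower())


class SubKeyedDirectory:
    """Hardened pattern: `sub` is the identity key and e-mail is only a display
    attribute. A known e-mail with an unknown sub is a conflict for a manual
    re-linking flow, never a silent login."""

    def __init__(self) -> None:
        self._by_sub: dict[str, Account] = {}
        self._emails: set[str] = set()

    def provision(self, account_id: str, claims: dict) -> Account:
        validate_claims(claims)
        acct = Account(account_id, claims["email"].lower(), claims["sub"])
        self._by_sub[acct.google_sub] = acct
        self._emails.add(acct.email)
        return acct

    def login(self, claims: dict) -> tuple[Optional[Account], str]:
        validate_claims(claims)
        acct = self._by_sub.get(claims["sub"])
        if acct is not None:
            return acct, "ok"
        if claims["email"].lower() in self._emails:
            return None, "conflict: known email, unknown sub"
        return None, "unknown user"


def email_keyed_outcome() -> Optional[str]:
    """Which account, if any, the domain buyer lands in under email keying."""
    d = EmailKeyedDirectory()
    d.provision("acct-42", ORIGINAL_EMPLOYEE)
    hit = d.login(DOMAIN_BUYER)
    return hit.account_id if hit else None


def sub_keyed_outcome(claims: dict = DOMAIN_BUYER) -> tuple[Optional[str], str]:
    """Account ID (or None) and reason for a login attempt under sub keying."""
    d = SubKeyedDirectory()
    d.provision("acct-42", ORIGINAL_EMPLOYEE)
    acct, reason = d.login(claims)
    return (acct.account_id if acct else None), reason


if __name__ == "__main__":
    print("email-keyed, domain buyer:", email_keyed_outcome())
    print("sub-keyed, domain buyer:  ", sub_keyed_outcome())
    print("sub-keyed, original user: ", sub_keyed_outcome(ORIGINAL_EMPLOYEE))
```

The `hd` claim is carried along to show that a tenant check alone would not help here: the buyer's new Workspace tenant legitimately owns the same domain, so only the per-account `sub` distinguishes the two logins.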
However, after Ayrey’s presentation at ShmooCon, Google reopened the ticket and awarded him a $1,337 bounty. This mirrors a similar incident in 2021, when Google reopened a ticket after Ayrey’s talk at the Black Hat cybersecurity conference. Google has not yet issued a technical fix for the flaw, nor provided a timeline for one.
Meanwhile, the company has updated its guidelines for cloud providers to use the sub-identifier. Google also offers advice to founders on properly shutting down Google Workspace and preventing such problems. “We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation,” a Google spokesperson stated.
Ayrey, himself a founder, understands that shutting down a company is a complex process during what can be an emotionally trying time. “When the founder has to deal with shutting the company down, they’re probably not in a great head space to be able to think about all the things they need to be thinking about,” Ayrey added.