Google OAuth vulnerability exposes millions via failed domains

Dylan Ayrey, a security researcher and co-founder of Truffle Security, has discovered a significant vulnerability in Google’s “Sign in with Google” authentication system. This flaw puts the personal data of employees at failed startups at risk of being stolen. When a startup shuts down, its domain often goes up for sale.

If the company fails to properly close its Google accounts, malicious hackers can purchase the defunct domain and use it to log into various cloud software apps that the former employees had access to. Ayrey demonstrated this by buying a failed startup’s domain. He was able to log into ChatGPT, Slack, Notion, Zoom, and an HR system containing sensitive information like Social Security numbers.

“That’s probably the biggest threat,” Ayrey said, as the data from a cloud HR system is “the easiest they can monetize.”

Startup employees are particularly vulnerable to this issue because startups tend to rely heavily on Google’s apps and cloud software.

Google OAuth vulnerability jeopardizes failed startups

Ayrey estimates that tens of thousands of former employees and millions of SaaS software accounts are at risk, based on his research that found 116,000 website domains currently available for sale from failed tech startups.

Google does have a technology called a “sub-identifier” that should prevent these risks if used by the SaaS cloud provider. However, an affected HR provider discovered that this identifier was unreliable in a small percentage of cases, leading to hundreds of failed logins each week. Initially, Google dismissed Ayrey’s bug report, but later changed its mind and paid him a $1,337 bounty.
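
The mitigation the article alludes to, as an added example that is not the article's or Truffle Security's code: a SaaS login handler that keys accounts on the stable `sub` claim of Google's ID token instead of the email address, and refuses to silently link a login whose email matches an existing account but whose `sub` differs, which is exactly what a re-registered domain produces. The `sub`, `email`, `email_verified` and `hd` claim names are standard Google ID token claims; the user store and the two token payloads are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    LOGIN = "login"              # known sub: proceed
    NEW_ACCOUNT = "new_account"  # never seen this sub or email: create
    STEP_UP = "step_up"          # email known but sub differs: do not auto-link


@dataclass
class User:
    sub: str
    email: str


def insecure_lookup(users, claims):
    """Email-keyed linking: whoever controls the domain controls the account."""
    for u in users:
        if u.email.lower() == claims.get("email", "").lower():
            return Decision.LOGIN
    return Decision.NEW_ACCOUNT


def secure_lookup(users, claims):
    """Key on 'sub'. The 'hd' (hosted domain) claim is identical for the old
    and the re-registered Workspace, so a domain check cannot tell them apart;
    only the 'sub' changes. An email match with a new 'sub' is routed to a
    manual or step-up verification instead of being linked automatically."""
    if not claims.get("email_verified", False):
        return Decision.STEP_UP
    by_sub = {u.sub: u for u in users}
    if claims.get("sub") in by_sub:
        return Decision.LOGIN
    by_email = {u.email.lower(): u for u in users}
    if claims.get("email", "").lower() in by_email:
        return Decision.STEP_UP
    return Decision.NEW_ACCOUNT


# Constructed sample data (not real accounts or tokens): the original
# employee's record, the token Google issued to that employee, and a token
# issued to a new Workspace built on the same re-purchased domain.
USERS = [User(sub="100000000000000000001", email="alice@failed-startup.example")]
ORIGINAL_TOKEN = {"sub": "100000000000000000001", "email": "alice@failed-startup.example",
                  "email_verified": True, "hd": "failed-startup.example"}
TAKEOVER_TOKEN = {"sub": "200000000000000000009", "email": "alice@failed-startup.example",
                  "email_verified": True, "hd": "failed-startup.example"}
```

Running both lookups against `TAKEOVER_TOKEN` shows the difference: the email-keyed handler logs the new domain owner straight into the former employee's account, while the `sub`-keyed handler holds the login for verification.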

The company has updated its documentation to advise cloud providers on how to properly shut down Google Workspace to prevent the problem, but has not yet issued a technical fix or timeline for addressing the issue. Ayrey understands the challenges founders face when shutting down a company, acknowledging that they may not be in the best headspace to think about all the necessary steps. Ultimately, the responsibility falls on founders to ensure that all cloud services are properly closed to protect their former employees’ data.