Reports from cybersecurity firms or major news outlets

Google OAuth Flaw Exposes 6 Million Americans via Defunct Domains

Jan 16, 2025, 06:07 AM

A critical vulnerability in Google's OAuth authentication system has exposed millions of accounts to potential compromise. The flaw allows attackers to exploit defunct domains of failed startups to recreate email accounts of former employees. Using these accounts, attackers can gain unauthorized access to various SaaS platforms, including HR systems, communication tools, and other sensitive services. The vulnerability affects approximately 6 million Americans, particularly those who have worked for startups. The issue stems from Google's reliance on domain ownership for authentication, which does not account for domain ownership changes. Google initially classified the issue as 'working as intended' before reopening the case, paying a bounty for the disclosure, and acknowledging the need for a fix. Security experts have proposed the addition of immutable identifiers to Google's OpenID Connect claims to address the flaw. However, the vulnerability remains unresolved, leaving millions of accounts at risk.