
A Flaw in Google's "Sign in with Google" Authentication Process Could Expose Sensitive User Data

Jan 15, 2025 at 09:04 pm

A significant flaw within OAuth (Open Authorization) via Google's "Sign in with Google" authentication process could expose sensitive user data.

A critical vulnerability in OAuth (Open Authorization) via Google's "Sign in with Google" authentication flow can lead to the exposure of sensitive user data. By exploiting a weakness related to domain ownership, attackers can gain unauthorized access to various applications, including critical SaaS platforms.

Discovered by Truffle Security, the vulnerability stems from the ability to purchase the domains of failed startups and re-create the email accounts once used by former employees. While this does not grant access to the previous mailbox contents, it does let an attacker use the re-created accounts to log in to SaaS products that the original accounts could access.

Other compromised platforms include communication, project management, and even interview systems, exposing sensitive business and candidate data to exploitation.

OAuth lets users grant websites or applications access to their data held by other services, such as Google, without sharing passwords. When the "Sign in with Google" feature is used, Google shares key user claims, such as the user's email address and hosted domain, with the third-party application so that it can authenticate the user.

Problems arise when apps rely solely on these claims for user authentication. If an organization ceases operations and its domain becomes available for purchase, attackers can acquire the domain, re-create email accounts, and use these to regain access to SaaS accounts tied to the defunct domain.

Furthermore, Google's OAuth ID tokens include a unique user identifier, the "sub" claim, that could in principle mitigate this vulnerability. However, Truffle found this identifier to be unreliable in practice. In contrast, Microsoft Entra includes both "sub" and "oid" claims, providing an immutable user identifier that prevents such exploits.
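To make the difference concrete, here is an added example (not code from the article, Truffle Security, or Google) of the two account-mapping choices described above, in Python. It assumes the ID token's signature, issuer and audience have already been verified and only the decoded claims are passed in; the account records and claim values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    issuer: str   # "iss" claim captured when the account was first linked
    subject: str  # "sub" claim captured when the account was first linked
    email: str

# Constructed sample: an account linked by a former employee of a defunct company.
ACCOUNTS = [
    Account("acct-1001", "https://accounts.google.com",
            "sub-original-111", "alice@defunct-startup.example"),
]

def lookup_by_email(claims):
    """Vulnerable mapping: trusts the email (and hd) claims alone.
    Whoever later controls the domain can re-create the mailbox and obtain a
    token carrying the same email, so this lookup returns the old account."""
    return next((a for a in ACCOUNTS if a.email == claims["email"]), None)

def lookup_by_subject(claims):
    """Hardened mapping: keys the account on (iss, sub). A re-created mailbox
    is a new Google identity and receives a different sub."""
    key = (claims["iss"], claims["sub"])
    return next((a for a in ACCOUNTS if (a.issuer, a.subject) == key), None)

def resolve_login(claims):
    """Policy: sub match logs in; an email match with a different sub is not
    silently merged but held for review; unknown identities start fresh."""
    if not claims.get("email_verified", False):
        return ("reject", None)
    by_sub = lookup_by_subject(claims)
    if by_sub is not None:
        return ("login", by_sub.account_id)
    by_email = lookup_by_email(claims)
    if by_email is not None:
        return ("review", by_email.account_id)  # same email, different identity
    return ("new_account", None)
```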

This vulnerability affects millions of users across widely adopted SaaS applications such as OpenAI ChatGPT, Slack, Notion, and Zoom. The potential compromise is particularly concerning for accounts linked to HR systems, exposing highly sensitive personal and financial information.

Google initially classified the flaw as "intended behavior" but re-opened the bug report on December 19, 2024, after further evaluation. The company awarded Truffle Security's Dylan Ayrey a bounty of $1,337 and has labeled the issue an "abuse-related methodology with high impact."
