Market Cap: $2.6828T -1.450%
Volume(24h): $129.8872B 65.260%
  • Market Cap: $2.6828T -1.450%
  • Volume(24h): $129.8872B 65.260%
  • Fear & Greed Index:
  • Market Cap: $2.6828T -1.450%
Cryptos
Topics
Cryptospedia
News
CryptosTopics
Videos
Top News
Cryptos
Topics
Cryptospedia
News
CryptosTopics
Videos
bitcoin
bitcoin

$83571.608249 USD

-1.38%

ethereum
ethereum

$1826.028236 USD

-3.02%

tether
tether

$0.999839 USD

-0.01%

xrp
xrp

$2.053149 USD

-2.48%

bnb
bnb

$601.140115 USD

-0.44%

solana
solana

$120.357332 USD

-3.79%

usd-coin
usd-coin

$0.999833 USD

-0.02%

dogecoin
dogecoin

$0.166175 USD

-3.43%

cardano
cardano

$0.652521 USD

-3.00%

tron
tron

$0.236809 USD

-0.59%

toncoin
toncoin

$3.785339 USD

-5.02%

chainlink
chainlink

$13.253231 USD

-3.91%

unus-sed-leo
unus-sed-leo

$9.397427 USD

-0.19%

stellar
stellar

$0.266444 USD

-1.00%

sui
sui

$2.409007 USD

1.15%

Cryptocurrency News Articles

A Flaw in Google's "Sign in with Google" Authentication Process Could Expose Sensitive User Data

Jan 15, 2025 at 09:04 pm

A significant flaw within OAuth (Open Authorization) via Google's "Sign in with Google" authentication process could expose sensitive user data.

A Flaw in Google's "Sign in with Google" Authentication Process Could Expose Sensitive User Data

A critical vulnerability in OAuth (Open Authorization) via Google's "Sign in with Google" authentication flow can lead to the exposure of sensitive user data. By exploiting a weakness related to domain ownership, attackers can gain unauthorized access to various applications, including critical SaaS platforms.

Discovered by Truffle Security, the vulnerability stems from the ability to purchase domains of failed startups and re-create email accounts once used by former employees. While this doesn't allow access to previous email data, it does enable attackers to utilize these accounts to log in to SaaS products initially accessible with those credentials.

Other compromised platforms include communication, project management, and even interview systems, exposing sensitive business and candidate data to exploitation.

Users can grant websites or applications access to their data from other services such as Google via OAuth without sharing passwords. When using the "Sign in with Google" feature, Google shares key user claims—like email and domain information—with third-party applications to authenticate users.

Problems arise when apps rely solely on these claims for user authentication. If an organization ceases operations and its domain becomes available for purchase, attackers can acquire the domain, re-create email accounts, and use these to regain access to SaaS accounts tied to the defunct domain.

Furthermore, Google's OAuth ID tokens include a unique user identifier—the "sub claim"—that could technically mitigate this vulnerability. However, Truffle found this identifier unreliable in practice. In contrast, Microsoft Entra includes both "sub" and "oid" claims, ensuring an immutable user identifier to prevent such exploits.

This vulnerability affects millions of users across widely adopted SaaS applications such as OpenAI ChatGPT, Slack, Notion, and Zoom. The potential compromise is particularly concerning for accounts linked to HR systems, exposing highly sensitive personal and financial information.

Google initially classified the flaw as "intended behavior" but re-opened the bug report on December 19, 2024, after further evaluation. The tech giant awarded Dylan Ayrey a bounty of $1,337 and has labeled the issue as an "abuse-related methodology with high impact."

Disclaimer:info@kdj.com

The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!

If you believe that the content used on this website infringes your copyright, please contact us immediately (info@kdj.com) and we will delete it promptly.

Other articles published on Apr 03, 2025