谷歌「使用谷歌登入」身份驗證過程中的缺陷可能會洩露敏感用戶數據

透過 Google 的「使用 Google 登入」驗證流程的 OAuth（開放授權）中存在重大缺陷，可能會暴露敏感的使用者資料。

A critical vulnerability in OAuth (Open Authorization) via Google's "Sign in with Google" authentication flow can lead to the exposure of sensitive user data. By exploiting a weakness related to domain ownership, attackers can gain unauthorized access to various applications, including critical SaaS platforms.

透過 Google 的「使用 Google 登入」驗證流程的 OAuth（開放授權）中的一個嚴重漏洞可能會導致敏感使用者資料的洩漏。透過利用與網域所有權相關的弱點，攻擊者可以獲得對各種應用程式的未經授權的訪問，包括關鍵的 SaaS 平台。

Discovered by Truffle Security, the vulnerability stems from the ability to purchase domains of failed startups and re-create email accounts once used by former employees. While this doesn't allow access to previous email data, it does enable attackers to utilize these accounts to log in to SaaS products initially accessible with those credentials.

該漏洞由 Truffle Security 發現，源於購買失敗新創公司的網域名稱並重新創建前員工曾經使用過的電子郵件帳戶的能力。雖然這不允許存取先前的電子郵件數據，但它確實使攻擊者能夠利用這些帳戶登入最初可以使用這些憑證存取的 SaaS 產品。

Other compromised platforms include communication, project management, and even interview systems, exposing sensitive business and candidate data to exploitation.

其他受損平台包括通訊、專案管理，甚至面試系統，使敏感的業務和候選人資料遭到利用。

Users can grant websites or applications access to their data from other services such as Google via OAuth without sharing passwords. When using the "Sign in with Google" feature, Google shares key user claims—like email and domain information—with third-party applications to authenticate users.

使用者可以透過 OAuth 授予網站或應用程式從其他服務（例如 Google）存取其資料的權限，而無需共用密碼。使用「使用 Google 登入」功能時，Google 會與第三方應用程式共用關鍵使用者聲明（例如電子郵件和網域資訊）以對使用者進行身份驗證。

Problems arise when apps rely solely on these claims for user authentication. If an organization ceases operations and its domain becomes available for purchase, attackers can acquire the domain, re-create email accounts, and use these to regain access to SaaS accounts tied to the defunct domain.

當應用程式僅依賴這些聲明進行使用者身份驗證時，就會出現問題。如果組織停止運作並且其網域可供購買，攻擊者可以獲得該網域，重新建立電子郵件帳戶，並使用這些帳戶重新獲得與失效網域綁定的 SaaS 帳戶的存取權。

Furthermore, Google's OAuth ID tokens include a unique user identifier—the "sub claim"—that could technically mitigate this vulnerability. However, Truffle found this identifier unreliable in practice. In contrast, Microsoft Entra includes both "sub" and "oid" claims, ensuring an immutable user identifier to prevent such exploits.

此外，Google 的 OAuth ID 令牌包含一個唯一的使用者識別碼（「sub 聲明」），可從技術上緩解此漏洞。然而，Truffle 發現這個標識符在實務上並不可靠。相較之下，Microsoft Entra 包含「sub」和「oid」聲明，確保使用者識別碼不可變以防止此類漏洞利用。

This vulnerability affects millions of users across widely adopted SaaS applications such as OpenAI ChatGPT, Slack, Notion, and Zoom. The potential compromise is particularly concerning for accounts linked to HR systems, exposing highly sensitive personal and financial information.

該漏洞影響 OpenAI ChatGPT、Slack、Notion 和 Zoom 等廣泛採用的 SaaS 應用程式中的數百萬用戶。對於與人力資源系統關聯的帳戶來說，潛在的危害尤其令人擔憂，從而暴露了高度敏感的個人和財務資訊。

Google initially classified the flaw as "intended behavior" but re-opened the bug report on December 19, 2024, after further evaluation. The tech giant awarded Dylan Ayrey a bounty of $1,337 and has labeled the issue as an "abuse-related methodology with high impact."

谷歌最初將該缺陷歸類為“預期行為”，但經過進一步評估後，於 2024 年 12 月 19 日重新開放了錯誤報告。這家科技巨頭向 Dylan Ayrey 提供了 1,337 美元的賞金，並將該問題標記為「具有高影響力的濫用相關方法」。