A significant flaw in OAuth (Open Authorization) in Google's "Sign in with Google" authentication process could expose sensitive user data.
A critical vulnerability in OAuth (Open Authorization) via Google's "Sign in with Google" authentication flow can lead to the exposure of sensitive user data. By exploiting a weakness related to domain ownership, attackers can gain unauthorized access to various applications, including critical SaaS platforms.
Discovered by Truffle Security, the vulnerability stems from the ability to purchase domains of failed startups and re-create email accounts once used by former employees. While this doesn't allow access to previous email data, it does enable attackers to utilize these accounts to log in to SaaS products initially accessible with those credentials.
Other compromised platforms include communication, project management, and even interview systems, exposing sensitive business and candidate data to exploitation.
Users can grant websites or applications access to their data from other services such as Google via OAuth without sharing passwords. When using the "Sign in with Google" feature, Google shares key user claims—like email and domain information—with third-party applications to authenticate users.
Problems arise when apps rely solely on these claims for user authentication. If an organization ceases operations and its domain becomes available for purchase, attackers can acquire the domain, re-create email accounts, and use these to regain access to SaaS accounts tied to the defunct domain.
Furthermore, Google's OAuth ID tokens include a unique user identifier—the "sub claim"—that could technically mitigate this vulnerability. However, Truffle found this identifier unreliable in practice. In contrast, Microsoft Entra includes both "sub" and "oid" claims, ensuring an immutable user identifier to prevent such exploits.
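As an added illustration (not code from the article or from Truffle Security), here is the account-linking logic the paragraph above contrasts: one lookup keyed on the email claim, one keyed on the `sub` claim, run against constructed claims for an original employee and for a mailbox re-created on a re-registered domain. Token signature, audience and expiry checks are assumed to have been done already by a JWT library; the domain, account and `sub` values are invented, while the claim names (`email`, `email_verified`, `hd`, `sub`) follow Google's ID token fields.

```python
# Added example (not the article's or Truffle Security's code): how a relying
# party links a "Sign in with Google" ID token to a local account.
# Assumes the token's signature, audience and expiry were already verified
# by a JWT library; every claim value below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    account_id: str
    email: str
    sub: str  # Google's per-user identifier carried in the ID token


@dataclass
class AccountStore:
    by_email: Dict[str, Account] = field(default_factory=dict)
    by_sub: Dict[str, Account] = field(default_factory=dict)

    def add(self, acct: Account) -> None:
        self.by_email[acct.email.lower()] = acct
        self.by_sub[acct.sub] = acct


def login_by_email(store: AccountStore, claims: dict) -> Optional[Account]:
    """Weak linking: the email (and hd) claims alone decide who you are.
    Whoever owns the domain later can re-create the same mailbox."""
    if not claims.get("email_verified"):
        return None
    return store.by_email.get(claims["email"].lower())


def login_by_sub(store: AccountStore, claims: dict) -> Optional[Account]:
    """Hardened linking: match on the sub claim. A mailbox re-created on a
    re-registered domain is a new Google identity with a different sub."""
    return store.by_sub.get(claims["sub"])


def domain_reuse_demo() -> dict:
    """Replays the article's scenario with constructed claims."""
    store = AccountStore()
    store.add(Account("acct-42", "alice@failed-startup.example", "sub-original"))
    # Claims for a mailbox re-created after the domain changed hands:
    # same address and hd, but a fresh sub value (constructed).
    replay = {"email": "alice@failed-startup.example", "email_verified": True,
              "hd": "failed-startup.example", "sub": "sub-recreated"}
    return {
        "email_lookup_grants_access": login_by_email(store, replay) is not None,
        "sub_lookup_grants_access": login_by_sub(store, replay) is not None,
    }
```

The article notes that Truffle found Google's `sub` claim unreliable in practice, so the hardened lookup only closes the gap where that identifier actually stays stable for a user.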
This vulnerability affects millions of users across widely adopted SaaS applications such as OpenAI ChatGPT, Slack, Notion, and Zoom. The potential compromise is particularly concerning for accounts linked to HR systems, exposing highly sensitive personal and financial information.
Google initially classified the flaw as "intended behavior" but re-opened the bug report on December 19, 2024, after further evaluation. The tech giant awarded Dylan Ayrey a bounty of $1,337 and has labeled the issue as an "abuse-related methodology with high impact."