Google Workspace Issue Results In Passwordless Takeovers Of Expired Domains

SC Media reports that millions of online service provider accounts created by employees of now-defunct startups could be subject to passwordless takeovers that exploit the startups' expired domains together with Google Workspace's single sign-on functionality.

Speaking at the ShmooCon conference, Dylan Ayrey, a researcher at Truffle Security, said takeovers facilitated by the purchase of dormant domains are not only possible with Cloudflare, Zoom, Slack, and ChatGPT accounts, but also those for HR software platform Gusto, workplace management platform Asana, and productivity software Notion.

"The most eye-opening were probably HR systems, which allowed you to log in and see the W-2's and Social Security numbers and bank routing numbers of old employees," said Ayrey.

This recent news prompted Google to update its SSO, OpenID Connect, and OAuth guidance. Google recently made the following statement:

"When implementing your account management system, you shouldn't use the email field in the ID token as a unique identifier for a user. Always use the sub field as it is unique to a Google Account even if the user changes their email address."
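As an added illustration (example code written for this page, not taken from the article or from Google's documentation), the snippet below contrasts an account lookup keyed on the ID token's email claim with one keyed on sub, and shows why only the second survives a domain being re-registered. The claims, account records and sub values are constructed sample data, and signature, audience and expiry validation is assumed to have already been done by an OIDC library.

```python
# Added example, not from the article or Google's docs. The claims below are
# assumed to have already been verified (signature, audience, expiry) by an
# OIDC library; this only shows how the relying party keys its accounts.

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Local account stores (constructed): the same record, keyed two ways.
ACCOUNTS_BY_EMAIL = {
    "alice@defunct-startup.example": {"name": "Alice", "w2_years": ["2019", "2020"]},
}
ACCOUNTS_BY_SUB = {
    "118000000000000000001": {"name": "Alice", "w2_years": ["2019", "2020"]},
}

# ID token claims for the original employee (constructed sample values).
ORIGINAL_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "118000000000000000001",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
}

# Claims for a Workspace user created after the domain was re-registered
# (constructed): identical email address, but Google issues a different sub
# because it is a different Google Account.
NEW_OWNER_CLAIMS = dict(ORIGINAL_CLAIMS, sub="118000000000000000002")


def login_by_email(claims):
    """Weak: keys the account on the mutable, reassignable email address."""
    return ACCOUNTS_BY_EMAIL.get(claims["email"])


def login_by_sub(claims):
    """Hardened: keys the account on the stable sub claim, per Google's guidance.

    sub is only unique within one issuer, so the issuer is checked as well.
    Returning None tells the caller to create a fresh, empty account rather
    than attach this login to an existing one."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return None
    return ACCOUNTS_BY_SUB.get(claims["sub"])


if __name__ == "__main__":
    # Email-keyed lookup hands the old employee's record to the domain's new owner.
    print("email-keyed:", login_by_email(NEW_OWNER_CLAIMS))
    # sub-keyed lookup finds nothing: the new owner starts with a new account.
    print("sub-keyed:  ", login_by_sub(NEW_OWNER_CLAIMS))
```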
