Google Workspace Issue Results In Passwordless Takeovers Of Expired Domains

SC Media reports that millions of online service provider accounts created by employees of now-defunct startups could be subjected to passwordless takeovers through the exploitation of those firms' expired domains and Google Workspace's single sign-on functionality.

Speaking at the ShmooCon conference, Dylan Ayrey, a researcher at Truffle Security, said takeovers facilitated by the purchase of dormant domains are not only possible with Cloudflare, Zoom, Slack, and ChatGPT accounts, but also those for HR software platform Gusto, workplace management platform Asana, and productivity software Notion.

"The most eye-opening were probably HR systems, which allowed you to log in and see the W-2's and Social Security numbers and bank routing numbers of old employees," said Ayrey.

This recent news prompted Google to update its SSO, OpenID Connect, and OAuth guidance. Google recently made the following statement:

"When implementing your account management system, you shouldn't use the email field in the ID token as a unique identifier for a user. Always use the sub field as it is unique to a Google Account even if the user changes their email address."
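The guidance above is easiest to see in code. The following is an added example, not code from the article, from Google, or from any of the named providers: it contrasts an account store that links logins by the ID token's `email` claim with one that links by the issuer plus `sub` pair. The claim dictionaries are constructed samples standing in for already-verified ID tokens (signature, issuer, audience and expiry checks are assumed to have happened before these claims are trusted), and the `Account` data field is a placeholder for the kind of sensitive records the article mentions.

```python
# Added example (not the article's or Google's own code): linking accounts by the
# ID-token "email" claim lets a new Google Account that re-creates an old address
# inherit the old account; keying on (iss, sub) keeps them separate.
# Claims below are constructed dicts, not real tokens, and are assumed to have
# already passed signature, issuer, audience and expiry verification.

from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str
    data: str  # constructed stand-in for sensitive records (payroll, W-2s, ...)


class EmailKeyedStore:
    """Vulnerable pattern: the email claim is treated as the user's identity."""

    def __init__(self) -> None:
        self._by_email: dict[str, Account] = {}
        self._next_id = 1

    def login(self, claims: dict) -> Account:
        email = claims["email"].lower()
        acct = self._by_email.get(email)
        if acct is None:
            acct = Account(self._next_id, email, data="")
            self._next_id += 1
            self._by_email[email] = acct
        return acct  # anyone who later obtains this email address gets this account


class SubKeyedStore:
    """Hardened pattern: identity is (iss, sub); email is a mutable attribute."""

    def __init__(self) -> None:
        self._by_subject: dict[tuple[str, str], Account] = {}
        self._next_id = 1

    def login(self, claims: dict) -> Account:
        # "sub" is only guaranteed unique within one issuer, so key on both.
        key = (claims["iss"], claims["sub"])
        acct = self._by_subject.get(key)
        if acct is None:
            acct = Account(self._next_id, claims["email"].lower(), data="")
            self._next_id += 1
            self._by_subject[key] = acct
        else:
            # The address may change (or be re-issued to someone else);
            # the account's identity does not.
            acct.email = claims["email"].lower()
        return acct


# Constructed claims: the original employee, then a different Google Account
# that re-created the same address after the startup's domain lapsed and was
# re-registered under a new Workspace tenant. Note the differing "sub" values.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "sub": "110000000000000000001",
    "email": "alice@defunct-startup.example",
}
NEW_DOMAIN_OWNER = {
    "iss": "https://accounts.google.com",
    "sub": "110000000000000000002",
    "email": "alice@defunct-startup.example",
}


def simulate(store) -> tuple[bool, str]:
    """Log in as the original employee, store data, then log in with the new
    account that carries the same email. Returns (same_account, data_visible)."""
    first = store.login(ORIGINAL_EMPLOYEE)
    first.data = "W-2 and bank routing data"  # constructed placeholder
    second = store.login(NEW_DOMAIN_OWNER)
    return first.account_id == second.account_id, second.data


if __name__ == "__main__":
    # Email-keyed: the second login lands in the first user's account (takeover).
    print("email-keyed:", simulate(EmailKeyedStore()))
    # Sub-keyed: the second login gets a fresh, empty account.
    print("sub-keyed:  ", simulate(SubKeyedStore()))
```

In a real service the `(iss, sub)` pair belongs in a unique index on the account table, and `email` should be treated as display and contact information that can change, never as the lookup key. Existing deployments that already linked by email need a migration that records the `sub` on each user's next successful login before email-based matching is switched off.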
