Tech & Startup

Vulnerability in ‘Sign in with Google’ risks millions of accounts: Report

Startups are advised by Dylan Ayrey to disable password-based authentication, enforce single sign-on (SSO) with two-factor authentication, and implement additional verification steps for password resets. Image: Mohamed Hassan/Pixabay.

A critical flaw in Google's OAuth authentication system, a way for users to grant third-party applications access to their Google account information without sharing their password, has left millions of user accounts vulnerable to potential data theft, according to a recent report by Truffle Security, an open-source security project.

The issue, rooted in how Google handles domain ownership in its "Sign in with Google" flow, enables bad actors to exploit defunct domains from failed startups to gain unauthorised access to sensitive data.

The vulnerability arises when a malicious party purchases a dormant domain of a failed company and recreates email accounts previously linked to it. Although they cannot retrieve past email correspondence, these reconstructed accounts can be used to log into various third-party services, including SaaS platforms like ChatGPT, Slack, Notion, Zoom, and HR systems. This exposes sensitive information, such as social security numbers, tax documents, and private communications, according to the report.

The scale of the problem is vast, as startups form a significant part of the US economy, with 6 million Americans working for them. However, with 90% of startups eventually failing and half relying on Google Workspace, the risks multiply. An analysis of available domains suggests that over 10 million accounts tied to failed startups could be compromised, posing a significant security challenge, as per the report.

The flaw lies in Google's reliance on two OAuth claims: the hosted domain (hd) and email address. These claims are used by downstream service providers to authenticate users. When domain ownership changes, the system fails to distinguish between legitimate users and those exploiting the acquired domain. While a "sub claim" (a unique identifier) is theoretically available, its inconsistencies make it unreliable in practice, the report states.
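As an added illustration of the claim-handling problem described above (this is example code, not code from the report, from Truffle Security, or from Google), the Python below contrasts a downstream service that keys accounts on the hd and email claims with one that keys on the sub claim. The account names, the in-memory directory and the two sets of ID token claims are constructed; the claims stand in for an already signature-verified ID token.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Account:
    sub: str    # OIDC subject identifier seen when the account was first linked
    email: str
    hd: str     # hosted domain claim (the Workspace domain)


@dataclass
class Directory:
    """In-memory user store indexed two ways so both policies can be compared."""
    by_sub: dict = field(default_factory=dict)
    by_email: dict = field(default_factory=dict)

    def add(self, acct: Account) -> None:
        self.by_sub[acct.sub] = acct
        self.by_email[acct.email.lower()] = acct


def validate_claims(claims: dict) -> None:
    """Sanity checks a relying party should make before any account lookup."""
    for key in ("sub", "email", "hd"):
        if not claims.get(key):
            raise ValueError(f"missing claim: {key}")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified by the identity provider")
    if not claims["email"].lower().endswith("@" + claims["hd"].lower()):
        raise ValueError("email does not belong to the hosted domain")


def login_by_hd_email(directory: Directory, claims: dict) -> Optional[Account]:
    """Policy A: trust hd + email only.

    Whoever controls the domain and recreates the mailbox presents identical
    hd and email claims, so the former employee's account is returned."""
    validate_claims(claims)
    acct = directory.by_email.get(claims["email"].lower())
    if acct is not None and acct.hd.lower() == claims["hd"].lower():
        return acct
    return None


def login_by_sub(directory: Directory, claims: dict) -> Tuple[str, Optional[Account]]:
    """Policy B: key on sub. Returns (decision, account) where decision is
    'ok', 'needs_verification' or 'new_user'."""
    validate_claims(claims)
    acct = directory.by_sub.get(claims["sub"])
    if acct is not None:
        return "ok", acct
    collision = directory.by_email.get(claims["email"].lower())
    if collision is not None:
        # Same email and domain but a different subject: the domain may have
        # changed hands. The report notes sub is not always consistent, so the
        # safe move is out-of-band verification, not silent linking or a hard reject.
        return "needs_verification", collision
    return "new_user", None


# Constructed sample claims (hypothetical domain and identifiers).
ORIGINAL_CLAIMS = {
    "sub": "100000000000000000001",
    "email": "alice@failed-startup.example",
    "hd": "failed-startup.example",
    "email_verified": True,
}
# Same mailbox recreated after the domain was re-registered: email and hd
# are identical, only the subject differs.
RE_REGISTERED_CLAIMS = {
    "sub": "200000000000000000002",
    "email": "alice@failed-startup.example",
    "hd": "failed-startup.example",
    "email_verified": True,
}


def build_demo_directory() -> Directory:
    """Directory as it looked while the startup was still running."""
    d = Directory()
    d.add(Account(sub=ORIGINAL_CLAIMS["sub"],
                  email=ORIGINAL_CLAIMS["email"],
                  hd=ORIGINAL_CLAIMS["hd"]))
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print("hd+email policy returns:", login_by_hd_email(d, RE_REGISTERED_CLAIMS))
    print("sub policy decides:", login_by_sub(d, RE_REGISTERED_CLAIMS)[0])
```

Under policy A the re-registered mailbox resolves to Alice's old account, which is the exposure the report describes; under policy B it is flagged for verification. Because the report says sub is inconsistent in practice, the mismatch branch is routed to a verification step rather than treated as proof of either identity or fraud.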

Dylan Ayrey, the author of the report, who demonstrated the vulnerability, reported it to Google in September 2024, proposing fixes such as introducing immutable identifiers for users and workspaces in Google's OpenID Connect claims. Initially dismissed as a "fraud and abuse" issue, the report was reopened on 19 December 2024 following public attention and a security conference presentation. Google has since acknowledged the issue, awarding a $1,337 bounty, and indicated plans to develop a fix, though specifics remain undisclosed.

For now, downstream providers and individual users remain largely unprotected against this vulnerability. Startups are advised by Dylan Ayrey to disable password-based authentication, enforce single sign-on (SSO) with two-factor authentication, and implement additional verification steps for password resets. However, these measures only address secondary risks and do not resolve the fundamental issue of OAuth-based domain exploits.

Google's eventual response signals progress, but until robust solutions are in place, millions of accounts remain exposed, highlighting the urgent need for stronger security protocols in authentication systems.
