Google OAuth Vulnerability Exposes Millions via Failed Startup Domains

Summary: Recent research describes a weakness in Google's "Sign in with Google" authentication flow: when a startup shuts down and its domain lapses, whoever registers the domain next can recreate the former employees' Google Workspace accounts and log in to the SaaS applications those employees used. Because downstream providers identify users by the email and hosted-domain claims in Google's ID token, the new domain owner inherits the old accounts and the data in them. The flaw potentially exposes data belonging to millions of users linked to defunct startups.

Threat Actor: Unknown
Victim: Millions of users (former employees of defunct startups whose domains have lapsed)

Key Points:

  • An attacker who purchases the lapsed domain of a defunct startup can set up a new Google Workspace tenant on it, recreate former employees' email addresses, and use "Sign in with Google" to enter the SaaS applications those employees had used.
  • Sensitive data reachable this way includes HR documents, tax information, and candidate feedback held in those applications.
  • Google's ID token carries a per-user identifier (the sub claim) that is meant to stay constant, but the research found it inconsistent in a small share of logins, so downstream providers fall back to the email and hosted-domain claims, which a new owner of the domain can reproduce exactly.
  • Google initially dismissed the report, then reopened the bug and awarded a bounty.
  • Downstream software providers currently have no reliable signal in the ID token to distinguish the original account holder from a later owner of the same domain and address.
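The two account-linking patterns at the heart of this issue, as an added illustration that is not code from the article, from the researchers or from Google. The "tokens" are constructed dicts standing in for the claims of an ID token whose signature has already been verified; the service names, the sample addresses and the "send a sub mismatch to manual review" policy are assumptions of this example. It shows why keying an account on the email and hosted-domain claims lets a new domain owner inherit it, and what pinning the sub claim at first login buys you, with the caveat that the research found sub itself inconsistent in a small share of logins.

```python
"""Account linking for a SaaS app that accepts "Sign in with Google".

Added example, not code from the article, Truffle Security or Google.  The
claims below are constructed dicts standing in for an ID token payload that
has already been signature-checked; the class names, sample addresses and
the review-on-mismatch policy are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    hd: str                 # hosted-domain (Workspace) claim from the ID token
    sub: str                # Google's per-user identifier claim
    documents: list = field(default_factory=list)


class EmailKeyedLinking:
    """Vulnerable pattern: the account is found by (hd, email) alone.

    Whoever re-registers the lapsed domain, recreates the address in a fresh
    Workspace tenant and signs in lands in the old employee's account.
    """

    def __init__(self):
        self.accounts = {}

    def login(self, claims):
        key = (claims["hd"], claims["email"].lower())
        if key not in self.accounts:
            self.accounts[key] = Account(claims["email"], claims["hd"], claims["sub"])
        return self.accounts[key]


class SubPinnedLinking:
    """Hardened pattern: pin the sub seen at first login to the address.

    A later login for the same address with a different sub is treated as a
    possible domain takeover and bounced to manual re-verification.  Because
    the research observed sub changing for a small share of legitimate logins,
    this check yields occasional false positives and is a tripwire, not a
    proof of identity; it cannot be the only control.
    """

    def __init__(self):
        self.accounts = {}
        self.review_queue = []      # (email, pinned sub, presented sub)

    def login(self, claims):
        key = (claims["hd"], claims["email"].lower())
        acct = self.accounts.get(key)
        if acct is None:
            acct = Account(claims["email"], claims["hd"], claims["sub"])
            self.accounts[key] = acct
            return acct
        if acct.sub != claims["sub"]:
            self.review_queue.append((claims["email"], acct.sub, claims["sub"]))
            raise PermissionError("sub mismatch for existing account; re-verify out of band")
        return acct


# Constructed scenario: an employee of a startup that later folds, then an
# attacker who buys the lapsed domain and recreates the same address in a new
# Workspace tenant.  Same email and hd claims, different sub.
ORIGINAL_EMPLOYEE = {"email": "alice@failed-startup.example", "hd": "failed-startup.example",
                     "sub": "100000000000000000001", "email_verified": True}
DOMAIN_SQUATTER = {"email": "alice@failed-startup.example", "hd": "failed-startup.example",
                   "sub": "999999999999999999999", "email_verified": True}


def run_scenario():
    """Return (vulnerable_pattern_leaks_data, hardened_pattern_blocks_login)."""
    weak = EmailKeyedLinking()
    weak.login(ORIGINAL_EMPLOYEE).documents.append("2023 W-2 (constructed)")
    leaked = weak.login(DOMAIN_SQUATTER).documents     # same Account object, same data

    strong = SubPinnedLinking()
    strong.login(ORIGINAL_EMPLOYEE).documents.append("2023 W-2 (constructed)")
    try:
        strong.login(DOMAIN_SQUATTER)
        blocked = False
    except PermissionError:
        blocked = True
    return bool(leaked), blocked


if __name__ == "__main__":
    print(run_scenario())   # (True, True)
```

The hardened class only reduces the exposure window: an attacker who reclaims the domain before any sub is pinned still creates a fresh account cleanly, and a legitimate user whose sub changes lands in the review queue. The research's point is that nothing in the token today lets a provider close that gap on its own.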

Source: https://thehackernews.com/2025/01/google-oauth-vulnerability-exposes.html