Google OAuth Vulnerability Exposes Sensitive Data Through Defunct Domain Exploitation

• Attackers who re-create email accounts of repurchased inactive domains can use the OAuth function to gain access to connected SaaS accounts.
• Potentially compromised services include communication, project management, and even interview systems.
• The flaw could impact SaaS applications like OpenAI ChatGPT, Slack, Notion, and Zoom.

A significant flaw within OAuth (Open Authorization) via Google's "Sign in with Google" authentication process could expose sensitive user data. Exploiting a vulnerability related to domain ownership, attackers could gain unauthorized access to various apps, including critical SaaS platforms.

According to Truffle Security, the vulnerability stems from the ability to purchase domains of failed startups and re-create email accounts once used by former employees. 

While this doesn’t allow access to previous email data, it does enable attackers to utilize these accounts to log in to SaaS products initially accessible with those credentials. 

Other compromised platforms include communication, project management, and even interview systems, exposing sensitive business and candidate data to exploitation.

Users can grant websites or applications access to their data from other services such as Google via OAuth without sharing passwords. When using the "Sign in with Google" feature, Google shares key user claims—like email and domain information—with third-party applications to authenticate users. 

Problems arise when apps rely solely on these claims for user authentication. If an organization ceases operations and its domain becomes available for purchase, attackers can acquire the domain, re-create email accounts, and use these to regain access to SaaS accounts tied to the defunct domain.

Moreover, Google's OAuth ID tokens include a unique user identifier—the "sub claim"—that could technically mitigate this vulnerability. However, Truffle found this identifier unreliable in practice. By contrast, Microsoft Entra includes both "sub" and "oid" claims, ensuring an immutable user identifier to prevent such exploits.

This vulnerability affects millions of users across widely adopted SaaS applications such as OpenAI ChatGPT, Slack, Notion, and Zoom. The potential compromise is particularly concerning for accounts linked to HR systems, exposing highly sensitive personal and financial information.

Google initially classified the flaw as "intended behavior" but reopened the bug report on December 19, 2024, after further evaluation. The tech giant awarded Dylan Ayrey a bounty of $1,337 and has labeled the issue as an "abuse-related methodology with high impact."