
The web has a lot to give, but signing up for every service can become a burden.
"Sign in with Google" is a convenient authentication method that lets users log into apps, websites, or services with their Google account credentials. Creating a new account for every service may seem logical, but many people prefer "Sign in with Google" for reasons that outweigh the perceived benefits of separate accounts.
The feature simplifies the login process: users don't need to create or remember a separate username and password for each platform.
It is built on Google OAuth, the underlying technology behind "Sign in with Google."
OAuth (short for Open Authorization) is an open standard that allows users to grant apps or services limited access to their account information without sharing their passwords.
And it had a flaw that attackers could exploit.

According to Truffle Security co-founder and CEO Dylan Ayrey in a blog post:
"And while you can't access old email data, you can use those accounts to log into all the different SaaS products that the organization used."
Google's OAuth login can be embedded in third-party websites and apps, each of which relies on specific identifiers in the login response to decide whether to sign a user in.
However, it cannot protect against someone purchasing a failed startup's domain and using it to re-create email accounts for former employees.
Ayrey said that he purchased defunct domains and found that signing in with the re-created accounts granted him access to former employees' accounts on ChatGPT, Slack, Notion, Zoom, HR systems (containing social security numbers), and more.
In other words, Google's "Sign in with Google" authentication can be exploited by attackers to gain access to abandoned accounts.

All an attacker had to do was purchase an abandoned domain; ownership of it was enough to reach the sensitive user data tied to that domain's Google accounts.
Making matters worse, Ayrey said that he went through Crunchbase's startup dataset and found over 100,000 domains from failed startups currently available for purchase. If each failed startup averaged 10 employees over its lifetime and used 10 different SaaS services, this translates to more than 10 million accounts.
The issue stems from Google's OpenID Connect (OIDC) claims lacking two immutable identifiers, which Google could implement:
- A unique user ID that doesn't change over time.
- A unique workspace ID tied to the domain.

Ayrey added:
"Without immutable identifiers for users and workspaces, domain ownership changes will continue to compromise accounts."
In a statement, a Google spokesperson said the company recommends that customers follow security best practices and wipe all user data when an account is closed, so that the data is no longer accessible.
"We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation," the spokesperson said.
"As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best practices by using the unique account identifiers (sub) to mitigate this risk."
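The identifier problem described above, and Google's advice to key on the `sub` claim, as an added example that is not code from the article, from Truffle Security, or from Google. It contrasts a SaaS login handler that matches accounts by email address with one that matches only on the immutable `sub` claim; the claim dictionaries are constructed samples, and signature and issuer checks on the ID token are assumed to have already been done.

```python
# Added example (not from the article): account matching on an OIDC ID token.
# Claim dicts below are constructed; token signature/issuer verification is
# assumed to have happened before these functions are called.
from dataclasses import dataclass, field


@dataclass
class UserStore:
    by_email: dict = field(default_factory=dict)  # lookup the vulnerable handler uses
    by_sub: dict = field(default_factory=dict)    # lookup the hardened handler uses

    def create(self, claims):
        account = {"sub": claims["sub"], "email": claims["email"]}
        self.by_email[claims["email"]] = account
        self.by_sub[claims["sub"]] = account
        return account


def login_by_email(store, claims):
    """Vulnerable: the email address is the account key, so whoever later owns
    the domain and re-creates the same address inherits the account."""
    if not claims.get("email_verified"):
        return None
    return store.by_email.get(claims["email"])


def login_by_sub(store, claims):
    """Hardened: only the immutable 'sub' claim links a token to an account.
    Returns (status, account); an email collision with a different 'sub' is
    reported for logging and review instead of being silently linked."""
    if not claims.get("email_verified"):
        return "unverified_email", None
    account = store.by_sub.get(claims["sub"])
    if account is not None:
        return "ok", account
    clash = store.by_email.get(claims["email"])
    if clash is not None and clash["sub"] != claims["sub"]:
        return "email_reused_by_new_sub", None  # the domain-takeover signature
    return "unknown_user", None


# Constructed scenario: a former employee's token, then a token for the same
# address re-created by the buyer of the lapsed domain (a different 'sub').
FORMER_EMPLOYEE = {"sub": "1001", "email": "alice@startup.example", "email_verified": True}
NEW_DOMAIN_OWNER = {"sub": "2002", "email": "alice@startup.example", "email_verified": True}


def demo():
    store = UserStore()
    store.create(FORMER_EMPLOYEE)
    inherited = login_by_email(store, NEW_DOMAIN_OWNER)  # Alice's account is handed over
    status, account = login_by_sub(store, NEW_DOMAIN_OWNER)
    return inherited["sub"], status, account
```

The `email_reused_by_new_sub` status is the event worth alerting on: a verified email that already belongs to a different Google subject is exactly the pattern a re-registered domain produces.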