Thursday, 3 April 2025
24.9 C
Singapore
26.8 C
Thailand
20.7 C
Indonesia
26.9 C
Philippines

Employees of failed startups risk data theft through Google logins

Former employees of failed startups face risks of data theft due to a Google login flaw. Learn about the issue and how to protect yourself.

Losing your job at a failed startup is hard enough, but now thereโ€™s a growing concern about a hidden threat: the potential for your personal data to be stolen. This includes sensitive details like private messages, Social Security numbers, and bank account information.

A discovery with alarming implications

Security researcher Dylan Ayrey, co-founder and CEO of Truffle Security, uncovered this vulnerability. Ayrey is recognised for creating TruffleHog, an open-source project that monitors data leaks involving API keys, passwords, and tokens. After notifying Google and the affected companies, his findings were presented at the ShmooCon security conference.

The vulnerability lies in how Google OAuth, used for โ€œSign in with Google,โ€ handles domain-level access. If cybercriminals purchase failed startups’ expired domains, they could log in to cloud-based software linked to those domains. These apps, ranging from Slack to HR systems, often hold critical employee data.

Ayrey tested his theory by acquiring the domain of a defunct startup. Using it, he gained access to applications such as ChatGPT, Zoom, and an HR platform that contained Social Security numbers. He noted that the biggest threat is the monetisable data stored in HR systems, such as banking information.

Thankfully, Google confirmed that data stored in personal Gmail accounts or Google Docs is not at risk. However, startups are particularly vulnerable because they often rely heavily on Googleโ€™s tools and cloud-based services. Ayrey estimates that tens of thousands of former employees and millions of accounts could be affected, given the 116,000 startup domains currently available for sale.

Limited solutions to a significant problem

Googleโ€™s OAuth configuration includes a feature called a โ€œsub-identifier,โ€ which uniquely identifies each Google account. This mechanism should, in theory, prevent unauthorised access, even if hackers recreate email addresses.

However, Ayrey found issues with this system. Collaborating with an affected HR provider, he discovered that sub-identifiers occasionally changed, albeit in a tiny percentage of cases (0.04%). This inconsistency could lock out hundreds of users weekly for large platforms, leading some providers to forgo the feature.

Google disputes these findings, claiming that sub-identifiers do not change. However, as the HR provider reported the issue and not directly through Ayreyโ€™s bug report, it remains unresolved.

Googleโ€™s response

Initially, Google dismissed Ayreyโ€™s findings, calling the issue a โ€œfraudโ€ risk rather than a bug. Ayrey acknowledged this perspective, noting that Googleโ€™s OAuth system worked as designed, but the vulnerability highlighted broader data privacy concerns.

Three months later, Google reconsidered and awarded Ayrey a US$1,337 bounty for his discovery. This wasnโ€™t the first time his findings were reconsideredโ€”he faced a similar situation in 2021 when a talk at Black Hat prompted Google to acknowledge his work and award him third prize in their annual security research competition.

Despite recognising the issue, Google has not released a technical fix. The company has updated its guidance, encouraging cloud providers to use sub-identifiers, but has not announced further plans.

You may be at risk if youโ€™ve worked at a failed startup. Ayrey advises employees to secure their accounts by updating passwords and unlinking old โ€œSign in with Googleโ€ connections from inactive domains. Being proactive can help mitigate these risks as the tech world waits for broader fixes.

Hot this week

China-aligned hacker group FamousSparrow resurfaces in cyberattacks

ESET finds China-linked hacker group FamousSparrow still active with upgraded tools, targeting institutions in the US, Mexico and Honduras.

OpenAI pauses free GPT-4o image generation after viral Studio Ghibli trend

OpenAI halts free GPT-4o image generation after viral Studio Ghibli trend raises legal concerns, leaving paid users with continued access.

OpenAI secures US$40 billion in funding at US$300 billion valuation

OpenAI secures US$40B, reaching a US$300B valuation, to advance AI research and expand Stargate.

Sony unveils WF-C710N earbuds with improved battery life and noise cancellation

Sony announces the WF-C710N earbuds, which offer better battery life and noise cancellation, and new colours for the WH-CH720N and WH-CH520 headphones.

Krafton strengthens presence in India with Nautilus Mobile acquisition

Krafton acquires a controlling stake in Indian gaming studio Nautilus Mobile for US$14M, strengthening its foothold in Indiaโ€™s growing gaming market.

Qualcomm expands AI research with MovianAI acquisition

Qualcomm has acquired Vietnamese AI research firm MovianAI to boost its AI development in smartphones, PCs, and software-defined vehicles.

Roblox introduces new parental controls to enhance child safety

Roblox introduces new parental controls, allowing parents to block games, restrict friends, and monitor their childโ€™s activity for better safety.

Anthropic introduces Claude for Education, a new AI chatbot plan for universities

Anthropic launches Claude for Education, an AI chatbot plan for universities that offers advanced learning tools and administration support.

Exabeam introduces Nova, an agentic AI that boosts cybersecurity operations

Exabeam unveils Nova, a proactive AI agent that boosts security team productivity and reduces incident investigation time by over 50%.

Related Articles