Thursday, 24 April 2025
26.1 C
Singapore
29 C
Thailand
19 C
Indonesia
28.4 C
Philippines

Employees of failed startups risk data theft through Google logins

Former employees of failed startups face risks of data theft due to a Google login flaw. Learn about the issue and how to protect yourself.

Losing your job at a failed startup is hard enough, but now there’s a growing concern about a hidden threat: the potential for your personal data to be stolen. This includes sensitive details like private messages, Social Security numbers, and bank account information.

A discovery with alarming implications

Security researcher Dylan Ayrey, co-founder and CEO of Truffle Security, uncovered this vulnerability. Ayrey is recognised for creating TruffleHog, an open-source project that monitors data leaks involving API keys, passwords, and tokens. After notifying Google and the affected companies, his findings were presented at the ShmooCon security conference.

The vulnerability lies in how Google OAuth, used for “Sign in with Google,” handles domain-level access. If cybercriminals purchase failed startups’ expired domains, they could log in to cloud-based software linked to those domains. These apps, ranging from Slack to HR systems, often hold critical employee data.

Ayrey tested his theory by acquiring the domain of a defunct startup. Using it, he gained access to applications such as ChatGPT, Zoom, and an HR platform that contained Social Security numbers. He noted that the biggest threat is the monetisable data stored in HR systems, such as banking information.

Thankfully, Google confirmed that data stored in personal Gmail accounts or Google Docs is not at risk. However, startups are particularly vulnerable because they often rely heavily on Google’s tools and cloud-based services. Ayrey estimates that tens of thousands of former employees and millions of accounts could be affected, given the 116,000 startup domains currently available for sale.

Limited solutions to a significant problem

Google’s OAuth configuration includes a feature called a “sub-identifier,” which uniquely identifies each Google account. This mechanism should, in theory, prevent unauthorised access, even if hackers recreate email addresses.

However, Ayrey found issues with this system. Collaborating with an affected HR provider, he discovered that sub-identifiers occasionally changed, albeit in a tiny percentage of cases (0.04%). This inconsistency could lock out hundreds of users weekly for large platforms, leading some providers to forgo the feature.

Google disputes these findings, claiming that sub-identifiers do not change. However, as the HR provider reported the issue and not directly through Ayrey’s bug report, it remains unresolved.

Google’s response

Initially, Google dismissed Ayrey’s findings, calling the issue a “fraud” risk rather than a bug. Ayrey acknowledged this perspective, noting that Google’s OAuth system worked as designed, but the vulnerability highlighted broader data privacy concerns.

Three months later, Google reconsidered and awarded Ayrey a US$1,337 bounty for his discovery. This wasn’t the first time his findings were reconsidered—he faced a similar situation in 2021 when a talk at Black Hat prompted Google to acknowledge his work and award him third prize in their annual security research competition.

Despite recognising the issue, Google has not released a technical fix. The company has updated its guidance, encouraging cloud providers to use sub-identifiers, but has not announced further plans.

You may be at risk if you’ve worked at a failed startup. Ayrey advises employees to secure their accounts by updating passwords and unlinking old “Sign in with Google” connections from inactive domains. Being proactive can help mitigate these risks as the tech world waits for broader fixes.

Hot this week

OpenAI looked at Cursor before moving to buy Windsurf for US$3B

OpenAI tried to buy Cursor creator Anysphere before turning to Windsurf for US$3B, showing its urgency to lead AI code generation.

CeMAT Southeast Asia returns to Singapore to showcase the future of logistics and automation

CeMAT Southeast Asia 2025 will showcase innovations in logistics and automation, addressing rising complexities and tariffs within the supply chain.

ChatGPT joins forces with The Washington Post in new content partnership

OpenAI partners with The Washington Post to bring trusted news summaries to ChatGPT, offering better access to reliable information.

Bethesda releases The Elder Scrolls IV: Oblivion Remastered – and you can play it now

Bethesda released Oblivion Remastered, which features full visual upgrades and quality-of-life improvements and is now available across major platforms.

Intel prepares for major layoffs ahead of Q1 earnings

Intel plans to cut over 21,000 jobs this week, aiming to rebuild its focus and engineering culture under new CEO Lip-Bu Tan.

POCO launches entry-level C71 smartphone in Singapore with premium features

POCO launches the budget-friendly C71 smartphone in Singapore, offering premium design, enhanced cameras, and smooth performance at S$109.

NVIDIA uses AI to address climate, wildlife and disaster risks

NVIDIA’s AI tools support climate action, wildlife monitoring, and disaster risk mitigation, with uses spanning sea, land, sky and space.

Netflix raises subscription prices in Singapore again

Netflix again raises subscription prices in Singapore, with new rates for all plans and extra member slots.

GameMax unveils Blade Concept ATX case with bold design and powerful features

GameMax launches the Blade Concept ATX case, which features a striking blade design, RGB lighting, and support for high-end liquid-cooled PC builds.

Related Articles

Popular Categories