As if losing your job when the startup you work for collapses isn’t bad enough, now a security researcher has found that employees at failed startups are at particular risk of having their data stolen. This ranges from their private Slack messages to Social Security numbers and possibly bank accounts.
The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps track data leaks when attackers obtain credentials (e.g., API keys, passwords, and tokens).
Ayrey is also a rising star in the bug-hunting world. Last week, at the security conference ShmooCon, he gave a talk about a flaw he found in Google OAuth, the technology behind “Sign in with Google” that people can use instead of passwords.
Ayrey gave his talk after he had reported the vulnerability to Google and to other companies that may have been affected, and he was able to share details because Google does not prohibit bug hunters from talking about their findings. (Google’s decade-old Project Zero, for example, often publicizes flaws it finds in other tech giants’ products, such as Microsoft Windows.)
He discovered that if malicious hackers bought a failed startup’s inactive domains, they could use them to log into cloud software configured to allow every employee in the company access to things like the company’s chat or video apps. From there, many of these apps offer company directories or user information pages where hackers can discover real emails of former employees.
Armed with the domain and those emails, hackers can use the “sign in with Google” option to access the startup’s many cloud software apps, often finding more employee emails.
To test the flaw he found, Ayrey bought a failed startup’s domain and was able to use it to log into ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers.
“That’s probably the biggest threat,” Ayrey told TechCrunch, because data from cloud HR systems “is the easiest to monetize, and Social Security numbers and banking information and whatever else is in HR systems is probably the most likely to be targeted.” He said that old Gmail accounts or Google Docs created by employees, or any other data created with Google’s own apps, are not at risk, and Google confirmed this.
While any failed company with a domain for sale could be a victim, startup workers are particularly vulnerable because startups use Google’s apps and a lot of cloud software to run their businesses.
Ayrey calculates that hundreds of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research which found that 116,000 website domains are currently available for sale from failed tech startups.
Google’s OAuth configuration actually contains technology that should prevent the risks described by Ayrey, if SaaS cloud providers use it. This is called a “sub identifier” (the `sub` claim in the token Google issues), a string of numbers unique to each Google Account. Although an employee can have multiple email addresses associated with their work Google Account, the account should only ever have one sub identifier.
If configured, when the employee logs into a cloud software account using OAuth, Google sends both the email address and the sub identifier to identify the individual. So even if malicious hackers recreate the email addresses by controlling the domain, they cannot recreate these identifiers.
But Ayrey, working with an affected SaaS HR provider, discovered that this identifier was “unreliable,” as he puts it, meaning the HR provider saw it change in a very small percentage of cases: 0.04%. That may be statistically close to zero, but for an HR provider handling a large number of daily users it adds up to hundreds of failed logins per week, locking people out of their accounts. That’s why the cloud provider didn’t want to rely on Google’s sub identifier, Ayrey said.
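What the two account-lookup strategies described above look like in a relying party's login handler, as an added example that is not code from the article, from Truffle Security or from Google. The claim names (`iss`, `sub`, `email`, `email_verified`) are the real ones carried by a Google ID token; every value, user and domain below is constructed for the illustration. The hardened directory keys users on the (issuer, sub) pair, and when the e-mail matches an existing account but the sub does not (a re-created address on a re-registered domain, or the sub drift the HR provider reported) it routes the login to manual verification rather than either granting access or silently locking the person out.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-ins for the relevant claims of a Google ID token. The claim
# names are real; every value here is made up for the example.
ISSUER = "https://accounts.google.com"
LEGIT_LOGIN = {"iss": ISSUER, "sub": "100000000000000000001",
               "email": "alice@defunct-startup.example", "email_verified": True}
# Same address minted again on a re-registered domain: it is a new Google
# Account, so Google issues a different sub.
RECREATED_LOGIN = {"iss": ISSUER, "sub": "100000000000000000999",
                   "email": "alice@defunct-startup.example", "email_verified": True}
NEW_LOGIN = {"iss": ISSUER, "sub": "100000000000000000777",
             "email": "nobody@defunct-startup.example", "email_verified": True}


@dataclass
class User:
    user_id: int
    email: str
    issuer_sub: Optional[Tuple[str, str]] = None  # (iss, sub) captured at first login


def seed_users() -> Iterable[User]:
    # Constructed sample directory: one former employee who signed in before.
    return [User(1, "alice@defunct-startup.example", (ISSUER, "100000000000000000001"))]


class EmailKeyedDirectory:
    """Weak pattern: the asserted e-mail address *is* the identity."""

    def __init__(self, users: Iterable[User]):
        self.by_email: Dict[str, User] = {u.email: u for u in users}

    def login(self, claims: dict) -> Optional[User]:
        if not claims.get("email_verified"):
            return None
        # Whoever controls the domain can create this address again in a fresh
        # Workspace, and the identity provider will assert it as verified.
        return self.by_email.get(claims["email"])


class SubKeyedDirectory:
    """Hardened pattern: the identity is the stable (iss, sub) pair."""

    def __init__(self, users: Iterable[User]):
        users = list(users)
        self.by_sub = {u.issuer_sub: u for u in users if u.issuer_sub}
        self.by_email = {u.email: u for u in users}

    def login(self, claims: dict) -> Tuple[Optional[User], str]:
        if not claims.get("email_verified"):
            return None, "unverified_email"
        user = self.by_sub.get((claims["iss"], claims["sub"]))
        if user is not None:
            return user, "ok"
        if claims["email"] in self.by_email:
            # E-mail matches but sub does not: a re-created address, or (per
            # the HR provider in the article) a sub that drifted. Neither
            # auto-link nor silently lock out; hand off to step-up / manual
            # verification so a human decides.
            return None, "needs_verification"
        return None, "unknown"


def compare() -> Dict[str, object]:
    """Run the three constructed logins through both directories."""
    email_dir = EmailKeyedDirectory(seed_users())
    sub_dir = SubKeyedDirectory(seed_users())
    return {
        "email_keyed_recreated": email_dir.login(RECREATED_LOGIN) is not None,
        "sub_keyed_recreated": sub_dir.login(RECREATED_LOGIN)[1],
        "sub_keyed_legit": sub_dir.login(LEGIT_LOGIN)[1],
        "sub_keyed_new": sub_dir.login(NEW_LOGIN)[1],
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name}: {outcome}")
```

The e-mail-keyed directory lets the re-created address straight in; the sub-keyed one admits only the original account and flags the collision. The "needs_verification" branch is the practical answer to the 0.04% problem: the relying party keeps the stable identifier as the primary key without turning every mismatch into a hard lockout.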
Google disputes that sub identifiers ever change. Because this finding came from the cloud HR provider, not the researcher, it was not submitted to Google as part of the bug report. Google says that if it ever sees evidence that a sub identifier is unreliable, the company will address it.
But Google has also flip-flopped on how important the issue is. At first, Google dismissed Ayrey’s bug outright, immediately closing the ticket and saying it wasn’t a bug but a “fraudulent” issue. Google was not entirely wrong. This risk is caused by hackers controlling domains and misusing email accounts created through them. Ayrey didn’t take issue with Google’s initial decision, calling it a data privacy issue where Google’s OAuth software worked as intended even though users could still be hurt. “It’s not cut and dry,” he said.
But three months later, just after his talk was accepted by ShmooCon, Google changed its mind, reopened the ticket and awarded Ayrey a $1,337 bounty. A similar thing happened to him in 2021, when Google reopened his ticket after he gave a popular talk about his findings at the cybersecurity conference Black Hat. Google went on to give Ayrey and his bug-finding partner, Allison Donovan, its third annual Security Researcher Award, which included $73,331.
Google has yet to issue a technical fix for the flaw, or a timeline for when one might come, and it’s unclear whether Google will ever make a technical change to address the issue. The company has, however, updated its documentation to require cloud providers to use the sub identifier. Google also offers instructions to founders on how to properly shut down Google Workspace and prevent these issues.
Ultimately, Google said, it is up to founders shutting down a company to ensure they properly shut down all of their cloud services. “We appreciate Dylan Ayrey’s help in identifying risks arising from customers forgetting to remove third-party SaaS services as part of their shutdown operations,” the spokesperson said.
Ayrey, a founder himself, understands why many founders don’t make sure to disable their cloud services. Closing a company is a complex process that can come at an emotionally painful time – many items are involved, from disposing of employee computers, to closing bank accounts, to paying taxes.
“The founders have to deal with closing the company; they probably won’t be able to think about everything they need to think about in a great head space,” Ayrey said.