Vulnerability Found in Google Authentication System

A significant vulnerability in Google's 'Sign in with Google' authentication system poses a risk to millions of users, particularly those affiliated with failed startups. Researchers from Truffle Security found that attackers can purchase the domains of defunct startups and recreate email accounts for former employees, allowing unauthorized access to various Software-as-a-Service (SaaS) platforms such as Slack, Notion, and Zoom. Although Google initially dismissed the flaw as a non-issue, it later reopened the case and awarded a bounty to the researchers; however, the vulnerability remains unaddressed. This security gap does not allow access to old emails but enables attackers to extract sensitive data from HR systems, including Social Security numbers and tax documents. Experts warn that users should be cautious when using the OAuth login system, especially if they have worked for startups that have ceased operations. The research indicates that there are over 116,000 defunct domains that could potentially be exploited in this manner.