Topic: Google, OAuth and recycled domains


madires (topic starter)
Google, OAuth and recycled domains
« on: January 15, 2025, 01:09:40 pm »
Millions of Accounts Vulnerable due to Google’s OAuth Flaw (https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw, includes link to Shmoocon talk).
 

Halcyon
Re: Google, OAuth and recycled domains
« Reply #1 on: February 06, 2025, 06:50:32 am »
Eh, I feel like this is blown out of proportion.

Firstly, if the defunct company was a user of various tools, unless they keep paying the bill (unlikely), their services will be terminated and ultimately deleted, along with their data.

I feel that whoever set up these services for these defunct companies in the first place wasn't doing things correctly. Things like secrets should never be exploitable after a domain or service stops existing (or even while it still exists).



« Last Edit: February 06, 2025, 07:05:48 am by Halcyon »
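The thread title refers to a relying party that treats the e-mail address (or the Workspace `hd` claim) in a Google ID token as the account identity: whoever re-registers a lapsed domain can re-create the same addresses and inherit the old accounts. The block below is an added example, not code from the forum thread or from the Truffle Security post it links. It assumes the ID token's signature, issuer, audience and expiry have already been verified (for instance with google-auth's `verify_oauth2_token`) and only models what the relying party does with the resulting claims; the account store, the domain `defunct-company.example` and the `sub` values are constructed for the demonstration. It shows the e-mail-keyed lookup next to a lookup keyed on `sub`, the claim OpenID Connect defines as the stable per-user identifier.

```python
"""Account lookup for a "Sign in with Google" relying party.

Added example (not from the forum thread or the post it links). Assumes the
ID token was already verified cryptographically; only the handling of the
decoded claims is modelled here. All identities below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    sub: str            # Google's stable per-user identifier (OIDC `sub`)
    email: str
    hd: Optional[str]   # Workspace hosted domain, if any


class RelyingParty:
    def __init__(self) -> None:
        self.by_sub: dict[str, Account] = {}
        self.by_email: dict[str, Account] = {}  # legacy index, see login_by_email

    # --- weak pattern: identity == e-mail address ---------------------------
    def login_by_email(self, claims: dict) -> Optional[Account]:
        """Returns whichever account carries this e-mail. Whoever now controls
        the domain can mint the same address, so they inherit the old account."""
        if not claims.get("email_verified"):
            return None
        return self.by_email.get(claims["email"].lower())

    # --- hardened pattern: identity == `sub` --------------------------------
    def login(self, claims: dict) -> tuple[str, Optional[Account]]:
        """Returns (outcome, account). Outcomes:
        'ok'        existing account matched by sub
        'created'   first login for this sub
        'collision' e-mail already belongs to a different sub: treat as a
                    possible recycled domain and do not link automatically
        'rejected'  missing or unverified claims
        """
        sub = claims.get("sub")
        email = claims.get("email", "").lower()
        if not sub or not email or not claims.get("email_verified"):
            return "rejected", None

        acct = self.by_sub.get(sub)
        if acct is not None:
            return "ok", acct

        # New sub. If the address is already on file under another sub, the
        # domain (and with it the address and the hd claim) may have changed
        # hands. hd is inherited by the new domain owner, so it cannot break
        # the tie; only sub distinguishes the two Google accounts.
        existing = self.by_email.get(email)
        if existing is not None and existing.sub != sub:
            return "collision", None

        acct = Account(sub=sub, email=email, hd=claims.get("hd"))
        self.by_sub[sub] = acct
        self.by_email[email] = acct
        return "created", acct


# Constructed claim sets: an original employee, then a login from the same
# address after the domain was re-registered by someone else.
ORIGINAL_EMPLOYEE = {
    "sub": "100000000000000000001",
    "email": "alice@defunct-company.example",
    "email_verified": True,
    "hd": "defunct-company.example",
}
NEW_DOMAIN_OWNER = {
    "sub": "100000000000000000002",   # a freshly created Google account
    "email": "alice@defunct-company.example",
    "email_verified": True,
    "hd": "defunct-company.example",  # same hd: the domain itself was recycled
}


def demo() -> dict:
    rp = RelyingParty()
    first, _ = rp.login(ORIGINAL_EMPLOYEE)
    again, _ = rp.login(ORIGINAL_EMPLOYEE)
    weak = rp.login_by_email(NEW_DOMAIN_OWNER)   # hands over Alice's account
    strong, _ = rp.login(NEW_DOMAIN_OWNER)      # flagged instead
    return {
        "first": first,
        "again": again,
        "email_keyed_grants_old_account": weak is not None
        and weak.sub == ORIGINAL_EMPLOYEE["sub"],
        "sub_keyed": strong,
    }


if __name__ == "__main__":
    print(demo())
```

The `collision` outcome is deliberately not resolved in code: what to do when a known address arrives with a new `sub` (manual re-verification, admin approval, or a hard refusal) is a product decision, and an existing deployment that keyed on e-mail has to migrate its stored accounts to `sub` before this check can protect them.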
 

Siwastaja
Re: Google, OAuth and recycled domains
« Reply #2 on: February 06, 2025, 07:53:14 am »
Quote
Firstly, if the defunct company was a user of various tools, unless they keep paying the bill (unlikely), then their services will be terminated and ultimately, deleted, along with their data.

Many services are billed annually and/or could have "money in" for a year or even longer; after that runs out, they don't just delete data and prevent access, they transition into "free versions", with data still available. Besides, some services are completely free of cost.

Quote
I feel, whoever set up these services for these defunct companies in the first place, wasn't doing things correctly.

It is easy to blame them, but it's not an obvious vulnerability at all. I mean, even you fail to recognize it as a serious vulnerability:

Quote
Eh, I feel like this is blown out of proportion.

I never thought about this either. And probably the other 99% of system admins haven't either.

It's not like Google is the only one responsible for this mess, but I always had a feeling that easy centralized log-in could be a colossally bad idea security-wise. But you don't get fired for buying IBM OAuth.
 

Halcyon
Re: Google, OAuth and recycled domains
« Reply #3 on: February 06, 2025, 10:56:08 am »
Even with the disclosure, I'm not about to start scrambling and doing things differently. It's a matter of monitoring it, like any number of vulnerabilities that come out every week, and, if needed, changing the way you do things as a CIO/CTO/Head of IT. Which brings me to a point I've been making for years: senior leadership should understand their craft to some degree, and not simply be a "leader".
« Last Edit: February 06, 2025, 10:57:42 am by Halcyon »
 

