Employees of failed startups are especially at risk of personal data being stolen through outdated Google logins


By [email protected]


As if losing your job when the startup you’re working for folds isn’t bad enough, a security researcher has now found that employees at failed startups are particularly at risk of having their data stolen. This ranges from their Slack messages to Social Security numbers, and perhaps bank accounts.

The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is known as the creator of the popular open source TruffleHog project, which scans code repositories and other data for leaked credentials (API keys, passwords, tokens) before attackers can find and use them.

Ayrey is also a rising star in the world of bug hunting. Last week at the ShmooCon security conference he gave a talk about a flaw he discovered in Google OAuth, the technology behind “Sign in with Google,” which people can use instead of passwords.

Ayrey gave his talk after reporting the vulnerability to Google and to other companies that could be affected, and was able to share its details because Google does not prevent bug hunters from talking about their findings. (Google’s own decade-old Project Zero team, for example, routinely publishes the flaws it finds in other tech giants’ products, such as Microsoft Windows.)

He discovered that if malicious hackers bought the lapsed domain of a failed startup, they could use it to log into cloud software that had been configured to grant access to every employee of the company, such as a company chat or video app. From there, many of these applications expose company directories or user information pages where a hacker can discover the actual email addresses of former employees.

With control of the domain and a list of those email addresses, hackers can re-create the mailboxes and use the “Sign in with Google” option to access many of the startup’s other cloud software applications, often harvesting still more employee email addresses along the way.

To test the flaw, Ayrey bought a failed startup’s domain and was able to log in to ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers.

This is perhaps the biggest threat, as data from a cloud HR system is “the easiest way to monetize, and it’s very likely that Social Security numbers, banking information, and anything else that’s in HR systems” will be targeted, Ayrey told TechCrunch. He said that old Gmail accounts, Google Docs created by employees, or any data created using Google applications, are not at risk, and Google confirmed this.

While any failed company with a domain to sell can fall prey, startup employees are particularly vulnerable because startups tend to run their businesses on Google Workspace and a lot of other cloud software.

Ayrey estimates that tens of thousands of former employees are at risk, as well as millions of SaaS accounts. This is based on his research, which found that 116,000 website domains from failed technology startups are currently available for sale.

Prevention is available but not perfect

Google already has a mechanism in its OAuth flow that would prevent the risk Ayrey identified, if cloud SaaS providers used it. It’s called the “sub identifier” (the subject claim in the ID token Google returns at sign-in), and it’s a string of numbers that is unique to each Google account. Although an employee may have multiple email addresses attached to their work Google account, the account only ever has one sub ID.

When an employee signs in to a cloud software account using OAuth, Google sends both the email address and the sub ID to identify the person. A provider that keys accounts on the sub ID rather than the email address is protected: even if malicious hackers re-create the email addresses using their control of the domain, the new Google accounts get new sub IDs, and they cannot recreate the old ones.

But Ayrey, working with one of the affected HR SaaS providers, discovered that this identifier was “untrusted,” as he put it, meaning the HR provider found it changed in a very small percentage of cases: 0.04%. That may be close to zero, but for an HR provider handling large numbers of logins every day it adds up to hundreds of failed logins a week, locking people out of their accounts. This is why that cloud service provider does not want to rely on Google’s sub identifier, Ayrey said.

Google disputes that the sub identifier ever changes. Because this finding came from the HR cloud provider rather than the researcher, it was not included in the bug report sent to Google. Google says that if it sees evidence that the sub identifier is unreliable, the company will address it.
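The difference between the two account-lookup strategies described above, as an added example that is not from the article or from any of the vendors it mentions. The code compares a lookup keyed on the email address (the pattern the article says the affected SaaS apps use) with one keyed on the Google issuer plus the `sub` claim, and shows how the latter treats the edge case the HR provider raised: an email that matches a known account but a `sub` that does not. The account store, the claims dictionaries, the domain `failedstartup.example` and the `sub` values are all constructed sample data; a real implementation gets the claims from a signature-verified Google ID token, which is assumed to have happened already.

```python
# Added example: "Sign in with Google" account lookup keyed on the OIDC `sub`
# claim instead of the email address. Not code from the article or any vendor.
# All accounts, claims, domains and sub values below are constructed sample data.
# Assumption: `claims` is the payload of a Google ID token whose signature,
# audience and expiry have already been verified.
from dataclasses import dataclass
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class SubMismatch(Exception):
    """The email matches a known account but the Google `sub` does not."""


@dataclass
class Account:
    account_id: str
    email: str
    google_sub: Optional[str]  # recorded when the account was provisioned


class AccountStore:
    def __init__(self):
        self._by_email = {}
        self._by_sub = {}

    def add(self, acct):
        self._by_email[acct.email.lower()] = acct
        if acct.google_sub:
            self._by_sub[acct.google_sub] = acct

    def by_email(self, email):
        return self._by_email.get(email.lower())

    def by_sub(self, sub):
        return self._by_sub.get(sub)


def _check_issuer(claims):
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("not a Google ID token")


def login_by_email(store, claims):
    """Weak pattern: identity is the email address. Whoever re-registers the
    domain and re-creates the mailbox in a new Workspace tenant gets a token
    with the same verified email and is logged into the old account."""
    _check_issuer(claims)
    if not claims.get("email_verified"):
        return None
    return store.by_email(claims["email"])


def login_by_sub(store, claims):
    """Hardened pattern: identity is (issuer, sub). A re-created mailbox is a
    new Google account with a new sub, so it cannot reach the old account."""
    _check_issuer(claims)
    acct = store.by_sub(claims["sub"])
    if acct is not None:
        return acct
    collision = store.by_email(claims.get("email", ""))
    if collision is None:
        return None  # unknown user: send to signup, do not touch existing data
    # Email collides with an existing account but the sub differs. This is
    # either the domain-takeover case from the article or the rare genuine
    # sub change the HR provider reported. Either way it needs out-of-band
    # verification; never silently fall back to the email match.
    raise SubMismatch(
        f"sub {claims['sub']!r} does not match account {collision.account_id}"
    )


# Constructed sample data: one former employee provisioned while the startup
# still owned its domain.
STORE = AccountStore()
STORE.add(Account("acct-001", "alice@failedstartup.example", "103847261903847261903"))

ORIGINAL_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "103847261903847261903",
    "email": "alice@failedstartup.example",
    "email_verified": True,
    "hd": "failedstartup.example",
}

# The same mailbox re-created by whoever bought the lapsed domain. Google issues
# a fresh sub for the new account; note that `hd` (hosted domain) still matches,
# so checking it offers no protection in this scenario.
TAKEOVER_CLAIMS = {**ORIGINAL_CLAIMS, "sub": "117263948571263948571"}


if __name__ == "__main__":
    print("email lookup:", login_by_email(STORE, TAKEOVER_CLAIMS))  # old account
    try:
        login_by_sub(STORE, TAKEOVER_CLAIMS)
    except SubMismatch as exc:
        print("sub lookup blocked:", exc)
```

Accounts that pre-date the provider's use of the `sub` claim have no recorded value to compare against; linking them on first OIDC login would reintroduce the email-only behaviour, so such accounts need a step-up check (an existing password or session) before a `sub` is recorded, which the block above does not attempt to show.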

Google changes its mind

But Google has also gone back and forth on how important the issue is at all. Initially, Google dismissed Ayrey’s report outright, closing the ticket immediately and saying it was not a bug but a “fraud” issue. Google wasn’t entirely wrong. The risk comes from hackers taking control of domains and abusing the email accounts they re-create under them. Ayrey didn’t begrudge Google its initial decision, calling it a data privacy issue in which Google’s OAuth software works as intended even though users are still exposed to harm. “This is not cut and dry,” he said.

But three months later, right after ShmooCon accepted his talk, Google changed its mind, reopened the ticket, and paid Ayrey a $1,337 reward. Something similar happened to him in 2021, when Google reopened his ticket after he gave a wildly popular talk about his findings at the Black Hat cybersecurity conference. Google even awarded Ayrey and his bug-finding partner Allison Donovan third prize in its annual Security Researcher Awards (plus $73,331).

Google has not yet released a technical fix for the bug, nor a timeline for one, and it’s not clear whether Google will make a technical change to address the issue at all. However, the company has updated its documentation to tell cloud providers to use the sub identifier. Google also offers directions for founders on how to properly close a Google Workspace account for a business and prevent the problem.

Ultimately, Google says, the solution is for founders closing a company to make sure they have properly shut down all of its cloud services. “We appreciate Dylan Ayrey’s assistance in identifying the risks resulting from customers forgetting to delete third-party SaaS services as part of deprecation of their operations,” the spokesperson said.

Ayrey, a founder himself, understands why many founders may not think to shut down their cloud services. Closing a company is a complex process undertaken during a period that can be emotionally traumatic, and it involves many tasks, from disposing of employee computers, to closing bank accounts, to paying taxes.

“When a founder has to deal with a company closing, they probably don’t have as much mental space to be able to think about all the things they need to think about,” Ayrey says.
