- Startups and Google Workspace: Lots of startups use Google's Workspace for email and back-office matters, and many business-minded webapps use Google's OAuth for sign-in. But when startups fail and their domains go up for sale, the Google Workspace accounts tied to those domains are often not shut down properly.
- Problem Seriousness: Dylan Ayrey of Truffle Security Co. believes this is a more serious problem than realized. Startups often make the mistake of not properly closing their accounts on Google and other web-based apps before domains expire.
- Access to Sensitive Data: With admin access to re-activated Google accounts on a repurchased domain, one can sign in to services such as Slack, ChatGPT, Zoom, and HR systems that accept Google login. Ayrey bought a defunct startup domain and accessed sensitive materials this way.
- Google's Response: A Google spokesperson said they recommend customers properly close out domains following instructions. Canceling Google Workspace doesn't remove user accounts until the organization's Google account is deleted. Google's initial response to Ayrey's findings was to set the status to "Won't Fix (Intended Behavior)", but later re-opened the issue and paid a reward.
- Issue with "sub": Google points to "sub" as a unique user identifier that shouldn't change and should be used for user identification. But an unnamed staff engineer at a major tech company disagrees, suggesting it varies in about 0.04% of logins. Ayrey's tests showed that "sub" didn't prevent him from getting access. His proposed fix is to include two new immutable identifiers. As of January 14, he hadn't heard from Google about potential fixes.
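As an added illustration of the "sub" point above (example code, not from the article, from Google, or from Truffle Security), the following Python login check keys user identity on the `sub` claim rather than on the email address, and flags the case where a known email arrives with an unfamiliar `sub`, which is what a re-created Workspace account on a repurchased domain looks like to a relying party. The user table and claim dictionaries are constructed; a real implementation would verify the ID token's signature, `iss`, `aud` and `exp` before trusting any claim.

```python
from dataclasses import dataclass


@dataclass
class User:
    sub: str    # Google's account identifier, the key this app trusts
    email: str  # email at first login; may legitimately change later
    hd: str     # hosted-domain claim seen at first login


# Constructed sample user table for a relying party (not real accounts).
USERS = {
    "110001": User(sub="110001",
                   email="alice@defunct-startup.example",
                   hd="defunct-startup.example"),
}


def resolve_login(claims: dict, users: dict) -> str:
    """Decide how to treat an already signature-verified ID-token payload.

    Returns one of:
      "login"                - sub matches a known user
      "new_user"             - neither sub nor email seen before
      "needs_reverification" - email is known but arrives with a different
                               sub; do not auto-link to the existing account
    """
    sub = claims["sub"]
    # Only trust the email for matching when Google says it is verified.
    email = claims.get("email", "").lower() if claims.get("email_verified") else ""

    if sub in users:
        # Stable identifier matched: normal login, regardless of email drift.
        return "login"

    for user in users.values():
        if email and user.email.lower() == email:
            # Same address, different Google account: likely a re-created
            # user on a re-registered domain. Require an out-of-band check
            # instead of handing over the old account.
            return "needs_reverification"

    return "new_user"
```

A practical companion check is to compare the `hd` claim and the account's creation time against what was recorded at first login, since a re-created Workspace user will not share the original account's history.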