As if losing your job when the startup you worked for folds isn't bad enough, now a security researcher has discovered that employees at failed startups are especially at risk of having their data stolen. This ranges from their private Slack messages to Social Security numbers and possibly even bank accounts.
The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps monitor for data leaks when bad actors obtain login credentials (i.e. API keys, passwords, and tokens).
Ayrey is also a rising star in the bug hunting world. Last week at the security conference ShmooCon, he gave a talk about a flaw he found in Google OAuth, the technology behind "Sign in with Google" that allows people to use it in place of a password.
Ayrey spoke after reporting the vulnerability to Google and other potentially affected companies, and was able to share details of the vulnerability because Google does not prohibit its bug hunters from talking about their findings. (Google's decade-old Project Zero, for example, often showcases flaws it finds in other tech giants' products, like Microsoft's Windows.)
He found that if malicious hackers purchased the expired domain names of a failed startup, they could use them to log into cloud software, such as corporate chat or video applications, that was configured to allow every employee in the company to access it. From there, many apps offer company directories or user information pages where hackers can discover former employees' actual emails.
Armed with the domain names and these emails, hackers were able to use the "Sign in with Google" option to access many of the startup's cloud software applications, often uncovering more employee emails.
To test the flaw he discovered, Ayrey purchased the domain name of a failed startup and was able to log into ChatGPT, Slack, Notion, Zoom, and an HR system that contained Social Security numbers.
"This is probably the biggest threat," Ayrey told TechCrunch, because data from cloud HR systems "is the easiest to monetize, and Social Security numbers, bank information, and other things in HR systems are very likely to be stolen." He said that no old Gmail accounts or Google Docs created by employees, or any data created using Google applications, were at risk, and Google confirmed this.
While any failed company selling domain names could be a casualty, startup employees are particularly vulnerable because startups tend to use Google apps and a host of cloud software to run their businesses.
Ayrey calculated that tens of thousands of former employees and millions of SaaS software accounts were at risk. This is based on his research, which found that there are currently 116,000 website domains for sale from failed tech startups.
In fact, there is technology in Google's OAuth configuration that, if used by SaaS cloud providers, should prevent the risks outlined by Ayrey. It's called a "sub-identifier," and it's a series of numbers unique to each Google Account. While an employee may have multiple email addresses attached to their work Google Account, the account can only ever have one sub-identifier.
If configured, when an employee logs in to a cloud software account using OAuth, Google will send an email address and sub-identifier to identify the person. So even if a malicious hacker recreates an email address with domain control, they shouldn't be able to recreate these identifiers.
But while working with one of the affected SaaS HR providers, Ayrey discovered that this identifier was, as he put it, "unreliable," meaning the HR provider found it changed on rare occasions: 0.04% of the time. Statistically, this number is probably closer to zero, but for HR providers dealing with large numbers of users every day, that translates into hundreds of failed logins every week, leaving people unable to access their accounts. That's why the cloud provider doesn't want to use Google's sub-identifiers, Ayrey said.
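The account-linking rule described above, written out as an added example (not code from the article, Google, or any of the providers named): a relying party keys accounts on the ID token's `sub` claim, and an email-only match is never auto-linked, which covers both a re-created address on a re-registered domain and the rare `sub` change the HR provider reported. The `UserStore`, `resolve_login` and the sample data are constructed for this illustration; the `sub`, `email` and `email_verified` claims are standard Google ID token fields.

```python
# Added example: keying SaaS accounts on the OAuth "sub" claim, not on email.
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    sub: str      # Google's stable per-account identifier
    email: str    # current address; may be re-created by a new domain owner


@dataclass
class UserStore:
    by_sub: dict = field(default_factory=dict)
    by_email: dict = field(default_factory=dict)

    def add(self, user: UserRecord) -> None:
        self.by_sub[user.sub] = user
        self.by_email[user.email.lower()] = user


def resolve_login(store: UserStore, claims: dict) -> tuple:
    """Decide what to do with an already-verified ID-token payload.

    Assumes signature, issuer, audience and expiry were checked upstream.
    Returns ("login", user), ("reject", reason) or ("new", None).
    """
    sub = claims.get("sub")
    email = claims.get("email", "").lower()
    if not sub:
        return ("reject", "missing sub claim")
    if not claims.get("email_verified", False):
        return ("reject", "email not verified by the identity provider")
    user = store.by_sub.get(sub)
    if user is not None:
        return ("login", user)          # sub matched: this is the same account
    if email in store.by_email:
        # Known email, unknown sub: either the address was re-created under a
        # re-registered domain, or sub really changed (the rare 0.04% case).
        # Either way, never auto-link on email; route to manual re-verification.
        return ("reject", "sub mismatch for known email; manual verification required")
    return ("new", None)                # nothing matched: treat as a fresh signup


def sample_store() -> UserStore:
    """Constructed sample data: one former employee of a hypothetical startup."""
    store = UserStore()
    store.add(UserRecord(sub="100000000000000000001", email="alice@failed-startup.example"))
    return store
```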
Google disputes the claim that the sub-identifier ever changed. Because this discovery came from the HR cloud provider and not the researchers, it was not submitted to Google as part of a bug report. Google said that if there is evidence that the sub-identifier is unreliable, the company will fix the issue.
But Google has also shifted on the importance of the issue. At first, Google dismissed Ayrey's bug outright, closing the ticket immediately and saying it was not a bug but a "fraud" issue. Google isn't entirely wrong: the risk comes from hackers taking control of a domain and abusing the email accounts they recreate on it. Ayrey didn't begrudge Google the original decision, saying it was a data privacy issue and that Google's OAuth software worked as intended, although users could still be harmed. "It's not that simple," he said.
But three months later, just after his talk was accepted at ShmooCon, Google changed its mind, reopened the ticket, and paid Ayrey a $1,337 bounty. Something similar happened to him in 2021, when Google reopened a ticket after his popular talk at the cybersecurity conference Black Hat. Google even awarded Ayrey and his bug-finding partner Allison Donovan third place in its Security Researcher of the Year Award ($73,331).
Google has yet to release a technical fix for the flaw, nor a timetable for when it will be fixed, and it's unclear whether Google will make technical changes to address the issue in some way. However, the company has updated its documentation to tell cloud providers to use sub-identifiers. Google is also providing instructions to founders on how companies should properly shut down Google Workspace and prevent issues from occurring.
Google says the ultimate solution is for founders who shut down a company to make sure they shut down all of its cloud services properly. "We thank Dylan Ayrey for helping identify the risks posed by customers forgetting to remove third-party SaaS services when they cease operations," the spokesperson said.
Ayrey, a founder himself, understands why many founders may not ensure their cloud services are disabled. Closing a business is a complex process that has to be completed during an emotionally painful period: it involves many things, from getting rid of employee computers, to closing bank accounts, to paying taxes.
"When founders have to deal with closing a company, they may not have enough head space to think about everything they need to consider," Ayrey said.