Security Risks for Employees of Failed Startups: A Data Theft Concern

Security expert Dylan Ayrey warns that employees of failed startups risk data theft through old Google logins, including exposure of sensitive personal information. He discovered a weakness in Google OAuth that anyone who acquires a defunct company's lapsed domain can exploit. Tens of thousands of former employees are at risk, highlighting the need for proper closure of cloud services to safeguard sensitive data.

Key Highlights
– Employees of failed startups are at heightened risk of data theft due to compromised Google logins.
– Security researcher Dylan Ayrey identified vulnerabilities linked to Google OAuth that may expose personal data.
– Tens of thousands of former employees face risks related to their sensitive information, with Google confirming the issue.
– According to Google, proper closure of cloud services is crucial to mitigating these risks.

Understanding the Risks
The collapse of a startup not only results in job loss, but also in increased vulnerability to identity theft for its former employees. A recent report highlights that individuals who once worked at failed startups are at significant risk of having their personal data, including private communications and sensitive information, stolen. The findings stem from the research of Dylan Ayrey, co-founder and CEO of Truffle Security, known for his work on the open-source secret-scanning tool TruffleHog.

The Vulnerability Discovered
At a recent security conference, Ayrey revealed a serious flaw within Google OAuth, the system behind the convenient “Sign in with Google” feature. By acquiring the domain of a defunct startup, malicious actors could potentially access both collaborative and sensitive cloud applications utilized by the former employees, revealing personal information such as email addresses.

Real-World Testing
Ayrey conducted tests by purchasing a failed startup’s domain and successfully logged into multiple platforms, including ChatGPT, Slack, and a cloud HR system. He emphasized the gravity of this vulnerability, stating, “That’s probably the biggest threat… the Social Security numbers and the banking information… is probably pretty likely” to be targeted. While the personal data generated through Google’s platform remains secure, the situation poses significant risks for startup staffers.

Unintended Consequences
Startups are particularly susceptible due to their extensive reliance on Google services and various applications to manage operations. Ayrey estimates that thousands of former employees and millions of cloud account users are imperiled. His analysis revealed over 116,000 expired domains available for acquisition from failed tech ventures, exacerbating the threat to data security.

Prevention Measures
Google’s OAuth infrastructure is designed to avert such risks through a unique “sub-identifier” for each account, a value that stays bound to the original Google account rather than to the email address or domain; however, a SaaS HR provider reported inconsistencies in that identifier, casting doubt on its reliability. While the provider noted failures in the identifier, Google maintains that it remains consistent and has pledged to investigate any emerging concerns.
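To make the point concrete, here is an added example (not code from the article, from Google, or from Truffle Security) of why a SaaS login handler should key accounts on the ID token's `sub` claim rather than on the email or hosted-domain claim. All claim values, the client ID and the payroll record are constructed sample data, and signature verification of the ID token is assumed to have already happened in a library.

```python
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "hr-app-client-id.example"  # hypothetical audience value for this app

def validate_claims(claims: dict) -> dict:
    """Basic claim checks an app applies after the token signature has been verified."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this app")
    if not claims.get("email_verified"):
        raise ValueError("unverified email")
    return claims

class AccountStore:
    """Two lookup strategies side by side: weak (email) and correct (sub)."""
    def __init__(self) -> None:
        self.by_email: dict = {}
        self.by_sub: dict = {}

    def enroll(self, claims: dict, record: dict) -> None:
        claims = validate_claims(claims)
        self.by_email[claims["email"]] = record
        self.by_sub[claims["sub"]] = record

    def login_by_email(self, claims: dict) -> Optional[dict]:
        # Weak pattern: whoever controls the domain can recreate any mailbox name.
        return self.by_email.get(validate_claims(claims)["email"])

    def login_by_sub(self, claims: dict) -> Optional[dict]:
        # Correct pattern: `sub` identifies the original Google account, not the domain.
        return self.by_sub.get(validate_claims(claims)["sub"])

def demo() -> tuple:
    """Returns (email-keyed result, sub-keyed result) for a re-created mailbox."""
    store = AccountStore()
    original = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                "sub": "1001", "email": "alice@defunct-startup.example",
                "hd": "defunct-startup.example", "email_verified": True}
    store.enroll(original, {"name": "Alice", "payroll": "redacted"})
    # Same mailbox name re-created under a new Workspace tenant: same email, new `sub`.
    reissued = dict(original, sub="2002")
    return store.login_by_email(reissued), store.login_by_sub(reissued)

if __name__ == "__main__":
    print(demo())  # email lookup returns Alice's record; sub lookup returns None
```

The email-keyed lookup hands the old record to the new account holder, while the sub-keyed lookup treats the login as a brand-new user with no access to the former employee's data.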

Google’s Reaction
Initially, Google dismissed Ayrey’s report, labeling it a fraud issue rather than a bona fide bug. However, after further investigation into the potential risks presented by domain reactivation, the company changed its stance and provided Ayrey with a monetary reward for his findings. This situation underscores the challenges inherent in data security and the evolving nature of cybersecurity threats.

Providing Guidance to Founders
Google’s position emphasizes the importance of appropriately shutting down Google services to safeguard against data misuse. A Google spokesperson acknowledged Ayrey’s efforts in highlighting these risks, expressing appreciation for his insights. Ayrey acknowledged that many founders may neglect these technicalities during the stressful end of their ventures, stating, “When the founder has to deal with shutting the company down, they’re probably not in a great headspace to be able to think about all the things they need to be thinking about.”

The research by Dylan Ayrey has illuminated a significant risk for former startup employees concerning data theft via exploited Google OAuth logins. The incident underscores the necessity for proper closure of cloud services to prevent unauthorized access to sensitive information. As startups frequently utilize these tools, it is vital for founders to implement safeguards during shutdown procedures to protect former employees’ personal data.

Original Source: techcrunch.com
