Takeovers can be facilitated by the purchase of dormant domains.
Millions of online service provider accounts created by employees of now-defunct startups could be subjected to passwordless takeovers.
According to a report from Truffle Security researcher Dylan Ayrey, presented at the ShmooCon hacker conference, takeovers facilitated by the purchase of dormant domains are not only possible with Cloudflare, Zoom, Slack, and ChatGPT accounts, but also those for HR software platform Gusto, workplace management platform Asana, and productivity software vendor Notion.
Reported by SC US, Ayrey said the most eye-opening were HR systems, which allowed you to log in and see the W-2's, Social Security numbers and bank routing numbers of the old employees.
Such a discovery has prompted Google to update its SSO, OpenIDConnect, and OAuth guidance.
"When implementing your account management system, you shouldn't use the email field in the ID token as a unique identifier for a user,” said Google. “Always use the sub field as it is unique to a Google Account even if the user changes their email address."
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
