Takeovers can be facilitated by the purchase of dormant domains.
Millions of online service provider accounts created by employees of now-defunct startups could be subjected to passwordless takeovers.
According to a report from Truffle Security researcher Dylan Ayrey, presented at the ShmooCon hacker conference, takeovers facilitated by the purchase of dormant domains are not only possible with Cloudflare, Zoom, Slack, and ChatGPT accounts, but also those for HR software platform Gusto, workplace management platform Asana, and productivity software vendor Notion.
Reported by SC US, Ayrey said the most eye-opening were HR systems, which allowed you to log in and see the W-2's, Social Security numbers and bank routing numbers of the old employees.
Such a discovery has prompted Google to update its SSO, OpenIDConnect, and OAuth guidance.
"When implementing your account management system, you shouldn't use the email field in the ID token as a unique identifier for a user,” said Google. “Always use the sub field as it is unique to a Google Account even if the user changes their email address."
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
