As if losing your job when the startup you work for fails isn’t bad enough, now a security researcher has found that employees at failed startups are particularly at risk of data theft. This ranges from their private Slack messages to Social Security numbers and, potentially, bank accounts.
The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps find leaked secrets (i.e., API keys, passwords, and tokens) before bad actors can get hold of them.
Ayrey is also a rising star in the bug hunting world. Last week, at the ShmooCon security conference, he gave a talk about a bug he found in Google OAuth, the technology behind “Sign in with Google,” which people can use instead of passwords.
Ayrey gave his talk after reporting the vulnerability to Google and other companies that may be affected, and was able to share details because Google doesn’t ban its bug hunters from talking about their findings. (Google’s Project Zero, which is a decade old, for example, often points out flaws it finds in products from other tech giants, such as Microsoft Windows.)
He found that if malicious hackers bought a failed startup’s dead domains, they could use them to log into cloud software configured to give every employee at the company access, such as a company chat or video app. From there, many of these apps offer company directories or customer information sites where a hacker can discover real emails from former employees.
Armed with the domain and that email, hackers could use the “Sign in with Google” option to access many of the startup’s cloud software applications, often finding multiple employee emails.
To test the bug he found, Ayrey bought a failed startup’s domain and was able to log into ChatGPT, Slack, Notion, Zoom, and an HR system that contained Social Security numbers.
“That’s probably the biggest threat,” Ayrey told TechCrunch, because data from cloud HR systems “is the easiest to monetize, and Social Security numbers and bank information and everything else in HR systems is probably very likely” to be targeted. He said that old Gmail accounts or Google Docs created by employees, or any data created with Google applications, are not compromised, which Google has confirmed.
While any failed business with a domain for sale could fall prey, startup employees are particularly vulnerable because startups typically use Google apps and a lot of cloud software to run their business.
Ayrey calculates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research that found 116,000 website domains currently available for sale from failed tech startups.
Google actually has technology in its OAuth configuration that should prevent the risks described by Ayrey, if a SaaS cloud provider uses it. It’s called a “sub-identifier,” which is a series of numbers unique to each Google Account. While an employee can have multiple email addresses associated with their business Google Account, the account should only have one sub-identifier.
If configured, when an employee signs in to a cloud software account using OAuth, Google will send both an email address and a sub-identifier to identify the person. So, even if malicious hackers recreated the email addresses with domain control, they shouldn’t be able to recreate those identifiers.
But Ayrey, working with one affected SaaS HR provider, found that this identifier “was unreliable,” he said, meaning the HR provider found it had changed in a very small percentage of cases: 0.04%. That might be statistically close to zero, but for an HR provider handling a huge number of daily users, that adds up to hundreds of failed logins every week, locking people out of their accounts. That’s why the cloud provider didn’t want to use Google’s sub-identifier, Ayrey said.
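The following is an added example, not code from the article, from Google, or from any of the providers mentioned: it contrasts a login that maps a Google ID token to an account by email address with one that keys on the `sub` claim, and it treats the case the HR provider described (known email, unexpected `sub`) as a conflict to re-verify rather than as a login. The account store, the `sub` values and the token claims are constructed sample data, and the claims are assumed to have already passed signature and issuer checks.

```python
# Constructed account store keyed by the Google "sub" identifier.
ACCOUNTS_BY_SUB = {
    "sub-1001": {"email": "alice@failedstartup.example", "role": "admin"},
}


class LoginRejected(Exception):
    """Raised when an ID token must not be mapped to an existing account."""


def login_by_email(claims):
    """Weak pattern: any token carrying a known email is treated as that user.

    Whoever re-registers the dead domain and recreates the mailbox receives
    tokens with the same email but a different sub, and is logged in anyway.
    """
    for sub, acct in ACCOUNTS_BY_SUB.items():
        if acct["email"] == claims["email"]:
            return sub
    raise LoginRejected("unknown account")


def login_by_sub(claims):
    """Hardened pattern: the sub claim is the identity; email is display data.

    A known email arriving with a different sub is a conflict that needs
    manual re-verification. This also covers the rare sub-change cases the
    HR provider reported, without silently locking the user out or logging
    an attacker in.
    """
    if not claims.get("email_verified", False):
        raise LoginRejected("email not verified by the identity provider")
    sub = claims["sub"]
    if sub in ACCOUNTS_BY_SUB:
        return sub
    for known_sub, acct in ACCOUNTS_BY_SUB.items():
        if acct["email"] == claims["email"]:
            raise LoginRejected(
                f"email matches account {known_sub} but sub differs; re-verify")
    raise LoginRejected("unknown account")


# Constructed token claims: a legitimate employee token, and one minted
# under a re-registered domain (same email, different sub).
LEGIT = {"sub": "sub-1001", "email": "alice@failedstartup.example",
         "email_verified": True}
REREGISTERED = {"sub": "sub-9999", "email": "alice@failedstartup.example",
                "email_verified": True}
```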
Google disputes that the sub-identifier ever changes. As this finding came from an HR cloud provider and not a researcher, it was not reported to Google as part of the bug report. Google says the company will address it if it ever sees evidence that a sub-identifier is unreliable.
But Google has also been inconsistent about how important this issue even is. At first, Google completely dismissed Ayrey’s bug, immediately closing the report and saying it was not a bug but a “fraud” issue. Google wasn’t completely wrong: the risk comes from hackers controlling domains and abusing the email accounts they recreate through them. Ayrey didn’t begrudge Google’s initial decision, calling it a data privacy issue in which Google’s OAuth software worked as intended even though users could still be hurt. “It’s not that cut and dry,” he said.
But three months later, right after ShmooCon accepted his talk, Google changed its mind, reopened the ticket and paid Ayrey a $1,337 bounty. A similar thing happened to him in 2021, when Google reopened a ticket after he gave a very popular talk about his findings at the Black Hat cybersecurity conference. Google even awarded Ayrey and his bug-finding partner, Allison Donovan, third prize in its annual security research awards (along with $73,331).
Google hasn’t yet issued a technical fix for the bug, or a timeline for when that might be, and it’s unclear if Google will ever make a technical change to fix the issue. The company has, however, updated its documentation to tell cloud service providers to use the sub-identifier. Google also offers founders instructions on how to properly shut down Google Workspace and prevent the problem.
Ultimately, Google says, the solution is for founders who are shutting down a company to make sure they properly shut down all of their cloud services. “We appreciate Dylan Ayrey’s assistance in identifying the risks arising from users forgetting to delete third-party SaaS services as part of winding down their operation,” the spokesperson said.
Ayrey, a founder himself, understands why many founders may not have ensured their cloud services are disabled. Closing a business is a complicated process that takes place during a potentially emotionally painful period, and it involves many things, from disposing of employees’ computers and closing bank accounts to paying taxes.
“When a founder has to deal with closing a company, they probably don’t have enough space to think about all the things they need to think about,” says Ayrey.