As if losing your job when the startup you work for collapses isn’t bad enough, a security researcher has now found that employees of failed startups are at particular risk of having their data stolen. The exposed data ranges from their private Slack messages to Social Security numbers and potentially bank account details.
The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps guard against leaks of the credentials attackers use to log in as someone else (i.e., API keys, passwords, and tokens).
Ayrey is also a rising star in the bug hunting world. Last week at the ShmooCon security conference he gave a talk about a flaw he found in Google OAuth, the technology behind “Sign in with Google,” which people can use instead of passwords.
Ayrey gave his talk after reporting the vulnerability to Google and to the other companies that could be affected, and he was able to share the details because Google does not prevent bug hunters from talking about their findings. (Google’s decades-old Project Zero, for example, routinely points out the flaws it finds in other tech giants’ products, such as Microsoft Windows.)
He discovered that if malicious hackers bought the defunct domain of a failed startup, they could use it to access cloud software configured to let anyone at the company log in, such as a company chat or video app. From there, many of these apps expose company directories or user information pages where the hacker could discover the current e-mail addresses of former employees.
Armed with the domain and those emails, hackers could use the “Sign in with Google” option to access many of the startup’s cloud software applications, often finding more employee emails.
To test the flaw he found, Ayrey bought a failed startup domain and from it was able to access ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers.
“That’s probably the biggest threat,” Ayrey told TechCrunch, since data from a cloud HR system is “the easiest they can monetize, and Social Security numbers and banking information and whatever is in the HR systems is probably quite likely” to be targeted. He said that old Gmail or Google Docs accounts created by employees, or any data created with Google’s own applications, are not at risk, and Google has confirmed this.
While any failed company with a domain for sale could be exposed this way, startup employees are particularly vulnerable because startups tend to run their businesses on Google applications and a large amount of cloud software.
Ayrey estimates that tens of thousands of former employees are at risk, along with millions of SaaS software accounts. The estimate is based on his research, which found 116,000 website domains from failed tech startups currently available for sale.
Google actually has a mechanism in its OAuth configuration that should prevent the risks Ayrey outlined, if the SaaS cloud provider uses it. It’s called a “sub-identifier”, a string of digits unique to each Google account. While an employee could have multiple email addresses attached to their work Google account, that account should only ever have one sub-identifier.
If the provider uses it, then when an employee logs in to a cloud application with OAuth, Google sends both the email address and the sub-identifier to identify the person. So even if malicious hackers recreate the email addresses by controlling the domain, they should not be able to recreate these identifiers.
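As an added illustration (not code from the article, from Google or from Truffle Security) of the difference the sub-identifier makes: a SaaS provider’s account lookup keyed on the verified e-mail and hosted-domain claims, beside one keyed on the `sub` claim. The domain name, account store and token claims are all constructed for the example; they stand in for an ID token whose signature, issuer, audience and expiry have already been verified.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """A SaaS-side user record linked to a Google identity."""
    account_id: str
    email: str
    google_sub: str  # the stable "sub" claim recorded at first login


# Constructed account store for a hypothetical failed startup's domain.
ACCOUNTS = [Account("acct-1", "alice@failed-startup.example", "104567890123456789012")]

# Constructed claims from the legitimate employee's original login
# (already signature-, issuer-, audience- and expiry-checked).
ORIGINAL_CLAIMS = {
    "iss": "https://accounts.google.com",
    "hd": "failed-startup.example",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "sub": "104567890123456789012",
}

# Constructed claims for the same address re-created on a re-registered
# domain: e-mail and hosted domain are identical, but Google mints a new sub.
RECREATED_CLAIMS = {**ORIGINAL_CLAIMS, "sub": "118765432109876543210"}


def resolve_by_email(claims, accounts=ACCOUNTS):
    """Weak lookup: a verified address on the workspace domain is the identity."""
    if not claims.get("email_verified") or claims.get("hd") != "failed-startup.example":
        return None
    return next((a for a in accounts if a.email == claims["email"]), None)


def resolve_by_sub(claims, accounts=ACCOUNTS):
    """Hardened lookup keyed on sub. Returns (status, account)."""
    by_sub = next((a for a in accounts if a.google_sub == claims["sub"]), None)
    if by_sub is not None:
        return "ok", by_sub
    if any(a.email == claims.get("email") for a in accounts):
        # Known address, unknown Google identity: the account was re-created
        # (or, rarely, the sub changed). Route to manual re-verification
        # instead of silently attaching the login to the old record.
        return "sub_mismatch", None
    return "unknown", None
```

With the e-mail keyed lookup the recreated login lands in the former employee’s record; with the sub keyed lookup it is flagged as a mismatch, which is also the case a provider would have to handle for the rare legitimate sub change discussed below.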
But Ayrey, working with an affected SaaS HR provider, learned that this identifier “was unreliable,” as he put it: the HR provider found that it changed in a very small percentage of cases, 0.04%. That may be statistically close to zero, but for an HR provider handling a large number of logins every day, it adds up to hundreds of failed logins every week, locking people out of their accounts. That’s why this cloud provider didn’t want to rely on Google’s sub-identifier, Ayrey said.
Google disputes that the sub-identifier ever changes. Since this observation came from the HR cloud provider rather than the researcher, it was not submitted to Google as part of the bug report. Google says that if it ever sees evidence that the sub-identifier is not reliable, the company will address it.
But Google also initially understated how important this problem was. At first, Google dismissed Ayrey’s bug report altogether, immediately closing the ticket and saying it wasn’t a bug but a “fraud” issue. Google wasn’t completely wrong: the risk comes from hackers controlling domains and abusing the email accounts they create through them. Ayrey did not fault Google’s initial decision, calling this a data privacy issue in which Google’s OAuth software worked as intended even though users could still be harmed. “It’s not that cut and dry,” he said.
But three months later, right after his talk was accepted by ShmooCon, Google changed its mind, reopened the ticket and paid Ayrey a bounty of $1,337. A similar thing happened to him in 2021, when Google reopened his ticket after he gave a very popular talk about his findings at the Black Hat cyber security conference. Google also awarded Ayrey and fellow bug researcher Allison Donovan third prize in its annual security researcher awards (along with $73,331).
Google has not yet issued a technical fix for the flaw, nor a timeline for when it might, and it’s unclear whether Google will ever make a technical change to address this problem. The company has, however, updated its documentation to tell cloud providers to use the sub-identifier. Google also offers founders instructions on how to properly shut down Google Workspace and prevent the problem.
Ultimately, Google says, the fix is for founders who close a company to make sure they properly shut down all of their cloud services. “We appreciate Dylan Ayrey’s help in identifying the risks arising from customers forgetting to remove third-party SaaS services as part of giving up their operation,” a Google spokesperson said.
Ayrey, a founder himself, understands why many founders didn’t make sure their cloud services were turned off. Closing a company is a complicated process carried out during what can be an emotionally painful time, involving many tasks, from disposing of employees’ computers to closing bank accounts to paying taxes.
“When the founder has to deal with closing the company, they probably aren’t in a great head space to be able to think about all the things they need to think about,” said Ayrey.