As if losing your job when the startup you work for collapses isn’t bad enough, now a security researcher has found that workers at failed startups are at particular risk of having their data stolen. This ranges from their personal Slack messages to their Social Security numbers and possibly bank accounts.
The researcher who discovered the issue is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps monitor for data leaks in case bad guys get their hands on identity-binding tools (ie API keys, passwords, and tokens).
Ayrey is also a rising star in the bug hunting world. Last week on ShmooCon security conferencetalked about a flaw he found with Google OAuth, the technology behind Sign in with Google, which people can use instead of passwords.
Ayrey gave his talk after reporting the vulnerability to Google and other companies that could be affected, and was able to share the details because Google doesn’t ban its bug hunters from talking about their findings. (Google’s ten-year-old Project Zero, for example, often presents the flaws it finds in other tech giants’ products, such as Microsoft Windows.)
He discovered that if malicious hackers bought the damaged domains of a failed startup, they could use them to connect to cloud software configured to allow every employee in the company to access, such as a corporate chat or video application. From there, many of these apps offer company directories or user information pages where the hacker could discover the actual emails of former employees.
Armed with the domain and those emails, hackers could use the Sign in with Google option to access many of the startup’s cloud software applications, often finding more employee emails.
To test the flaw he found, Ayrey bought a failed startup domain and from it was able to connect to ChatGPT, Slack, Notion, Zoom, and an HR system that contained Social Security numbers.
“That’s probably the biggest threat,” Ayrey told TechCrunch, as data from an HR system in the cloud is “the easiest thing to monetize, and Social Security numbers and bank information and whatever else is out there in HR systems are likely to be “targeted. He said old Gmail accounts or Google Docs created by employees, or any data created with Google apps, are not at risk either. Google confirmed.
While any failed company with a domain for sale could fall victim, startup workers are especially vulnerable because startups tend to use Google apps and a lot of cloud software to run their businesses.
Ayrey estimates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research that found 116,000 website domains currently being offered for sale by failed tech startups.
Prevention is available but not perfect
Google actually has technology in its OAuth configuration that should prevent the risks Ayrey describes if the SaaS cloud provider uses it. It’s called a “sub-id”, which is a series of numbers unique to each Google account. While an employee can have multiple email addresses linked to their work Google account, the account should only have one secondary ID.
If configured, when the employee goes to sign in to a cloud software account using OAuth, Google will send both the email address and secondary ID to identify the person. So, even if malicious hackers recreated email addresses with domain control, they should not be able to recreate these IDs.
But Ayrey, working with an affected SaaS HR provider, discovered that this ID “was unreliable,” as he put it, meaning the HR provider found it changed a very small percentage of the time: 0.04%. This may be statistically close to zero, but for an HR provider handling huge numbers of daily users, it adds up to hundreds of failed logins every week, locking users out of their accounts. That’s why this cloud provider didn’t want to use Google’s secondary identifier, Ayrey said.
Google disputes that the secondary identifier ever changes. As this finding came from the HR cloud provider, not the researcher, it was not submitted to Google as part of the bug report. Google says that if it ever sees evidence that the secondary identifier is untrusted, the company will address it.
Google changes its mind
But Google also commented on how important this issue was. At first, Google completely dismissed Ayrey’s bug, immediately closing the ticket and saying it wasn’t a bug but a matter of “fraud.” Google wasn’t entirely wrong. This risk comes from hackers controlling domains and abusing email accounts they recreate through them. Ayrey did not dispute Google’s initial decision, calling it a data privacy issue where Google’s OAuth software worked as it should, even though users could still be harmed. “It’s not that cut and dry,” he said.
But three months later, just after his talk was accepted by ShmooCon, Google changed its mind, reopened the ticket, and paid Ayrey a $1,337 bonus. Something similar happened to him in 2021, when Google reopened his ticket after he gave a wildly popular talk about his findings at the Black Hat cybersecurity conference. Google even awarded Ayrey and his bug-finding partner, Allison Donovan, their third Security Researcher of the Year award prizes (plus $73,331).
Google has yet to issue a technical fix for the flaw, nor a timeline for when it might — and it’s unclear if Google will ever make a technical change to somehow address this problem. However, the company has updated documentation to tell cloud providers to use the secondary ID. Google also offers instructions to founders on how companies should properly shut down Google Workspace and prevent the problem.
Ultimately, Google says, the solution is for founders who shut down a company to make sure they properly shut down all their cloud services. “We appreciate Dylan Ayrey’s help in identifying the risks of customers forgetting to delete third-party SaaS services as part of their decommissioning,” the spokesperson said.
Ayrey, a founder himself, understands why many founders may not have ensured their cloud services were turned off. Closing a company is actually a complicated process done during an emotionally painful time – involving many items, from disposing of employees’ computers, closing bank accounts and paying taxes.
“When the founder has to deal with shutting down the company, they’re probably not in a good position to think about all the things they need to think about,” Ayrey says.
