Dead Google Apps Domains Can Be Compromised By New Owners (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Lots of startups use Google's productivity suite, known as Workspace, to handle email, documents, and other back-office matters. Relatedly, lots of business-minded webapps use Google's OAuth, i.e. "Sign in with Google." It's a low-friction feedback loop -- up until the startup fails, the domain goes up for sale, and somebody forgot to close down all the Google stuff. Dylan Ayrey, of Truffle Security Co., suggests in a report that this problem is more serious than anyone, especially Google, is acknowledging. Many startups make the critical mistake of not properly closing their accounts -- on both Google and other web-based apps -- before letting their domains expire.
Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspace (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain lets you re-create the Google accounts of former employees if the domain's Workspace tenant was never shut down.
With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials. The identifier Google refers to below is the `sub` claim of the OpenID Connect ID token, a per-account value that a re-created mailbox with the same address does not inherit. A Google spokesperson said in a statement: "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk."
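The relying-party side of Google's advice, as an added example that is not code from the Ars report, Truffle Security, or Google: the weak pattern matches an app user by the ID token's `email` claim, the hardened pattern matches by the `sub` claim and refuses to silently link a new `sub` to an address that already belongs to someone. The tokens are constructed dicts standing in for an already signature-verified payload (issuer, audience and expiry checks are assumed done upstream, for instance with google-auth's `id_token.verify_oauth2_token`); the `sub` values and `startup.example` domain are invented for the scenario.

```python
"""
Account linking for "Sign in with Google" on the relying-party side.

login_by_email: weak, keys the app account on the email address.
login_by_sub:   hardened, keys it on Google's per-account `sub` claim and
                treats "known address, unknown sub" as a collision, not a login.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class User:
    user_id: int
    email: str
    google_sub: str


@dataclass
class UserStore:
    """Simulated app database, indexed both ways so each strategy is one lookup."""
    by_email: Dict[str, User] = field(default_factory=dict)
    by_sub: Dict[str, User] = field(default_factory=dict)
    next_id: int = 1

    def create(self, email: str, sub: str) -> User:
        user = User(self.next_id, email.lower(), sub)
        self.next_id += 1
        self.by_email[user.email] = user
        self.by_sub[sub] = user
        return user


def login_by_email(store: UserStore, token: dict) -> User:
    """Weak: whoever later controls the domain can re-create the mailbox in a
    new Workspace tenant, obtain a token carrying the same verified address,
    and be handed the former employee's account and everything in it."""
    if not token.get("email_verified"):
        raise ValueError("unverified email claim")
    user = store.by_email.get(token["email"].lower())
    return user or store.create(token["email"], token["sub"])


def login_by_sub(store: UserStore, token: dict) -> User:
    """Hardened: `sub` is assigned per Google account and not reused, so a
    mailbox re-created on a re-bought domain arrives with a fresh `sub`.
    Never fall back to an email match here; that is the weak path again."""
    user = store.by_sub.get(token["sub"])
    if user is not None:
        return user
    if store.by_email.get(token["email"].lower()) is not None:
        # Same address, different Google account: the mailbox was re-created.
        # Refuse and route to out-of-band recovery / admin review instead.
        raise PermissionError("email already bound to a different Google account")
    return store.create(token["email"], token["sub"])


# Constructed sample tokens (not real Google identities): the employee's token
# while the startup was alive, the same employee after a rename, and a token
# minted after the domain was bought and the mailbox re-created.
ORIGINAL_TOKEN = {"sub": "100000000000000000001", "email": "alice@startup.example",
                  "email_verified": True}
RENAMED_TOKEN = {"sub": "100000000000000000001", "email": "alice.smith@startup.example",
                 "email_verified": True}
TAKEOVER_TOKEN = {"sub": "100000000000000000002", "email": "alice@startup.example",
                  "email_verified": True}


def run_scenario() -> dict:
    """Runs both strategies over the sample tokens and reports what happened."""
    weak = UserStore()
    first = login_by_email(weak, ORIGINAL_TOKEN)
    later = login_by_email(weak, TAKEOVER_TOKEN)

    hardened = UserStore()
    alice = login_by_sub(hardened, ORIGINAL_TOKEN)
    renamed = login_by_sub(hardened, RENAMED_TOKEN)
    try:
        login_by_sub(hardened, TAKEOVER_TOKEN)
        takeover_outcome = "linked"
    except PermissionError:
        takeover_outcome = "refused"

    return {
        "weak_reuses_account": first.user_id == later.user_id,
        "hardened_follows_rename": alice.user_id == renamed.user_id,
        "hardened_takeover_outcome": takeover_outcome,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The rename case is included because it is the usual objection to keying on `sub`: an email-keyed app loses the user when the address changes, a `sub`-keyed app does not. The collision branch is where a real deployment needs a policy; refusing and escalating is the safe default, auto-merging by address reintroduces the takeover.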
How do I get them to stop (Score:3)
Re: (Score:3)
That's not up to you, that's up to the website you're visiting. They are the ones who partnered with Google and are running Google's sign-in script. Do an ironic google search to find out what you need to add as a custom filter to your ublock or whatever else you use to block scripts.
If I read Google's response correctly (Score:2)
It's the former customer's fault. Did you see the clothes they were wearing?
Re: If I read Google's response correctly (Score:2)
The former customer is 6 feet under but their data is a zombie.
Re: (Score:2)
Well, it sort of is. They are stuck between a rock and a hard place here. What do you recommend? Google take a policy of delete first and ask questions later, without the ability to recover your previous auth tokens? Can you imagine the potential chaos that would cause in an organisation if someone lets a domain lapse?
Re: (Score:2)
Can you imagine the potential chaos that would cause in an organisation if someone lets a domain lapse?
It absolutely already causes chaos if an org lets their domain lapse. Someone in executive management needs to be fired immediately if a company's corporate email domain is allowed to expire, as that creates a huge number of issues aside from this catastrophic one of tax documents and social security numbers being leaked to cybercriminals and other opportunists.
What do you recommend Google take a policy
No different than any other (Score:2)
It is the downside of domain re-use. They are used as identifiers, but are not unique if they can be re-used.
Re: (Score:3)
That is true, but the quick reuse apparently causes a problem.
My suggestion would be that ICANN changes the redemption period to 1 year and makes it a mandatory cooling-off period before any kind of recycling and re-use of a domain is allowed. There is currently a 90-day redemption period, but domain registrars often cheat the system by "auctioning off" expiring domain names at the expiration date and transferring them directly, which causes a new party to get the domain without the domain name ever
Can do the same with email (Score:2)
You can "Forgot my password" if you know what the old email addresses were, which can be found by the marketing emails and spam that are probably still being sent.
Re: (Score:2)
Yeah, the fundamental failing is that companies don't delete data when they shut down. This is only slightly less obvious than selling computers from a dead company without wiping the hard drives.
Re: (Score:2)
Apparently the companies no longer care at this point... because what are you going to do if they leak a trove of data for criminals to injure with... sue them? They're a failed startup. You can sue and win, but there will be no money to pay you.
I don't know, but I guess we need to get some legislation passed that says the cloud service providers (such as Google) become secondarily liable, and any attempt to discharge or require arbitration against their liability is void for the full amount of
Re: (Score:2)
With later versions of Windows, companies don't have to care because BitLocker is on by default on client computers, so the only devices left that might contain some information to leak are the servers.
Duh (Score:5, Interesting)
Re: (Score:2)
How anyone could go over a decade without updating their account information is beyond me.
People often don't know. The internet is full of zombie accounts for things which aren't used anymore. Only recently we were reminiscing about a forum I used to frequent with a friend. I haven't visited that website in 20 years. TWO WHOLE DECADES. My indifference to that old place is old enough to vote. My last post was in October 2004. Yet I logged in. Not only did it work... I still had admin privileges. We were joking about making a point of security by giving everyone a 1 day ban and seeing if they revi
Re: (Score:2)
I have a Hotmail account that is, shall we say, a flippant statement and seems to get accounts created with it on sites that don't force email verification. I take them over and shut them down. I was threatened by one of the fools, as they had spent some money on some weird Russian online gambling site.
Maybe Workspace accounts need a different p key? (Score:2)
Time for Google to consider accounts and workspaces to have a different primary key than domains?
Perhaps Workspace accounts need to be keyed to something like a unique ID, so if foo.com has one Google Workspace account, then for some reason, validation checks and another Google Workspace account is created, there is some way to ensure that the accounts can't be accessed from the wrong parties?
Maybe Google needs to look at locking old Workspace instances, where if the new owner of a domain proves ownership (