
Failing startup employees are at particular risk of having their personal data stolen through old Google logins

As if losing your job when your startup collapses isn’t bad enough, security researchers are now finding that employees at failed startups are at particular risk of having their data stolen. The exposed data ranges from private Slack messages to Social Security numbers and, possibly, bank account details. The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps watch for data leaks if bad actors get hold of identity login credentials (i.e., API keys, passwords, and tokens). Ayrey is also a rising star in the bug-hunting world. Last week at the ShmooCon security conference, he gave a talk about a flaw he found in Google OAuth, the technology behind “Sign in with Google,” which people can use instead of passwords. Ayrey gave the talk after reporting the vulnerability to Google and to other companies that may have been affected; he was able to share the details because Google did not bar the bug hunters from talking about their findings. (Google’s decade-old Project Zero, for example, has often shared flaws found in the products of other tech giants, such as Microsoft Windows.) The researchers found that when malicious hackers bought the dead domains of failed startups, they could use them to log in to cloud software configured to give every employee in the company access, such as company chat or video applications. From there, many of these apps offer company directories or user info pages where hackers can find former employees’ original email addresses. Armed with that domain and those emails, hackers can use the “Sign in with Google” option to access many of the startup’s cloud software applications, often finding more employees’ emails along the way. To test the flaws he discovered, Ayrey bought a failed startup’s domain and from there was able to log into ChatGPT, Slack, Notion, Zoom, and an HR system that contained Social Security numbers.
“That’s probably the biggest threat,” Ayrey told TechCrunch, because data from cloud HR systems is “the easiest to monetize, and Social Security numbers and banking information and anything else that’s in the HR system could potentially be a target.” He said that old Gmail or Google Docs accounts created by employees, or any data created with Google applications, are not at risk, and Google confirmed this. While any company that fails and leaves behind a domain that can be sold is exposed, startup employees are especially vulnerable because startups tend to use Google apps and many cloud software services to run the business. Tens of thousands of former employees are at risk, as well as millions of SaaS software accounts; this estimate is based on research that found 116,000 websites from failed tech startups available for sale. Google has an OAuth configuration that should prevent the risks outlined by Ayrey, if SaaS cloud providers use it. This is called a “sub-identifier,” a series of numbers unique to each Google account. While an employee may have multiple email addresses associated with their work Google account, each account should have only one sub-identifier. If configured, when an employee logs into their cloud software account using OAuth, Google sends both their email address and their sub-identifier to identify that person. So even if a malicious hacker recreates an email address through control of the domain, it is unlikely that they will be able to recreate the identifier. But Ayrey, working with one of the affected HR SaaS providers, found that this identifier was “unreliable,” as he put it: the HR provider found that the sub-identifier changed in a very small percentage of cases, 0.04%. That may be statistically close to zero, but for HR providers who handle many users every day, it adds up to hundreds of failed logins every week, locking people out of their accounts. That is why these cloud providers don’t want to use Google’s sub-identifier, Ayrey said. Google denied that the sub-identifier changes.
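The sub-identifier check described above, as an added example that is not from the article, Truffle Security or Google: a SaaS login handler that keys user records on the ID token’s `sub` claim and refuses a login whose email matches an existing account but whose `sub` differs (the recreated-email case). It assumes the ID token’s signature, issuer and audience have already been verified; the claims and user records are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class UserRecord:
    sub: str    # Google's stable account identifier (the `sub` claim)
    email: str  # address Google presented at last login; may change

class UserDirectory:
    """SaaS-side user store keyed on `sub`, with an email index for lookups."""
    def __init__(self):
        self.by_sub = {}
        self.by_email = {}

    def add(self, record):
        self.by_sub[record.sub] = record
        self.by_email[record.email] = record

def resolve_login(directory, claims):
    """Map already-verified Google ID token claims to a local account.
    'ok':           known sub (email re-indexed if Google reports a new alias)
    'sub_mismatch': email exists locally but sub differs; refuse and alert
    'new':          unseen sub and email; provision normally
    'reject':       claims unusable (no sub, no email, or email unverified)
    """
    sub = claims.get("sub")
    email = (claims.get("email") or "").lower()
    if not sub or not email or claims.get("email_verified") is not True:
        return "reject"
    known = directory.by_sub.get(sub)
    if known is not None:
        if known.email != email:
            # Same Google account, new address: re-index on the new email.
            directory.by_email.pop(known.email, None)
            known.email = email
            directory.by_email[email] = known
        return "ok"
    if email in directory.by_email:
        # Domain re-registered and address recreated: email matches, sub does
        # not. Checking the `hd` claim would not help, since the attacker now
        # controls the domain. Do not merge; route to out-of-band re-verification
        # (this also covers the rare legitimate sub change the article mentions).
        return "sub_mismatch"
    directory.add(UserRecord(sub=sub, email=email))
    return "new"

def sample_directory():
    """Constructed sample: the startup's original employee roster."""
    d = UserDirectory()
    d.add(UserRecord(sub="1001", email="alice@startup.example"))
    return d
```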
Because this finding came from an HR cloud provider, not a researcher, it was not sent to Google as part of a bug report. Google says that if it sees evidence that sub-identifiers are unreliable, the company will address it.

Google changed its mind

But Google also flip-flopped on how important this problem is at all. At first, Google dismissed Ayrey’s bug entirely, immediately closing the ticket and saying it wasn’t a bug but a “fraud” issue. Google is not entirely wrong: the risk comes from hackers taking control of the domain and misusing recreated email accounts. Ayrey wasn’t upset with Google’s initial decision, calling it a data privacy issue in which Google’s OAuth software works as designed even though users could still be harmed. “That’s not cut and dry,” he said. But three months later, after his talk was accepted by ShmooCon, Google changed its mind, reopened the ticket, and paid Ayrey a $1,337 bounty. Something similar happened to him in 2021, when Google reopened his ticket after he spoke about his findings at the Black Hat cybersecurity conference. Google even awarded Ayrey and bug-finding partner Allison Donovan third prize in its annual security researcher awards (along with $73,331). Google hasn’t published a technical fix for the flaw or a timeline for when one might be available, and it’s unclear whether Google will make any technical changes to address this issue. The company has, however, updated its documentation to tell cloud providers to use sub-identifiers. Google also offers instructions to founders on how to properly disable Google Workspace and prevent these problems. Ultimately, Google says, the fix is for founders who shut down their companies to properly shut down all of their cloud services. “We appreciate Dylan Ayrey’s help in identifying the risk stemming from customers forgetting to remove third-party SaaS services as part of their operations,” a Google spokesperson said.
Ayrey, a founder himself, understands why many founders might not make sure their cloud services are turned off. Shutting down a company is a complicated process that plays out over a period of time and can be emotionally painful; it involves many things, from disposing of employees’ computers and closing bank accounts to paying taxes. “When the founders have to deal with shutting the company down, they are probably not in a big head space to be able to think about everything they need to think about,” Ayrey said.