
Employees of failed startups are at risk of personal data being stolen through old Google logins


As if losing your job when your startup goes under isn’t bad enough, now a security researcher has found that employees working at failed startups are at risk of having their data stolen. This ranges from their private Slack messages to their Social Security numbers and potentially their bank accounts.

The researcher who discovered the problem is Dylan Ayrey, co-founder and CEO of Truffle Security, an Andreessen Horowitz-backed startup. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps detect leaked secrets (i.e., API keys, passwords, and tokens) before attackers can use them.

Ayrey is also a rising star in the bug hunting world. At the ShmooCon security conference last week, he talked about a flaw he discovered in Google OAuth, the “Sign in with Google” technology that people can use instead of a password.

Ayrey came forward after notifying Google and other potentially affected companies of the vulnerability, and was able to share its details because Google does not prohibit bug hunters from talking about their findings. (Google’s decade-old Project Zero, for example, often publicizes the flaws it finds in other tech giants’ products, such as Microsoft’s Windows.)

He found that if malicious hackers obtained a failed startup’s lapsed domain, they could use it to access cloud software configured to grant access to every employee of the company, such as a company chat or video app. From there, many of these programs offer company directories or user information pages where a hacker can find the actual email addresses of former employees.

Armed with the domain and those emails, hackers could use the “Sign in with Google” option to access many of the startup’s cloud software applications, often finding more employee emails.

To test the flaw he found, Ayrey took a failed startup’s domain and was able to log into ChatGPT, Slack, Notion, Zoom, and an HR system that contained Social Security numbers.

“That’s probably the biggest threat,” Ayrey told TechCrunch, because data from a cloud HR system “is the easiest way for them to make money, and Social Security numbers, bank information, anything that’s in HR systems is probably the most likely to be targeted.” He said old Gmail accounts or Google Docs created by employees, or any data created with Google apps, are not at risk, and Google has confirmed that.

While any failed company with a domain for sale can be a victim, startup employees are especially vulnerable because startups use Google apps and multiple cloud applications to run their businesses.

Ayrey estimates that tens of thousands of former employees, as well as millions of SaaS software accounts, are at risk. This is based on research that revealed 116,000 website domains from failed tech startups currently available for sale.

Prevention is possible, but not perfect

Google actually has the technology to avert the risk Ayrey describes, if SaaS cloud providers use it in their OAuth configuration. This is called the “sub identifier,” a string of numbers unique to each Google account. Although an employee can have more than one email address attached to a work Google account, the account should always have only one sub ID.

If configured, when an employee signs in to a cloud app account using OAuth, Google sends both the email address and the sub ID to identify the person. Malicious hackers should therefore not be able to recreate these IDs, even if they recreate the email addresses by controlling the domain.

But Ayrey, who works with an affected SaaS HR provider, found that this identifier was, as he called it, “unreliable”: the HR provider found that it changed for a very small percentage of users, 0.04%. That may be statistically close to zero, but for an HR provider managing a large number of daily users it adds up to hundreds of failed logins every week, locking people out of their accounts. That is why the cloud provider didn’t want to rely on Google’s sub identifier, Ayrey said.

Google disputes that the sub identifier ever changes. This finding was not reported to Google as part of a bug report because it came from an HR cloud provider, not a researcher. Google says that if it sees evidence that the sub identifier is not stable, the company will address it.
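The following is an added example, not code from Truffle Security, Google, or the HR provider in the story. It contrasts the email-keyed account lookup that the domain takeover exploits with a lookup keyed on the `sub` claim, and treats the rare sub mismatch the HR provider saw as a step-up verification case rather than a silent link or a lockout. The ID token is assumed to be already signature-checked, and every account and claim set below is constructed.

```python
"""Account resolution for "Sign in with Google": key on `sub`, not email."""
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    sub: str      # Google's per-account sub identifier, stable in normal cases
    email: str    # can be recreated by whoever re-registers a lapsed domain


class LoginRejected(Exception):
    """No usable identity: unverified email or no matching account."""


class StepUpRequired(Exception):
    """Email is known but `sub` is not: either the rare sub change the text
    cites (0.04% of users) or a recreated mailbox on a re-registered domain.
    Neither case should be auto-linked; verify the person out of band."""


def resolve_by_email_only(claims: dict, by_email: dict):
    """The weak pattern: whoever presents the old address gets the account."""
    return by_email.get(claims["email"].lower())


def resolve_login(claims: dict, by_sub: dict, by_email: dict) -> Account:
    """Hardened pattern: match the stable identifier first."""
    if not claims.get("email_verified", False):
        raise LoginRejected("email not verified by the identity provider")
    sub, email = claims["sub"], claims["email"].lower()
    acct = by_sub.get(sub)
    if acct is not None:
        return acct                       # normal login
    if email not in by_email:
        raise LoginRejected("no account for this identity; use sign-up flow")
    raise StepUpRequired(f"{email} known, but token sub {sub} differs")


# Constructed directory of a fictional wound-down startup (example data).
ACCOUNTS = [Account("u1", "100000000000000000001", "alice@example-startup.test")]
BY_SUB = {a.sub: a for a in ACCOUNTS}
BY_EMAIL = {a.email: a for a in ACCOUNTS}


def login_outcome(claims: dict) -> str:
    """Map the hardened resolver's result to a simple outcome label."""
    try:
        return "ok:" + resolve_login(claims, BY_SUB, BY_EMAIL).user_id
    except StepUpRequired:
        return "step-up"
    except LoginRejected:
        return "rejected"
```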

Google is changing its mind

But Google also made it clear how important this issue is. At first, Google completely dismissed Ayrey’s finding, immediately closing the ticket and saying it was a “fraud” issue, not a bug. Google wasn’t entirely wrong. The risk arises from hackers taking control of the domains and abusing the email accounts they recreate through them. Ayrey didn’t begrudge Google’s initial decision, calling it a data privacy issue in which Google’s OAuth works as intended, even though users can still be compromised. “It’s not cut and dry,” he said.

But three months later, just after his talk was accepted by ShmooCon, Google changed its mind, reopened the ticket and awarded Ayrey $1,337. Something similar happened in 2021, when Google reopened a ticket after he gave a wildly popular talk about his findings at the Black Hat cybersecurity conference. Google even awarded Ayrey and his bug-finding partner, Allison Donovan, third prize in its annual security researcher awards (including $73,331).

Google has yet to provide a timeline for when a technical fix for the flaw might be available, and it’s unclear whether Google will ever issue a technical change to address the issue. However, the company has updated its documentation telling cloud providers to use the sub identifier. Google also offers instructions to founders on how to properly close a Google Workspace and prevent the problem.

Finally, Google says the fix is for founders closing a company to make sure they’ve properly shut down all cloud services. “We appreciate Dylan Ayrey’s assistance in identifying the risks posed by customers forgetting to remove third-party SaaS services as part of winding down their operations,” the spokesperson said.

Ayrey, himself a founder, understands why many founders fail to make sure cloud services are shut down. Closing a company is a complicated process carried out at an emotionally painful time; it involves many things, from disposing of employees’ computers to closing bank accounts and paying taxes.

“When a founder has to deal with shutting down a company, they’re probably not in a great mood to think about everything they need to think about,” Ayrey says.
