On December 16th Truffle Security disclosed a Google OAuth vulnerability that lets employees keep access to applications like Slack and Zoom after they leave a company. The vulnerability arises from the ability to create a personal Google account whose email address carries the corporate organization's domain but is not managed by that organization's Google Workspace. This poses a risk to organizations, to service providers like Zoom and Slack, and to Google itself.
How does it work?
1. First, the user must have an account in your corporate Google workspace, such as email@example.com
2. While still employed, the user creates a new personal Google account, signing up with their work email address plus a "+something" tag in the local part, e.g. email+something@example.com. Gmail and Google Workspace deliver plus-addressed mail to the base mailbox, so every verification email for the new account lands in the user's corporate inbox. (They need to do this before leaving the organization.)
When creating the account the user clicks "Use your existing email" and enters the alias email+something@example.com rather than creating a gmail.com address.
3. The user can now sign in to 3rd party apps with this personal Google account and be treated as a member of the corporate domain. This works because many 3rd party apps only check that the domain part of the email used at login matches a known corporate domain (email+something@example.com ⇒ domain = example.com); they do not check whether the account is actually managed by that Workspace. Since the personal account is not in the corporate Workspace, offboarding the real account does nothing to it.
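As an added illustration (not code from the original post, YeshID, Google or Truffle Security), the following Python contrasts the domain-only check described above with a check based on the `hd` (hosted domain) claim that Google includes in ID tokens only for Workspace accounts. The claim sets are constructed samples that are assumed to be already signature-verified; the claim names follow Google's documented ID token format, and the corporate domain is an assumption.

```python
"""Domain-only vs hosted-domain authorization for 'Sign in with Google'.

Added example, not code from YeshID, Google or Truffle Security.
The claim dictionaries are constructed samples standing in for the decoded,
signature-verified payload of a Google ID token; iss/aud/exp checks are out
of scope here.
"""

CORP_DOMAIN = "example.com"  # assumption: the organization's Workspace domain

# Constructed sample claims.  A Workspace user's ID token carries an `hd`
# claim naming the hosted domain; a personal (consumer) Google account never
# gets one, even when its sign-in email sits at the corporate domain.
WORKSPACE_USER = {
    "sub": "1001",
    "email": "email@example.com",
    "email_verified": True,
    "hd": "example.com",
}
SHADOW_ACCOUNT = {
    "sub": "2002",
    "email": "email+something@example.com",
    "email_verified": True,
    # no `hd`: this is a personal account created with "Use your existing email"
}


def domain_only_check(claims: dict) -> bool:
    """Vulnerable: trusts any verified email whose domain part matches."""
    email = claims.get("email", "")
    return (
        claims.get("email_verified") is True
        and email.rpartition("@")[2].lower() == CORP_DOMAIN
    )


def hosted_domain_check(claims: dict) -> bool:
    """Hardened: require Google's `hd` claim, which only Workspace accounts get.

    Parsing the email address is not used at all; the plus-addressed shadow
    account has no `hd` claim and is rejected.
    """
    return (
        claims.get("email_verified") is True
        and claims.get("hd", "").lower() == CORP_DOMAIN
    )


def local_part_is_plus_addressed(email: str) -> bool:
    """True when the local part contains '+', i.e. a Gmail/Workspace alias."""
    return "+" in email.rpartition("@")[0]


if __name__ == "__main__":
    for name, claims in (("workspace user", WORKSPACE_USER), ("shadow account", SHADOW_ACCOUNT)):
        print(f"{name:15s} domain-only={domain_only_check(claims)} "
              f"hd-check={hosted_domain_check(claims)} "
              f"plus-addressed={local_part_is_plus_addressed(claims['email'])}")
```

The domain-only check admits both accounts; the `hd` check admits only the one the Workspace actually manages. Rejecting plus-addressed local parts is a useful secondary signal, but it is not a substitute for the `hd` check, because it does not establish which Google account the token belongs to.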
Was YeshID Affected?
No. A user attempting this technique to sign in to YeshID would not succeed.
What can you do?
- If your organization has tools to search email (such as the Security Center Investigation Tool in Google Workspace), look for messages delivered to addresses at your domain whose local part contains a "+" symbol (e.g. email+something@example.com). Google's account-verification emails arriving at such an alias are a sign that a shadow account was created.
- Review the user lists (or directory exports) of the applications your organization uses and look for accounts whose email address contains a "+" symbol, to find users who may have exploited this vulnerability.
- If an application lets anyone sign in as long as their email address is at your domain, consider disabling that feature. For example, in Slack: https://slack.com/help/articles/115004856503-Manage-how-people-join-your-workspace
- Where possible, switch the application to SAML SSO through your identity provider, so that only accounts that exist in your directory can sign in. If an application must keep using Google sign-in, it should check Google's `hd` (hosted domain) claim rather than parsing the email address, since personal Google accounts do not carry that claim.
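As an added example for the two detection steps above (not code from the original post or from YeshID), this Python scans a user export for plus-addressed accounts at the corporate domain and maps each one back to the real mailbox it would have received verification mail in. The CSV export is a constructed sample, and the corporate domain is an assumption; the same function can be pointed at recipient addresses pulled from an email search.

```python
"""Find plus-addressed corporate email addresses in a user export.

Added example, not code from YeshID.  SAMPLE_EXPORT is constructed data
standing in for a SaaS application's user list; CORP_DOMAIN is an assumption.
"""
import csv
import io
import re
from typing import Iterable

CORP_DOMAIN = "example.com"  # assumption: the organization's Workspace domain

# Local part with a '+' tag, at the corporate domain, case-insensitive.
# group(1) is the base mailbox the alias delivers to, group(2) the tag.
PLUS_ADDR = re.compile(
    r"^([^@+\s]+)\+([^@\s]*)@" + re.escape(CORP_DOMAIN) + r"$",
    re.IGNORECASE,
)


def find_plus_addressed(addresses: Iterable[str]) -> list[tuple[str, str]]:
    """Return (address_as_seen, base_mailbox) for every plus-addressed hit.

    The base mailbox is lower-cased so hits can be joined against the
    Workspace directory; addresses at other domains are ignored because
    they cannot impersonate a member of CORP_DOMAIN.
    """
    hits: list[tuple[str, str]] = []
    for raw in addresses:
        addr = raw.strip()
        m = PLUS_ADDR.match(addr)
        if m:
            hits.append((addr, f"{m.group(1)}@{CORP_DOMAIN}".lower()))
    return hits


# Constructed sample export (not real users): one legitimate account per
# person, two shadow accounts, one plus-address at an unrelated domain.
SAMPLE_EXPORT = """\
email,name,last_login
email@example.com,Alice Example,2024-12-01
email+slack@example.com,Alice Example,2024-12-15
bob@example.com,Bob Example,2024-11-30
carol+news@otherdomain.com,Carol Other,2024-12-02
Dave+Zoom@Example.COM,Dave Example,2024-12-10
"""


def scan_export(csv_text: str) -> list[tuple[str, str]]:
    """Run the scan over a CSV user export that has an `email` column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return find_plus_addressed(row["email"] for row in rows)


if __name__ == "__main__":
    for seen, base in scan_export(SAMPLE_EXPORT):
        print(f"shadow account {seen!r} delivers to mailbox {base}")
```

Every hit names a real mailbox in your Workspace; that is the employee (or former employee) to follow up with, and the account to remove from the application.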