"Millions of Accounts Vulnerable due to Google’s OAuth Flaw"

https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw

I wonder if any other OAuth providers have similar issues and how they solve it.

#security #cybersecurity #infosec #oauth #google


Discussion

In any claims-based authentication scenario (SAML, OIDC/OAuth), it’s the responsibility of the app developers to select an immutable identifier claim, but many developers will select the email address (or a similar claim like UPN), which relies on domain names that can be reused (and is thus not immutable).

So, this type of vulnerability likely exists in many apps regardless of the identity provider.

However, the problem here is that the identity provider doesn’t provide any consistent immutable identifiers for the app developers to choose.

Most apps will be fixed only after Google fixes this, so it’s not going away quickly.
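To make the reply's point concrete, here is an added example (not code from the original post, the linked article, or any identity provider) of the two account-linking strategies it contrasts. The ID-token claims are hand-constructed dictionaries standing in for already-validated OIDC tokens; the issuer string is Google's real `iss` value, but the `sub` values and email addresses are made up. The "new domain owner" login is a second, unrelated IdP user who has been issued the same email address after the old domain was re-registered. Keying on `email` maps that user onto the old account; keying on the `(iss, sub)` pair does not, on the assumption (which the reply says cannot be taken for granted from every provider) that `sub` really is stable and never reassigned.

```python
"""Account linking for OIDC logins: mutable 'email' vs. stable '(iss, sub)'.

Constructed example. The claim dictionaries below are hand-built stand-ins for
ID tokens whose signature, issuer and audience have already been verified.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Account:
    account_id: str
    email: str      # contact attribute; may change and may be reissued
    issuer: str     # 'iss' claim of the IdP that authenticated the user
    subject: str    # 'sub' claim: the IdP's stable per-user identifier


class AccountStore:
    """Tiny in-memory account table with two linking strategies."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._next_id = 1

    def _create(self, claims: dict) -> Account:
        acct = Account(
            account_id=f"acct-{self._next_id}",
            email=claims["email"],
            issuer=claims["iss"],
            subject=claims["sub"],
        )
        self._next_id += 1
        self._accounts[acct.account_id] = acct
        return acct

    def link_by_email(self, claims: dict) -> Tuple[Account, bool]:
        """Risky pattern: the app treats the email address as the identity.

        Anyone the IdP later certifies as owning the same address, for example
        a new registrant of an expired domain, lands in the existing account.
        Returns (account, True) for an existing account, (account, False) for a
        freshly created one.
        """
        for acct in self._accounts.values():
            if acct.email.lower() == claims["email"].lower():
                return acct, True
        return self._create(claims), False

    def link_by_subject(self, claims: dict) -> Tuple[Account, bool]:
        """Safer pattern: identity is the (iss, sub) pair.

        A different 'sub' never matches an existing account even if the email
        is identical, while the same 'sub' keeps its account when the email
        changes. Email is refreshed as a contact attribute only.
        """
        for acct in self._accounts.values():
            if acct.issuer == claims["iss"] and acct.subject == claims["sub"]:
                acct.email = claims["email"]
                return acct, True
        return self._create(claims), False


# Constructed claims. Same issuer and email, different 'sub': the second
# dictionary models a new owner of a re-registered domain logging in.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "alice@failed-startup.example",
    "email_verified": True,
}
NEW_DOMAIN_OWNER = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000002",
    "email": "alice@failed-startup.example",
    "email_verified": True,
}


def compare_strategies() -> dict:
    """Run both strategies against the two logins and report whether the
    second login reached the first user's account."""
    by_email = AccountStore()
    first, _ = by_email.link_by_email(ORIGINAL_EMPLOYEE)
    second, existed = by_email.link_by_email(NEW_DOMAIN_OWNER)
    email_takeover = existed and second.account_id == first.account_id

    by_sub = AccountStore()
    first, _ = by_sub.link_by_subject(ORIGINAL_EMPLOYEE)
    second, existed = by_sub.link_by_subject(NEW_DOMAIN_OWNER)
    sub_takeover = existed and second.account_id == first.account_id

    return {"email_keyed_takeover": email_takeover,
            "subject_keyed_takeover": sub_takeover}


if __name__ == "__main__":
    print(compare_strategies())
```

The `(iss, sub)` pair is the key rather than `sub` alone because subject identifiers are only unique within one issuer; an app that accepts several providers must store both.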