Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.
Usually the flaw is on the service provider side when using only the email address for SSO. Typically the IdP will provide a sub claim which is unique to the account and independent of email.
I see the article mentions this sub as having an unreliable claim value. I can’t dispute that experience, but have not observed it personally. Though my experience is on a much smaller system.
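One way a service provider can do the sub-based account matching the comment describes, as an added example that is not code from the thread or from Google; the user store, the sample names and the LinkConflict class are constructed for illustration, and the ID token is assumed to be already verified (signature, audience, expiry):

```python
# Added example (not from the thread): resolving a local account from an
# OIDC ID token's claims by the stable (iss, sub) pair instead of by email.
# Token verification (signature, aud, exp) is assumed to have happened
# before this step.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    email: str
    # Federated identities linked to this account: {(iss, sub), ...}
    federated_ids: set = field(default_factory=set)


# Constructed sample store: one account created via SSO, keyed by
# (issuer, sub) rather than by email address.
USERS = {
    "u-1001": User("u-1001", "alice@example-startup.test",
                   {("https://accounts.google.com", "sub-alice-111")}),
}


class LinkConflict(Exception):
    """Email matches an existing account, but the sub does not."""


def resolve_user(claims: dict, users: dict = USERS):
    """Return the local user for a verified ID token's claims, or None.

    Matching is done on (iss, sub) only. A token that merely carries the
    same email as an existing account (e.g. after a domain changes hands)
    is treated as a conflict, not as proof of ownership.
    """
    key = (claims["iss"], claims["sub"])
    for user in users.values():
        if key in user.federated_ids:
            return user
    # No federated match but an account with the same email exists:
    # do not auto-link; require explicit re-verification instead.
    wanted = claims.get("email", "").lower()
    for user in users.values():
        if wanted and user.email.lower() == wanted:
            raise LinkConflict(f"email {user.email!r} already used by {user.user_id}")
    return None  # caller may offer sign-up as a brand-new account
```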