- cross-posted to:
- [email protected]
You must log in or register to comment.
TL;DR: If you had a Google account on a non-Google domain, an attacker can buy the domain and make new accounts with the same usernames. Those are new accounts as far as Google is concerned, but they will be treated the same for SSO on other platforms.
If you know the cloud-based HR platform a dead company used and the username of their HR person, you can log in and see all employee records and personal details.
I still can’t comprehend how Google used just the mail address or domain for their SSO
I would have expected something like a hash over mail address and password + salt or something, so a new registrar would have a different hashJust using the date of registration in the hash would have been mitigating this stuff - or do I miss something?
Usually the flaw us on the service provider side when using only email address for SSO. Typically the idp will provide a sub claim which is unique to the account and independent of email.
I see the article mentions this sub as having as an unreliable claim value. I can’t dispute that experience, but have not observed it personally. Though my experience is on a much smaller system.
