The “Sign in with Google” feature is widely used across corporate services, offering a convenient authentication method backed by Google’s vast infrastructure. However, a recently uncovered vulnerability reveals a significant flaw: attackers can exploit abandoned domains to gain unauthorized access to corporate accounts.

This article explores how cybercriminals can use defunct company domains to infiltrate services such as Slack, Zoom, Notion, and HR systems—and what businesses can do to mitigate this risk.


How Google OAuth Authentication Works

When a user logs into a service using “Sign in with Google,” the authentication process generally involves verifying access to an email address associated with a corporate Google Workspace account. The key data shared during authentication includes:

  • Email Address: The primary identifier used by most services.
  • Domain Name: The organization’s registered domain.
  • User ID (the sub claim of the ID token): An identifier assigned by Google that is meant to be unique and stable for each account.

Google recommends using the sub parameter as the unique authentication identifier. However, in practice, many services ignore this recommendation because the sub parameter can change for some users, causing authentication failures. Instead, companies often rely solely on email and domain verification, which is precisely where the vulnerability lies.


The Exploit: Taking Over Abandoned Domains

When a company shuts down and abandons its domain, it becomes available for anyone to register. An attacker can purchase the expired domain and create new email addresses under it—giving them the ability to exploit corporate accounts that still rely on Google OAuth for authentication.

Step-by-Step Attack Process:

  1. Purchase an abandoned company domain.
  2. Create an email address under the domain (e.g., john.doe@oldcompany.com).
  3. Use “Sign in with Google” on corporate services previously used by the company.
  4. Gain unauthorized access to data, employee records, internal communications, and HR platforms.

This method is alarmingly effective, as some services even display a list of legitimate users within an organization. With full control over the domain, an attacker can reconstruct an entire Google Workspace environment—posing a severe risk to confidential business data.


The Scope of the Threat: How Widespread is This Problem?

Dylan Ayrey, the cybersecurity researcher who uncovered this vulnerability, used Crunchbase data to identify over 100,000 defunct startups with expired domains available for purchase.

By testing the attack himself, Ayrey confirmed that he could successfully access corporate services such as Slack, Zoom, Notion, ChatGPT, and HR management systems using an abandoned domain.

Key Findings:

  • Approximately 50% of startups use Google Workspace.
  • The average startup has around 10 employees.
  • This could mean hundreds of thousands of users and millions of vulnerable accounts.

Google’s Response: A Security Oversight

Ayrey reported the vulnerability through Google’s bug bounty program, proposing a long-term fix: creating truly permanent and unique Google account identifiers.

Initially, Google rejected the report, classifying it as “fraud or abuse” with a “no fix needed” response. However, after Ayrey presented his findings at a cybersecurity conference, Google reopened the report and awarded him a minimal $1337 bounty—the same amount he received for a previous Google OAuth vulnerability related to phantom accounts.

Google has since acknowledged the issue and promised a fix, but no clear timeline or technical solution has been disclosed.

The fundamental problem remains: Google OAuth relies heavily on email domain verification, making it vulnerable to domain takeovers.


How Companies Can Protect Themselves

Organizations can take proactive steps to mitigate this risk, even if Google doesn’t immediately implement a fix.

1. Avoid Over-Reliance on Google OAuth

  • Use traditional username-password authentication instead of relying solely on Google sign-in.
  • Always enable two-factor authentication (2FA) to add an extra security layer.

2. Prevent Domain Takeovers After Business Closure

  • Do not abandon corporate service accounts. Instead, delete or deactivate them.
  • Remove old Google Workspace accounts and deactivate email addresses before shutting down operations.
  • Follow proper decommissioning procedures for corporate SaaS platforms.

3. Strengthen Authentication Protocols

  • Businesses should ensure that third-party services using Google OAuth verify identities beyond just the email and domain name.
  • Verify the ID token and key account lookups on its sub claim, as Google recommends, rather than on the email address and domain alone.
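The following is an added example, not code from the article, from Google, or from any of the services named above. It shows the account-resolution step that sits behind "Sign in with Google" in two forms: the email-keyed lookup that the "How Google OAuth Authentication Works" section describes as common practice, and the sub-keyed lookup that the recommendation above calls for. The claims dictionaries are constructed sample data in the shape of a Google ID token payload (sub, email, email_verified, hd); the Account and AccountStore types, the account IDs and the sub values are all invented for illustration. It assumes an OIDC library has already checked the token's signature, issuer, audience and expiry before the claims reach this code.

```python
"""Account resolution for "Sign in with Google" claims: email-keyed (vulnerable)
versus sub-keyed (hardened). Added example; not the article's or Google's code.
Assumed: the ID token's signature, iss, aud and exp were already verified."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str                    # hypothetical local user ID
    email: str                         # login email recorded when the account was created
    google_sub: Optional[str] = None   # Google's stable identifier, once linked


class AccountStore:
    """Tiny in-memory stand-in for an application's user table."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def add(self, account: Account) -> None:
        self._accounts[account.account_id] = account

    def find_by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self._accounts.values()
                     if a.email.lower() == email.lower()), None)

    def find_by_sub(self, sub: str) -> Optional[Account]:
        return next((a for a in self._accounts.values()
                     if a.google_sub == sub), None)


def resolve_by_email(store: AccountStore, claims: dict) -> Optional[Account]:
    """Vulnerable pattern: the email address *is* the identity.
    Anyone who later controls the domain can mint the same address again."""
    if not claims.get("email_verified"):
        return None
    return store.find_by_email(claims.get("email", ""))


def resolve_by_sub(store: AccountStore, claims: dict) -> tuple[str, Optional[Account]]:
    """Hardened pattern: sub is the identity; email only bootstraps the first link.
    Returns (status, account) with status 'ok', 'linked' or 'denied'."""
    sub, email = claims.get("sub"), claims.get("email", "")
    if not sub or not claims.get("email_verified"):
        return ("denied", None)

    # 1. A previously linked Google identity wins, whatever its current email is.
    acct = store.find_by_sub(sub)
    if acct is not None:
        return ("ok", acct)

    # 2. No link yet: trust an email match only if the account has never been
    #    linked to a different Google identity (first-login bootstrap).
    acct = store.find_by_email(email)
    if acct is None:
        return ("denied", None)   # unknown user; provisioning is a separate, explicit step
    if acct.google_sub is not None:
        # Same address, different Google identity: what a re-registered domain produces.
        return ("denied", None)
    acct.google_sub = sub
    return ("linked", acct)


def demo() -> dict:
    """Replays the scenario from the article with constructed claims."""
    store = AccountStore()
    store.add(Account("acct-42", "john.doe@oldcompany.example",
                      google_sub="100000000000000000001"))   # constructed sub
    legit = {"sub": "100000000000000000001", "email": "john.doe@oldcompany.example",
             "email_verified": True, "hd": "oldcompany.example"}
    # The same mailbox recreated in a new Workspace on the re-registered domain:
    # Google issues a fresh sub for that new account.
    takeover = {"sub": "200000000000000000002", "email": "john.doe@oldcompany.example",
                "email_verified": True, "hd": "oldcompany.example"}
    return {
        "email_legit": resolve_by_email(store, legit) is not None,
        "email_takeover": resolve_by_email(store, takeover) is not None,   # True: the flaw
        "sub_legit": resolve_by_sub(store, legit)[0],
        "sub_takeover": resolve_by_sub(store, takeover)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: when a sub is unknown and the email already belongs to an account linked to a different sub, the hardened resolver denies rather than falling back to the email match. That is the case the article describes, so the fallback cannot be allowed. It also means that if a user's sub ever does change (the failure mode the article cites as the reason services avoid sub), the user is locked out until an administrator re-links the account explicitly, which is the safer failure.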

Conclusion: A Fix is Needed—But Companies Must Act Now

The Google OAuth vulnerability related to abandoned domains presents a significant security risk, particularly for organizations that shut down without properly deactivating accounts.

While Google has acknowledged the problem, the lack of a definitive solution means businesses must take responsibility for their own security.

By implementing stronger authentication methods, maintaining control over corporate accounts, and ensuring proper offboarding practices, organizations can protect themselves from domain-based cyberattacks.

Until Google rolls out a permanent fix, businesses cannot afford to rely on OAuth alone.
