high

Google OAuth Vulnerability Allows Indefinite Access

Published Fri, Dec 15th, 2023
Platforms

Summary

A vulnerability in Google OAuth allows employees to retain indefinite access to applications like Slack and Zoom after being removed from their company's Google organization. The issue stems from the ability to create Google accounts using corporate email aliases, which can't be off-boarded by the organization. This bypasses typical account removal processes and poses a significant security risk.

Affected Services

OAuth, Slack, Zoom

Remediation

Organizations should disable login with Google and strictly enforce SAML authentication. Service providers should establish organization membership from the HD (hosted domain) claim rather than from the email address, and should implement invite-only or LDAP-group-only account provisioning.
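The following is an added illustration, not code from the entry or from the affected vendors: it contrasts the email-suffix check that this issue abuses with the hosted-domain check the remediation calls for. It assumes the ID token's signature and audience were already verified upstream, and the domain and sample claims are constructed.

```python
# Added example (not from the original entry): authorization decision for a
# Google sign-in. `claims` is the payload of a Google ID token whose
# signature and audience were ALREADY verified upstream; only the tenant
# membership decision is shown here.

CORP_DOMAIN = "example.com"  # hypothetical Workspace domain


def weak_check(claims: dict, domain: str = CORP_DOMAIN) -> bool:
    """Vulnerable pattern: trusts the email suffix. A consumer Google
    account created with a corporate alias carries this suffix but is not
    managed by (and cannot be off-boarded from) the Workspace tenant."""
    return claims.get("email", "").lower().endswith("@" + domain)


def hardened_check(claims: dict, domain: str = CORP_DOMAIN,
                   invited: frozenset = frozenset()) -> bool:
    """Remediated pattern: require the `hd` (hosted domain) claim, which
    Google sets only for accounts managed by that Workspace tenant, plus a
    verified email, plus optional invite-only provisioning (when `invited`
    is non-empty the address must already be on that list)."""
    if not claims.get("email_verified", False):
        return False
    if claims.get("hd", "").lower() != domain:
        return False
    if invited and claims.get("email", "").lower() not in invited:
        return False
    return True


# Constructed sample token payloads (not real data).
MANAGED = {"sub": "1", "email": "alice@example.com",
           "email_verified": True, "hd": "example.com"}
ALIAS_CONSUMER = {"sub": "2", "email": "alice@example.com",
                  "email_verified": True}  # no hd: not a tenant account

if __name__ == "__main__":
    for name, c in (("managed", MANAGED), ("alias", ALIAS_CONSUMER)):
        print(f"{name}: weak={weak_check(c)} hardened={hardened_check(c)}")
```

The alias account passes the suffix check but fails the hosted-domain check, which is exactly the gap the remediation closes.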

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Fri, Aug 4th, 2023
Exploitability Period
Until 2023/12/15
Known ITW Exploitation
-
Detection Methods
Organizations can audit their Google organization settings and check for any non-Gmail Google accounts using corporate email addresses. Service providers can review their OAuth implementation to ensure they're not relying solely on the email claim for authentication.
Piercing Index Rating
-
Discovered by
Dylan Ayrey, Truffle Security Co.