A newly disclosed Google OAuth vulnerability allows former employees to retain access to corporate resources like Slack and Zoom, even after suspending their corporate Google accounts. Here’s what it means for your SaaS security posture and how Nudge Security can help.
It’s a well-known work email hack: add “+string” to your work email address (e.g., alice+testing@example.com) and you can easily filter any unwanted marketing emails or create multiple different signups for a single app using your work email address.
However, this same trick can be used to create an entirely new Google account—one that looks like a corporate email address and forwards messages to it, but isn’t actually managed or even visible within your corporate Google organization.
This creates a big problem when it comes to offboarding employees. If a given “shadow Google account” were used to sign up for corporate SaaS accounts like Slack or Zoom using Google OAuth (i.e., “Sign in with Google”), that access could persist even after suspending the employee’s corporate Google account. Effectively, there’s no way for a Google administrator to see or suspend the shadow Google account from their admin console. This could leave a back door for unauthorized access by a former employee or threat actor by compromising the shadow account.
That’s the TL;DR of a Google OAuth vulnerability publicly disclosed by Truffle Security Co on Saturday, December 16, 2023.
While I won’t re-hash all of the details from Truffle Security’s excellent blog post (def. read it), it’s important to understand how this vulnerability could impact your SaaS security posture, which of your SaaS providers may have been affected, including Nudge Security, and how you can use Nudge Security to detect and respond to activities related to this vulnerability.
This vulnerability relates to how SaaS providers implement Google OAuth, which isn’t exactly obvious or intuitive. Buried in Google’s OIDC documentation, it advises against using a user’s email address as the primary identity for a user record in your SaaS application and using the HD claim instead.
However, many SaaS providers do this, including Slack and Zoom, as the Truffle Security blog post notes. The challenge for organizations is that there’s no obvious, apparent way to know which of their SaaS vendors may be impacted by this vulnerability—other than by reaching out to each SaaS provider directly.
Yes. Our implementation of OIDC follows the same pattern as the many other SaaS providers affected by this vulnerability. Today, we released an update to safeguard against this vulnerability. Nudge Security now validates the HD claim (host domain) as part of the account creation process.
It’s good to know that by default, Nudge Security uses a “request access” provisioning process for platform users, which the vast majority of our customers use. With this method, your Nudge Security administrator must first review and approve the access request to Nudge Security.
Following the disclosure of this vulnerability, we proactively investigated our customer environments and have found no evidence of accounts being created using this technique, apart from known testing accounts.
While no exploits of this vulnerability have been reported to date, the potential for exploit extends to unauthorized access, data exfiltration, and even full account takeover attacks. Consider a scenario wherein an employee creates a “shadow Google account” to sign up for a business SaaS application with administrative privileges. That shadow Google account, which is not protected or monitored by the organization’s security program, is later compromised, giving the threat actor full access the SaaS application and its data.
This vulnerability underscores the major shift that’s taken place in modern cybersecurity. Given that most organizations use hundreds of SaaS applications, many of which are administered by business users outside of IT, it’s a growing challenge for IT security teams to maintain visibility and control of who (and what) has access to corporate data and how. Organizations need visibility of SaaS identities and activities beyond (and in addition to) their centralized cloud identity provider or SSO solution.
So, how do you begin to address this vulnerability?
According to the Truffle Security post, “all you have to do is disable login with Google, and strictly enforce SAML. This actually works for most service providers, however some don’t offer this option, and you may also have some internally developed applications that are impacted and don’t support SAML.”
Unfortunately, this path isn’t practical for most organizations. As noted, it doesn’t fully address all SaaS applications that might be in use across the organization, as SAML support varies by SaaS provider.
Here’s how you can detect the creation of shadow Google accounts from the Google admin console. Note: You may need an enterprise license to access the Security Center.
Nudge Security also detects the creation of shadow Google accounts through our patented SaaS discovery method. Whenever a new Google account is created using the method described above (e.g., alice+testing@example.com), the email verification is sent to the primary email address.
Nudge Security discovers these email events as part of our powerful email analysis, so you can discover these activities, in the past and as they occur.
To review shadow Google accounts in Nudge Security, navigate to the Apps dashboard. Find your Google Workspace application. Navigate to Resources, and filter by Account Alias. Here, you’ll see a list of all the shadow Google accounts created using your domain.
Update: Tuesday, December 19, 2023
We recently enabled a new default notification rule to alert on these types of events. Current and new customers will start receiving alerts immediately with no action required.
We’ll continue to update this blog as we learn more, and we’ll share additional updates via X and LinkedIn.
If you’re not yet a Nudge Security customer, you can start a free 14-day trial and review your organization’s shadow Google accounts right away. Our trial will also allow you to see every cloud and SaaS asset created by your workforce and review all OAuth grants and scopes between apps.
