Full Report
Improperly winding down a Google Apps domain can leave logins accessible.
Analysis Summary
# Vulnerability: Compromise of Services via Reclaimed Google Workspace Domains
## CVE Details
- CVE ID: Not explicitly mentioned in the article. This appears to be a configuration/process flaw rather than a software bug patched via a specific CVE.
- CVSS Score: Not calculable as no specific CVE or formal severity rating is provided. **High Risk** based on implication of unauthorized access to business systems.
- CWE: CWE-305 (Improper Cleanup of Resources), CWE-276 (Improper Control of Resource Lifetime)
## Affected Systems
- Products: Google Workspace (formerly Google Apps), and any third-party SaaS applications (e.g., Slack, ChatGPT, Zoom, HR systems) that use the organization's Google domain accounts for OAuth authentication ("Sign in with Google").
- Versions: Any configuration where a Google Workspace domain is canceled/allowed to expire without explicitly deleting all associated user accounts *and* where those accounts were used to authenticate to third-party services.
- Configurations: Startups or organizations that fail to completely shut down their Google Workspace accounts following business closure, allowing the domain to lapse or be purchased by a new entity.
## Vulnerability Description
When a startup or organization using Google Workspace ceases operations, they often fail to properly delete all associated user accounts before letting the domain expire or abandoning the service. Google's documentation suggests that canceling the Workspace subscription "doesn't remove user accounts," which remain active until the organization's primary Google account is deleted.
If the domain is acquired by a new entity, that new owner can reactivate the defunct Google account structure associated with that domain. This allows the new owner to gain administrative control over dormant legacy Google accounts that may still be linked via OAuth to various third-party services (like Slack, Zoom, etc.) used by the original employees. The attacker, now controlling these legacy identities, can use "Sign in with Google" on these third-party platforms to gain unauthorized access to sensitive data stored within those external services (e.g., tax documents, DMs, job interview details).
## Exploitation
- Status: Proof of Concept (PoC) demonstrated by researcher Dylan Ayrey, who successfully purchased a defunct domain and accessed associated third-party accounts. **Exploited in the wild** via domain acquisition post-failure.
- Complexity: Low (Requires ownership of the expired domain name).
- Attack Vector: Network (Relies on domain ownership and pre-existing OAuth trust relationships).
## Impact
- Confidentiality: High (Access to internal documents, DMs, and sensitive data on linked third-party platforms).
- Integrity: Medium (Ability to modify or delete data on linked third-party platforms).
- Availability: Low (Primary impact is data exposure, not service denial, though integrity compromise could lead to availability loss).
## Remediation
### Patches
- No specific software patch available, as this is a process/configuration failure. The onus is on the terminating organization, with cooperation needed from Google and third-party vendors.
### Workarounds
1. **Terminating Organizations:** Must follow Google's official procedure for canceling a domain-verified subscription, ensuring that **all user accounts are explicitly deleted** before the domain is abandoned. (Google refers to instructions found here: `support.google.com/a/answer/1257646`)
2. **Terminating Organizations (Account Deletion):** Ensure the overarching Google account associated with the organization is fully deleted, as canceling the subscription alone leaves user accounts active. (See Google documentation: `support.google.com/a/answer/9468554`)
3. **Third-Party Applications:** Vendors are encouraged to mitigate risk by keying account linking on the unique, immutable account identifier Google issues (the OIDC `sub` claim) instead of relying solely on the domain email address, which a new domain owner can re-create.
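To make the third-party mitigation concrete, the following is an added example (not code from Truffle Security or Google) of the weak email-keyed account lookup beside the hardened `sub`-keyed one. It assumes the ID token's signature has already been verified by a library such as google-auth; the claim dictionaries, directory entries and subject ids are constructed for illustration.

```python
# Added example: "Sign in with Google" account linking keyed on the stable
# `sub` claim rather than the reusable email/domain. Assumes token signature
# verification is done elsewhere; all values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    email: str
    google_sub: Optional[str] = None


@dataclass
class Directory:
    by_email: Dict[str, User] = field(default_factory=dict)
    by_sub: Dict[str, User] = field(default_factory=dict)

    def add(self, user: User) -> None:
        self.by_email[user.email.lower()] = user
        if user.google_sub:
            self.by_sub[user.google_sub] = user


def link_by_email(directory: Directory, claims: dict) -> Optional[User]:
    """Weak pattern: trust email (+ hd). A reclaimed domain can mint a fresh
    Google account with the same address, so this resolves to the old employee."""
    if not claims.get("email_verified"):
        return None
    return directory.by_email.get(claims["email"].lower())


def link_by_sub(directory: Directory, claims: dict) -> Optional[User]:
    """Hardened pattern: match on Google's immutable subject id. An account
    created after the domain changes hands carries a different `sub`, so it
    cannot inherit the original user's record."""
    if not claims.get("email_verified"):
        return None
    return directory.by_sub.get(claims["sub"])


# Constructed directory: one legacy employee record from a defunct startup.
DIRECTORY = Directory()
DIRECTORY.add(User("u-1001", "alice@example-startup.test", google_sub="sub-old-1075"))

# Constructed claim sets: the original login, and a login from a Google
# account re-created under the reclaimed domain (same email, new subject).
ORIGINAL_CLAIMS = {"sub": "sub-old-1075", "email": "alice@example-startup.test",
                   "email_verified": True, "hd": "example-startup.test"}
RECLAIMED_CLAIMS = {"sub": "sub-new-1180", "email": "alice@example-startup.test",
                    "email_verified": True, "hd": "example-startup.test"}
```

Legacy records that predate storing `sub` should be treated as unlinked and re-verified out of band rather than falling back to the email match.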
## Detection
- Indicators of Compromise: New, unexpected administrative activity originating from previously defunct Google Workspace email addresses on linked third-party services.
- Detection Methods and Tools: Organizations should audit integrated third-party applications for any active user accounts linked to domains that have been recently deregistered or sold. Monitoring for login attempts from formerly associated but unauthorized identities is crucial.
## References
- Vendor Advisory: Google Spokesperson provided comment referencing best practices for domain cancellation: `support.google.com/a/answer/1257646`
- Research/Report: Truffle Security Co. report detailing the flaw: `trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw`
- News Source: Ars Technica reporting on the "Startup Necromancy" issue.