193 points todsacerdoti | 9 comments
1. nottorp No.41085277
So if you own example.com and use bigboss@example.com as log in to greatonlinegame.com ...

Someone can register example.com with google workspace and then they can use "login with google" to log in to your bigboss@example.com account at greatonlinegame.com, even though your account did not use "login with google".

Did I get it right?

And if I did, I wonder...

Why aren't these logins separate on greatonlinegame.com? If I did it, I'd allow a login only by the method that was used to create the account, unless the user configures it otherwise.

replies(3): >>41086865 #>>41087234 #>>41088500 #
2. haakon No.41086865
Your understanding is correct. It happened to me; someone made a Workspace for a domain name I own, and made a user on that workspace to match an email address I have on that domain, and then used "Sign in with Google" on Dropbox. Luckily I don't use Dropbox, so instead of gaining access to my files there, it just resulted in a new Dropbox account being created.

I noticed all this, of course, because I got email notifications for all of it.

3. swid No.41087234
According to spec, when someone uses OAuth to try and log into an existing account for the first time, you must require the user to log in through their normal method and then prompt them to link the login account.

However, the identity provider cannot force you to do that, and there are many examples of apps which do not follow this part of the spec.

replies(1): >>41087973 #
4. tnzk No.41087973
Curious, which part in RFC 6749 do you refer to or other ones?
replies(1): >>41088333 #
5. swid No.41088333
I could have sworn I have seen this in the past, but I am not sure exactly where. Thinking about it; it probably would have been part of OIDC and not directly addressed by OAuth... maybe someone can find it for me, or maybe I misspoke when I said it was part of the spec.
replies(1): >>41088482 #
6. hirsin No.41088482
I could believe that being in 2.1 as a BCP, but if it's not, it's a good idea to add it.
replies(2): >>41091204 #>>41092112 #
7. shreddit No.41088500
Take Supabase for example. If you allow multiple OAuth providers, accounts get automatically linked if they use the same email address. That's been bugging me since day one…
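The two linking policies argued over in this thread (swid's "re-authenticate through the normal method, then link" versus the email-based auto-linking shreddit describes), side by side as an added illustration. This is my own example code, not from any commenter, Dropbox, Google or Supabase; the account store, the `IdToken` fields, the user names and the addresses are all constructed, and signature, audience and nonce validation of the token is assumed to have happened before these functions are called.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed example: an in-memory account store that models both linking
# policies. Every name, user and token below is made up for the illustration.


@dataclass
class User:
    user_id: int
    email: str
    password_hash: Optional[bytes] = None            # set for password accounts
    federated_ids: Set[Tuple[str, str]] = field(default_factory=set)  # {(issuer, sub)}


@dataclass
class IdToken:
    """Claims of an OIDC ID token; cryptographic validation is assumed done upstream."""
    issuer: str
    sub: str
    email: str
    email_verified: bool


def hash_password(password: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    def __init__(self) -> None:
        self.by_email: Dict[str, User] = {}
        self.by_federated: Dict[Tuple[str, str], User] = {}
        self._next_id = 1

    def register_password_user(self, email: str, password: str) -> User:
        user = User(self._next_id, email, password_hash=hash_password(password))
        self._next_id += 1
        self.by_email[email] = user
        return user

    def _link(self, user: User, token: IdToken) -> None:
        key = (token.issuer, token.sub)
        user.federated_ids.add(key)
        self.by_federated[key] = user

    def _create_federated_user(self, token: IdToken) -> User:
        user = User(self._next_id, token.email)
        self._next_id += 1
        self.by_email[token.email] = user
        self._link(user, token)
        return user

    # Policy A: the behaviour the thread complains about. Any assertion whose
    # email matches an existing account is treated as that account, so an IdP
    # that vouches for the address (the Workspace case above) gets in.
    def login_autolink(self, token: IdToken) -> User:
        user = self.by_email.get(token.email)
        if user is None:
            return self._create_federated_user(token)
        self._link(user, token)
        return user

    # Policy B: what swid and nottorp describe. Only the stable (issuer, sub)
    # pair identifies an account. A first-time IdP login whose email collides
    # with an existing account is not honoured; the caller must have the user
    # prove ownership through the account's existing method, then confirm_link().
    # Note that email_verified alone would not help here: in the thread's
    # scenario the IdP genuinely vouches for the address.
    def login_strict(self, token: IdToken) -> Tuple[str, Optional[User]]:
        user = self.by_federated.get((token.issuer, token.sub))
        if user is not None:
            return "ok", user
        if token.email in self.by_email:
            return "link_required", None
        if not token.email_verified:
            return "rejected", None
        return "ok", self._create_federated_user(token)

    def confirm_link(self, email: str, password: str, token: IdToken) -> Tuple[str, Optional[User]]:
        """Link the IdP identity only after the existing login method succeeds."""
        user = self.by_email.get(email)
        if user is None or user.password_hash is None:
            return "rejected", None
        if not check_password(password, user.password_hash):
            return "rejected", None
        self._link(user, token)
        return "ok", user
```

Under `login_strict`, a fresh `(issuer, sub)` that happens to carry an existing account's email yields `"link_required"` rather than a session; the link is only written by `confirm_link` after the existing credential checks out, which is the step swid says the IdP cannot enforce on the relying party's behalf.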
8. No.41091204
9. tnzk No.41092112
I've checked the 2.0 Security BCP, the 2.1 draft and OIDC, and none of them seemed to cover that. Perhaps it could be in ongoing discussion on the mailing list of 2.1? I only checked their GitHub issues and found nothing relevant.