
193 points todsacerdoti | 1 comments
nottorp No.41085277
So if you own example.com and use bigboss@example.com as the login to greatonlinegame.com ...

Someone can register example.com with Google Workspace and then they can use "login with Google" to log in to your bigboss@example.com account at greatonlinegame.com, even though your account did not use "login with Google".

Did I get it right?

And if I did, I wonder...

Why aren't these logins separate on greatonlinegame.com? If I did it, I'd allow a login only by the method that was used to create the account, unless the user configures it otherwise.

1. shreddit No.41088500
Take Supabase for example. If you allow multiple OAuth providers, accounts get automatically linked if they use the same email address. That's been bugging me since day one…
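
An added example, not part of the thread and not code from any product named in it: the two behaviours discussed above side by side, automatic linking by email address versus resolving a login only by the provider identity that was bound to the account. `AccountStore`, its method names and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

class LinkRequired(Exception):
    """Email already belongs to an account created with another login method."""

@dataclass
class Account:
    email: str
    identities: set = field(default_factory=set)  # {(provider, subject)}

class AccountStore:  # hypothetical store, in-memory for the example
    def __init__(self):
        self.by_email = {}
        self.by_identity = {}

    def _bind(self, acct, provider, subject):
        acct.identities.add((provider, subject))
        self.by_identity[(provider, subject)] = acct
        return acct

    def register(self, email, provider, subject):
        acct = self.by_email[email] = Account(email)
        return self._bind(acct, provider, subject)

    def login_autolink(self, email, provider, subject):
        # Weak: any provider that asserts this email is attached to the account.
        acct = self.by_email.get(email)
        if acct is None:
            return self.register(email, provider, subject)
        return self._bind(acct, provider, subject)

    def login_strict(self, email, provider, subject):
        # Resolve by (provider, subject); a matching email alone grants nothing.
        acct = self.by_identity.get((provider, subject))
        if acct is not None:
            return acct
        if email in self.by_email:
            raise LinkRequired(email)
        return self.register(email, provider, subject)

    def link(self, session_account, provider, subject):
        # Opt-in linking, called only from an already authenticated session.
        return self._bind(session_account, provider, subject)

if __name__ == "__main__":
    store = AccountStore()  # constructed sample data below
    owner = store.register("bigboss@example.com", "password", "bigboss")
    try:
        store.login_strict("bigboss@example.com", "google", "sub-constructed-1")
    except LinkRequired as exc:
        print("refused, explicit linking required for", exc)
```

With `login_strict`, a second login method reaches an existing account only after the owner calls `link` from a session authenticated by the original method.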