193 points todsacerdoti | 1 comments
nottorp No.41085277
So if you own example.com and use bigboss@example.com as your login to greatonlinegame.com ...

Someone can register example.com with Google Workspace and then they can use "login with Google" to log in to your bigboss@example.com account at greatonlinegame.com, even though your account did not use "login with Google".

Did I get it right?

And if I did, I wonder...

Why aren't these logins separate on greatonlinegame.com? If I did it I'd allow a login only by the method that was used to create the account, unless the user configures it otherwise.

replies(3): >>41086865 >>41087234 >>41088500
swid No.41087234
According to spec, when someone uses OAuth to try and log into an existing account for the first time, you must require the user to log in through their normal method and then prompt them to link the login account.

However, the identity provider cannot force you to do that, and there are many examples of apps which do not follow this part of the spec.

replies(1): >>41087973
tnzk No.41087973
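The two comments above describe the same defensive rule from different angles: nottorp's "only the method the account was created with" and swid's "authenticate through the normal method, then link". The following is an added example, written for this thread and not code from Hacker News, Google, or any game site, of how a relying party can implement that rule. The `IdentityStore`, `Account` and `IdTokenClaims` types, the provider name `google`, and all identifiers such as `sub-squatter-0001` are constructed for illustration. The key design point is that the only join key trusted for an existing account is the provider's stable `sub`; an email match, even with `email_verified` set, only ever leads to a step-up-and-link prompt, because the thread's whole problem is that control of a domain (and therefore of the mailbox the IdP vouches for) can change hands.

```python
"""Decision logic for 'Login with <provider>' against an existing user base.

Added example for this thread; the types and sample data below are constructed
and do not represent any real identity provider's or site's implementation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ALLOW, REJECT, REQUIRE_LINK = "allow", "reject", "require_link"


@dataclass(frozen=True)
class IdTokenClaims:
    """Subset of OIDC ID-token claims that matter for this decision."""
    iss: str
    sub: str             # provider-scoped stable user id: the only safe join key
    email: str
    email_verified: bool


@dataclass
class Account:
    email: str
    salt: bytes = b""
    password_hash: bytes = b""                   # the account's "normal" login method
    linked: dict = field(default_factory=dict)   # provider name -> sub

    @classmethod
    def with_password(cls, email, password):
        salt = os.urandom(16)
        return cls(email, salt, _pbkdf2(password, salt))


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class IdentityStore:
    def __init__(self):
        self._by_email = {}          # lower-cased email -> Account
        self._by_provider_sub = {}   # (provider, sub) -> Account

    def add_account(self, account):
        self._by_email[account.email.lower()] = account
        for provider, sub in account.linked.items():
            self._by_provider_sub[(provider, sub)] = account
        return account

    def check_password(self, account, password):
        if not account.password_hash:
            return False
        return hmac.compare_digest(_pbkdf2(password, account.salt), account.password_hash)

    def federated_login(self, provider, claims):
        """Returns (decision, account). An email match is never proof of ownership."""
        # 1. Join on the stable subject id the provider asserts for this user.
        acct = self._by_provider_sub.get((provider, claims.sub))
        if acct is not None:
            return ALLOW, acct
        # 2. Email collides with an account that was not linked to this sub.
        #    email_verified only says the IdP vouches for the mailbox today; the domain
        #    may have been re-registered since, so step up through the existing method.
        acct = self._by_email.get(claims.email.lower())
        if acct is not None:
            if provider in acct.linked:
                return REJECT, acct          # provider already linked to a different sub
            return REQUIRE_LINK, acct
        # 3. Genuinely new user: create the account, but only from a verified email.
        if not claims.email_verified:
            return REJECT, None
        return ALLOW, self.add_account(Account(email=claims.email, linked={provider: claims.sub}))

    def link_provider(self, account, provider, claims, primary_auth_ok):
        """Completes the REQUIRE_LINK flow after the caller has run the step-up check."""
        if not primary_auth_ok or provider in account.linked:
            return False
        if claims.email.lower() != account.email.lower():
            return False
        account.linked[provider] = claims.sub
        self._by_provider_sub[(provider, claims.sub)] = account
        return True


def thread_scenario():
    """The situation from the thread, replayed with constructed identifiers."""
    store = IdentityStore()
    owner = store.add_account(Account.with_password("bigboss@example.com", "correct horse battery"))
    google = "https://accounts.google.com"
    # example.com is later registered in a Workspace tenant; the IdP mints a new sub for the mailbox.
    squatter = IdTokenClaims(google, "sub-squatter-0001", "bigboss@example.com", True)
    first, _ = store.federated_login("google", squatter)
    # The real owner links their own Google identity only after a password check.
    real = IdTokenClaims(google, "sub-owner-0042", "bigboss@example.com", True)
    linked = store.link_provider(owner, "google", real, store.check_password(owner, "correct horse battery"))
    second, _ = store.federated_login("google", real)
    third, _ = store.federated_login("google", squatter)
    return first, linked, second, third


if __name__ == "__main__":
    print(thread_scenario())   # ('require_link', True, 'allow', 'reject')
```

Before the owner has linked anything, the foreign assertion for the same email gets `require_link`, which the site should turn into a password (or other primary-method) prompt rather than a session; after the owner links, the account is keyed on their `sub`, and a different `sub` for the same email is rejected outright, which is nottorp's "only the configured method" policy.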
Curious, which part of RFC 6749 do you refer to, or other ones?
replies(1): >>41088333
swid No.41088333
I could have sworn I have seen this in the past, but I am not sure exactly where. Thinking about it, it probably would have been part of OIDC and not directly addressed by OAuth... maybe someone can find it for me, or maybe I misspoke when I said it was part of the spec.
replies(1): >>41088482
hirsin No.41088482
I could believe that being in 2.1 as a BCP, but if it's not it's a good idea to add it.
replies(2): >>41091204 >>41092112
1. No.41091204