Taking Over Millions of Accounts from Abandoned Startups

Dylan Ayrey

ShmooCon XX (Final) · Day 2 · Bring It On

This talk, presented by Dylan Ayrey at ShmooCon, exposes a critical vulnerability in the widespread "Login with Google" **OAuth** integration pattern that allows attackers to take over millions of user accounts associated with defunct startups. Ayrey demonstrates how, by acquiring the expired domain of a failed company and standing up a new Google Workspace on it, an attacker can recreate former employees' email addresses and gain unauthorized access to their accounts on third-party services that relied on Google for authentication. The core issue is how service providers identify users from the claims in Google's ID tokens: the email address and hosted-domain (`hd`) claims are reissued to whoever controls the domain, so matching accounts on them rather than on a stable per-user identifier is insufficient once the domain changes hands.
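The failure mode above, as an added example that is not code from the talk or from this page: a toy relying-party account store in Python that can be keyed either on the email claim or on the issuer-plus-subject pair. The claim names (`iss`, `sub`, `email`, `email_verified`, `hd`) mirror those in a Google ID token, but every value is constructed for the demo, and the "hardened" lookup assumes, as the OpenID Connect specification requires, that `sub` is a stable identifier for one user at one issuer. The domain-takeover step itself (registering the lapsed domain, creating a Workspace, minting a new user with the old address) is simulated by a second set of claims.

```python
from typing import Callable, Dict, Hashable, Optional

# Constructed sample claims (not real tokens). Only the claim names follow
# Google's ID token format; the identifiers, addresses and domain are made up.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "sub": "110000000000000000001",          # made-up per-user subject id
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}

# After the startup folds and the domain lapses, a new owner registers it,
# creates a Workspace on it and adds a user with the same address. The
# identity provider issues a fresh subject id for that new user.
ATTACKER_AFTER_TAKEOVER = {
    "iss": "https://accounts.google.com",
    "sub": "110000000000000000999",          # different person, same address
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}


class RelyingParty:
    """Minimal SaaS account store keyed on whatever the key function derives from the claims."""

    def __init__(self, key_fn: Callable[[Dict], Hashable]) -> None:
        self.key_fn = key_fn
        self.accounts: Dict[Hashable, Dict] = {}

    def sign_up(self, claims: Dict, profile: Dict) -> None:
        self.accounts[self.key_fn(claims)] = profile

    def login(self, claims: Dict) -> Optional[Dict]:
        # Returns the stored profile if the presented token maps to an existing account.
        return self.accounts.get(self.key_fn(claims))


def key_by_email(claims: Dict) -> Hashable:
    """Vulnerable lookup: the address outlives the organisation that owned the domain."""
    if not claims.get("email_verified"):
        raise ValueError("refusing unverified email claim")
    return claims["email"].lower()


def key_by_email_and_hd(claims: Dict) -> Hashable:
    """Still vulnerable: the new Workspace on the old domain presents the same hd value."""
    if not claims.get("email_verified"):
        raise ValueError("refusing unverified email claim")
    return (claims["hd"].lower(), claims["email"].lower())


def key_by_subject(claims: Dict) -> Hashable:
    """Hardened lookup: issuer plus subject, the pair OIDC defines as the user's identity."""
    return (claims["iss"], claims["sub"])


def run_scenario(key_fn: Callable[[Dict], Hashable]) -> Optional[Dict]:
    """Sign up the original employee, then try to log in with the post-takeover claims."""
    rp = RelyingParty(key_fn)
    rp.sign_up(ORIGINAL_EMPLOYEE, {"name": "Alice", "hr_docs": ["W-2 (sample)"]})
    return rp.login(ATTACKER_AFTER_TAKEOVER)


if __name__ == "__main__":
    for name, fn in [("email", key_by_email),
                     ("email+hd", key_by_email_and_hd),
                     ("iss+sub", key_by_subject)]:
        result = run_scenario(fn)
        print(f"{name:9s}: {'account takeover' if result else 'no match'}")
```

A real relying party also verifies the token signature, `aud`, `exp` and `iss` before reading any claim; that is omitted here because the point is which claim the account lookup is keyed on, not token validation.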

AI review

This talk exposes a critical and widespread vulnerability stemming from Google OAuth's reliance on unstable identifiers combined with the lifecycle of defunct startup domains. The speaker, Dylan Ayrey, meticulously demonstrated how an attacker can acquire abandoned startup domains, register a new Google Workspace, and then leverage existing "Login with Google" integrations to take over millions of employee accounts, including access to sensitive HR data like W2s and Social Security numbers. The research is original, impactful, and highlights a significant unpatched issue that Google…
