Comment by paxys

Comment by paxys 4 days ago

9 replies

View on Hacker News

It's crazy just how little effort it takes to get a "Google = bad" article to the top of HN.

There is no vulnerability in Google OAuth. This is exactly how every OAuth server is supposed to work. If you take over a domain, you automatically own every email address in that domain, and thus whatever external account relies on that email for login. Heck the result would be the same even if that service didn't use Google OAuth, or any OAuth at all.

Nothing in that write-up makes sense.

jeroenhd 3 days ago

> If you take over a domain, you automatically own every email address in that domain, and thus whatever external account relies on that email for login

Actually, if both sides implement OIDC+OAuth2 correctly, you don't. The subject claim (`sub`) of the attached Google account doesn't get reused when a new owner re-registers the domain with Google.

The article claims that the supposedly immutable `sub` field changes too often, though, and that would be a problem Google needs to fix. The source is an unnamed developer mentioned at https://youtu.be/yIutY_X2FcU?t=20617 who encounters issues with custom domain users, with the `sub` field changing weekly in some cases.

Sure, you can create new accounts when you take over a domain and even fake all the old accounts if you have a list somewhere, but you shouldn't be able to access all of the accounts authenticated with OIDC unless you break into the Google Workspace account.

Reply View 0 replies
walrus01 4 days ago

Yes, this about sums it up. If you take over a domain, you control its registrar records for what its authoritative nameservers are, so of course you can set it to your own custom nameservers and then define whatever MX you want to receive incoming mail flow. You don't even have to go to any effort of configuring working outbound mail. You just need to put up a very minimal zonefile with the MX defined, basic postfix email server with a catchall configuration and then receive any incoming emails for *@domain.com.

Reply View 0 replies
chis 4 days ago

Is this really just google=bad, though? I work at a startup and this seems like a legit security risk that I'm happy to learn about.

It seems like the only mitigation would be to let your HR SAAS know when your company shutters and ask them to delete the records. Or just squat the domain yourself as an ex-employee.

Reply View 2 replies
  • paxys 4 days ago

    Yes it is, otherwise the title would be "don't use your email address to log in to any application" and it wouldn't be ragebait enough. The whole issue has nothing to do with OAuth and nothing to do with Google.

    Reply View 0 replies
  • stevage 3 days ago

    Mast domains aren't that expensive. Can a startup just buy 10 years of peace of mind in its dying days?

    Reply View 0 replies
okdood64 4 days ago

It's crazy that they do that only because "Google search bad now" or "Youtube bad now".

Reply View 0 replies
dml2135 4 days ago

I think part of the issue is that this is where the abstraction that we call "account ownership" starts to leak.

You may correctly have access to an account through this scenario, but that does not make it your account. This becomes obviously when we consider an account at a bank, for example.

Reply View 0 replies
bitpush 4 days ago

The staying power of a Google = bad article on HN top page is insane.

Reply View 1 reply
  • lysace 4 days ago

    And the opposite: The half-life of an Apple = bad article on HN is insane in the other direction.

    Reply View 0 replies