Comment by grumple

Comment by grumple 3 days ago

0 replies

I mean, I see why it happens. It's because the client uses the email as the identifier for login - it is the only shared identifier between Google and Slack (or whatever service) to connect accounts. Sure, you could argue that maybe this is ok for the initial login, but the client app should record the sub...

Note that for regular logins without OAuth, you still have this vulnerability - if you gain control of me@company.com, you can log in to any site that uses that for login. This is a fundamental weakness in the way we handle domain registration and email addresses.
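The point the comment makes, shown as an added example that is not part of the comment: an account store that selects the local account by e-mail alone, beside one that records the (iss, sub) pair on first login and refuses to silently merge a later login that presents the same e-mail under a different identity. The claim dicts and issuer URLs are constructed stand-ins for already signature-verified ID tokens.

```python
"""Account linking keyed on the OIDC `sub` claim instead of the e-mail address."""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    email: str
    federated_ids: set = field(default_factory=set)  # {(iss, sub), ...}


class EmailKeyedStore:
    """Vulnerable pattern: any token carrying this e-mail selects the account."""

    def __init__(self):
        self.by_email = {}

    def login(self, claims):
        acct = self.by_email.get(claims["email"])
        if acct is None:
            acct = Account(len(self.by_email) + 1, claims["email"])
            self.by_email[claims["email"]] = acct
        return acct.account_id


class SubKeyedStore:
    """Hardened pattern: e-mail bootstraps the account once; (iss, sub) is the key after that."""

    def __init__(self):
        self.by_email = {}
        self.by_federated_id = {}

    def login(self, claims):
        key = (claims["iss"], claims["sub"])
        acct = self.by_federated_id.get(key)
        if acct is not None:
            return acct.account_id  # known identity; stable even if the e-mail changes
        if claims["email"] in self.by_email:
            # Same e-mail, unknown (iss, sub): never merge silently, require explicit linking.
            raise PermissionError("identity not linked to this account; re-verify before linking")
        acct = Account(len(self.by_email) + 1, claims["email"], {key})
        self.by_email[claims["email"]] = acct
        self.by_federated_id[key] = acct
        return acct.account_id


# Constructed sample claims: the legitimate user, then a different identity
# (another issuer, another sub) asserting the same address.
LEGIT = {"iss": "https://idp-a.example.test", "sub": "1001", "email": "me@company.com"}
OTHER = {"iss": "https://idp-b.example.test", "sub": "zz9", "email": "me@company.com"}


def demo():
    """Returns (ids the vulnerable store hands out, first hardened id, whether OTHER got merged)."""
    v, h = EmailKeyedStore(), SubKeyedStore()
    vulnerable = (v.login(LEGIT), v.login(OTHER))  # both resolve to account 1
    first = h.login(LEGIT)
    try:
        h.login(OTHER)
        merged = True
    except PermissionError:
        merged = False
    return vulnerable, first, merged
```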