Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.
I still can’t comprehend how Google used just the mail address or domain for their SSO
I would have expected something like a hash over mail address and password + salt or something, so a new registrar would have a different hash
Just using the date of registration in the hash would have mitigated this stuff - or am I missing something?
Usually the flaw is on the service provider side when using only the email address for SSO. Typically the IdP will provide a sub claim which is unique to the account and independent of email.
I see the article mentions this sub as being an unreliable claim value. I can’t dispute that experience, but I have not observed it personally, though my experience is on a much smaller system.
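The service-provider-side distinction this reply draws, as an added example that is not part of the thread or of Google's code: a toy account store that links a login either by email alone or by the IdP's (issuer, sub) pair, fed with two constructed claim sets that share an address but not a subject.

```python
"""Linking an OIDC login to a local account: email-keyed vs. subject-keyed.
Added example, not from the thread or Google; the claim sets are constructed
and stand in for already-verified, decoded ID tokens (`iss`, `sub`, `email`
are standard OIDC claim names)."""
from dataclasses import dataclass, field

# Constructed claims: same address, two different Google accounts, as happens
# when a defunct startup's domain is re-registered and the mailbox re-created.
ORIGINAL_EMPLOYEE = {"iss": "https://accounts.google.com", "sub": "100000000000000000001",
                     "email": "alice@example-startup.test"}
NEW_DOMAIN_OWNER = {"iss": "https://accounts.google.com", "sub": "100000000000000000002",
                    "email": "alice@example-startup.test"}


@dataclass
class AccountStore:
    by_email: dict = field(default_factory=dict)       # weak key: email only
    by_issuer_sub: dict = field(default_factory=dict)  # strong key: (iss, sub)
    next_id: int = 1

    def _new_account(self, email):
        acct = {"id": self.next_id, "email": email}
        self.next_id += 1
        return acct

    def login_by_email(self, claims):
        """Service-provider flaw from the thread: the account is keyed on the
        address alone, so whoever later controls the address gets the account."""
        email = claims["email"].lower()
        if email not in self.by_email:
            self.by_email[email] = self._new_account(email)
        return self.by_email[email]

    def login_by_sub(self, claims):
        """Key on the IdP's stable subject identifier, scoped by issuer: a new
        Google account with the same email is a new (iss, sub) and gets a
        fresh local account rather than the original employee's."""
        key = (claims["iss"], claims["sub"])
        if key not in self.by_issuer_sub:
            self.by_issuer_sub[key] = self._new_account(claims["email"].lower())
        return self.by_issuer_sub[key]


def accounts_collide(login):
    """True if the two constructed logins resolve to the same local account."""
    store = AccountStore()
    return login(store, ORIGINAL_EMPLOYEE)["id"] == login(store, NEW_DOMAIN_OWNER)["id"]
```

Whether `sub` is stable enough in practice to be the only key is exactly the point the reply leaves open; the example only shows what changes when it is used instead of the address.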