Google OAuth is broken (sort of)

This post describes a weakness in Google's OAuth / OpenID Connect sign-in that lets former employees keep access to third-party applications such as Slack and Zoom after their account has been removed from the company's Google organization. The issue is easy to understand and easy to exploit, and at the time of writing Google had not mitigated it. The author gives a disclosure timeline, points out that Google's own OIDC documentation warns against using the email address as a user identifier, and explains how a non-Gmail Google account can be created for an ordinary (non-Google) email address and will then present that address in the email claim to any relying party. The post closes with the implications and with suggested remediations for organizations, for service providers that accept Google sign-in, and for Google itself, and urges readers to press Google to fix the underlying behaviour.
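The core relying-party mistake the post points at is matching a Google ID token to a local account by its email claim. The following is an added illustration, not code from the Truffle Security post: it contrasts an email-keyed lookup with one keyed on the stable `sub` claim (which is what Google's OIDC documentation says to use), and adds two checks a service provider would want alongside it, the `email_verified` claim and, for org-scoped applications, the `hd` (hosted domain) claim that Google sets on Workspace accounts. The account table, client ID and both claim sets are constructed for the example; the code assumes the token's signature and expiry were already verified by a proper library before the claims reached this point.

```python
"""Constructed example: resolving decoded Google ID-token claims to a local account.

Assumption: signature, expiry and issuer trust were already checked upstream
(for example with google-auth's id_token.verify_oauth2_token); only the claim
handling that decides *which* local account the token maps to is shown here.
Every value below is made up for illustration.
"""

# Constructed OAuth client ID the relying party registered with Google.
CLIENT_ID = "123456789-example.apps.googleusercontent.com"

# Constructed local account table: what a SaaS app might persist after the
# first "Sign in with Google". Storing google_sub is what makes the hardened
# lookup possible at all.
ACCOUNTS = [
    {"id": 1, "email": "alice@example.com", "google_sub": "110169484474386276334"},
]

# Constructed claims from a Google Workspace account for alice@example.com.
# Workspace accounts carry the `hd` claim with the organisation's domain.
WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "110169484474386276334",
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
}

# Constructed claims from a *personal* (non-Gmail) Google account that was
# registered with the same address. Google issues it a different `sub` and no
# `hd`, but the email claim is identical to the Workspace one.
PERSONAL_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "998877665544332211000",
    "email": "alice@example.com",
    "email_verified": True,
}

# Google documents both issuer spellings as valid.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def lookup_by_email(claims, accounts=ACCOUNTS):
    """Weak pattern: the email claim alone selects the local account.

    Any Google account that can present this address, Workspace or not,
    lands in the same local account.
    """
    email = claims.get("email", "").lower()
    for acct in accounts:
        if acct["email"].lower() == email:
            return acct
    return None


def lookup_by_sub(claims, accounts=ACCOUNTS, expected_aud=CLIENT_ID, org_domain=None):
    """Hardened pattern: identity is (iss, sub); email is never the key.

    - aud must be this relying party's client ID (token was minted for us).
    - email_verified must be literally True before the address is used for
      anything, such as display or invitations.
    - If the application is scoped to one organisation, require the `hd`
      claim to equal that domain; personal accounts do not carry `hd`.
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return None
    if claims.get("aud") != expected_aud:
        return None
    if claims.get("email_verified") is not True:
        return None
    if org_domain is not None and claims.get("hd", "").lower() != org_domain.lower():
        return None
    sub = claims.get("sub")
    if not sub:
        return None
    for acct in accounts:
        if acct["google_sub"] == sub:
            return acct
    return None


if __name__ == "__main__":
    # The personal account with the reused address matches by email but not by sub.
    print("email  lookup, personal account:", lookup_by_email(PERSONAL_CLAIMS))
    print("sub    lookup, personal account:", lookup_by_sub(PERSONAL_CLAIMS))
    print("sub+hd lookup, workspace account:",
          lookup_by_sub(WORKSPACE_CLAIMS, org_domain="example.com"))
```

Keying on `sub` means a personal Google account that merely shares the address cannot be confused with the Workspace identity the application originally saw, and the `hd` check lets an org-scoped application refuse any token that did not come from the organisation's own Google tenant. Neither check revokes sessions or tokens the application already issued, so an organisation's offboarding still has to cover the SaaS side as well.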

https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/
