Employees at Bankrupt Startups: Personal Data at Risk through Unused Google Accounts

The demise of a startup has many consequences, and one of them is a cybersecurity problem that puts ex-employees at risk. Researchers have found that once-vibrant tech companies, wound down after business failure, still pose a data security threat to their former employees through neglected Google accounts.

Dylan Ayrey, CEO of Truffle Security and an acclaimed cybersecurity expert, was the first to unearth this problem. Ayrey, renowned for his contribution to the open-source project TruffleHog, discovered a vulnerability in Google’s OAuth. This is the technology that allows users to “Sign in with Google” in lieu of creating new passwords for other apps.

According to Ayrey, the dormant domains of defunct startups are a breeding ground for cybercriminal activity. Attackers use these domains to get into the cloud-based apps that every employee in the company once signed into. Those apps often hold detailed employee information, which exposes former staff to further cybercrime.

Ayrey’s research indicates that thousands of former employees and millions of SaaS accounts are susceptible to this risk. The estimate is based on the 116,000 startup domains currently listed for sale.

Google’s Imperfect Preventive Measure

In response to the concerns Ayrey raised, Google asserts that its OAuth configuration includes a “sub-identifier” feature to improve security. This unique string of numbers, tied to each Google account, should in principle prevent such takeovers. However, Ayrey found the feature unreliable in practice, with its use resulting in frequent account lockouts.
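As an added illustration (not code from the article, Google, or Truffle Security) of what keying identity on the `sub` claim means for an app, the snippet below links Google logins to local accounts by `sub` rather than by e-mail or hosted domain, and flags a login whose e-mail matches an existing account but whose `sub` does not, which is what a fresh account under a re-registered domain looks like. The claims are constructed; the `sub` values are placeholders, and signature verification of the ID token is assumed to have already been done by an OAuth library.

```python
# Added example: account linking keyed on Google's `sub` claim (not the article's code).
from dataclasses import dataclass, field


@dataclass
class UserStore:
    # Constructed in-memory store: Google `sub` -> local user record.
    by_sub: dict = field(default_factory=dict)
    # e-mail -> sub, kept only so identity mismatches can be spotted.
    by_email: dict = field(default_factory=dict)

    def link_google_login(self, claims: dict) -> str:
        """Return 'login', 'signup', 'unverified' or 'conflict'.

        `claims` is a decoded, signature-verified ID token payload
        (verification assumed to be done by the OAuth library, omitted here).
        """
        sub = claims["sub"]
        email = claims.get("email", "").lower()
        if not claims.get("email_verified", False):
            return "unverified"
        if sub in self.by_sub:
            return "login"  # same Google account as before
        # Known e-mail bound to a different sub: do not silently re-link,
        # because a new account on a lapsed domain would inherit the old user.
        if email in self.by_email and self.by_email[email] != sub:
            return "conflict"
        self.by_sub[sub] = {"email": email, "hd": claims.get("hd")}
        self.by_email[email] = sub
        return "signup"


def takeover_scenario() -> list:
    """Play out the scenario: original employee, then a new account with
    the same e-mail created after the domain was re-registered."""
    store = UserStore()
    # Placeholder sub values and a constructed domain, not real data.
    original = {"sub": "1001-placeholder", "email": "alice@defunct-startup.example",
                "email_verified": True, "hd": "defunct-startup.example"}
    relogin = dict(original)
    # Same e-mail and hosted domain, but a different Google account identifier.
    new_owner = dict(original, sub="2002-placeholder")
    return [store.link_google_login(c) for c in (original, relogin, new_owner)]
```

The third outcome is the one worth alerting on: an e-mail-only lookup would have treated it as the original employee.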

A Shift in Google’s Stance

Initially, Google downplayed the issue, referring to it as a fraud concern rather than a technological bug. Months later, after Ayrey’s presentation at the ShmooCon conference, Google awarded him a $1,337 bounty, acknowledging the potential threat.

Google has not yet established a technical fix. Its recommended solution centers on startup founders thoroughly closing down all cloud services when they close their businesses.

The discovery brought to light by Ayrey underlines an often overlooked aspect of cybersecurity. It is a clarion call to struggling startup founders and decision-makers. Getting your ducks in a row during the company’s closure includes ensuring that all digital accounts are properly shut down.

Original source: Read the full article on TechCrunch