New research has pulled back the curtain on a « deficiency » in Google’s « Sign in with Google » authentication flow that exploits a quirk in domain ownership to gain access to sensitive data.
« Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees, » Truffle Security co-founder and CEO Dylan Ayrey said
