Are Microsoft Admins at Risk of Personal Google Spoofing?
Dec 18, 2023 5:30 PM

by HubSite 365 about Merill Fernando

Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of &

Google OAuth Flaw Exposed: Secure Your Microsoft 365 Now!

Key insights

Microsoft administrators need not worry about this Google OAuth weakness, which involves plus-alias Google accounts: the video shows that Microsoft tenants are not affected by the loophole.

A hands-on demonstration showcases what occurs when a plus email alias account is invited to the Microsoft tenant, illustrating practical implications for admins.

The video features a timeline detailing the discovery and reporting of the vulnerability to Google, including the noteworthy compensation and subsequent actions taken to alert affected applications like Zoom and Slack.

The vulnerability came to light through the unexpected behavior of Microsoft's OAuth system, and Google's own documentation cautions against relying on the email claim for identity verification, which points to the avenue of exploitation.

Users can create Google accounts with non-Gmail emails, posing a risk when such email addresses belong to corporate domains and enable indefinite access to applications after departing a company.

  • Microsoft 365 admins can rest assured that using plus alias accounts with Google doesn't impact Microsoft tenants.
  • Clear demonstrations show how to test and understand the potential vulnerability within a Microsoft environment.
  • Timeline and compensation details from Google provide context on the issue's severity and response.
  • The background of the issue connects to broader concerns regarding the reliability of email-based identity claims in OAuth protocols.
  • Exploits can occur when users create non-Gmail Google accounts linked to corporate emails, allowing them to bypass organizational controls.

An in-depth look at the issue reveals that it may enable former employees to retain access to corporate applications such as Slack and Zoom, bypassing traditional off-boarding processes. This loophole exists due to the way certain Google accounts created with plus aliases or off-domain emails are treated within organizational settings—they do not show up in administrative views or standard user lists, thus evading detection and control.

In response to this vulnerability, organizations are advised to disable 'Login with Google' and enforce SAML authentication where possible. Service providers, for their part, can use Google's 'hd' (hosted domain) claim to verify organization membership, though it is not foolproof and brings its own challenges. Google could also apply global fixes, such as prohibiting plus-sign aliases in account email addresses or improving administrative controls to counter this misuse.

Lastly, the impact of this vulnerability extends beyond Google itself. The video describes a hypothetical scenario in which a company's domain passes to another party (after an acquisition or a suspension of service), giving that party a way into the company's old accounts such as Slack and Zoom, which underlines how deep the vulnerability runs.

Ultimately, while some steps can be taken by organizations and service providers to curtail the misuse of Google OAuth, the push for Google to take sweeping action remains a critical part of the discussion. This video serves as a call to action for stricter security measures and better account management to protect valuable corporate assets.

Understanding the Google OAuth Plus Email Alias Vulnerability

The discussed vulnerability revolves around a loophole in the Google OAuth system: users can create Google accounts with a plus email alias on their company's domain. The risk is that individuals, including former employees, could use this to retain unauthorized access to corporate applications such as Slack and Zoom. The look-alike accounts do not appear in administrative controls, creating a hidden back door that bypasses normal security checks. Remedies offered include enforcing SAML authentication for organizations, having service providers check Google's 'hd' OAuth claim, and overarching fixes that Google could implement to reduce such risks. By bringing the issue to light, the original content raises awareness and urges service providers, organizations, and Google itself to take preventative measures against this significant security lapse.

Are Microsoft 365 admins facing a new threat? A YouTube video hosted by Merill Fernando unpacks the Google OAuth vulnerability which, fortunately, does not impact Microsoft users utilizing the plus email alias. This video offers an essential watch for admins to understand the situation.

In the hands-on demonstration, viewers can see what occurs when you invite a plus email alias user to your Microsoft tenant. The video delves deeper into the Google OAuth vulnerability and its potential to allow ex-employees to maintain access to corporate applications like Slack and Zoom indefinitely, even after being removed from a company's official Google accounts.

From the video, we learn that Google has yet to introduce a remedy for this problem. A timeline outlines the events, from the initial report on August 4th to public disclosure on December 16th, including the reward Google paid when it acknowledged the issue and the responses from Google and the other affected applications.

The video also touches on the backstory of how the vulnerability was discovered by a Forager beta tester during a Descope Microsoft OAuth vulnerability check. It highlights the potential risks of relying on email claims for identity verification. Surprisingly, Google's own OpenID Connect (OIDC) documentation advises against using emails as a primary identity verifier.

As the video shows, it is possible to create a Google account with a non-Gmail email address, and that is where the risk lies. An account created in the email+anystring@domain format is indistinguishable from the original corporate email address to many systems, and it keeps working even after the original corporate mailbox is deactivated.

Platforms like Zoom and Slack that do not check whether the Google account is a genuine member of the company's Google organization are exposed to this method. As the video demonstrates, these non-Gmail accounts do not appear in the list of accounts an admin can manage, so they slip through the usual security checks.

To address this issue, organizations can disable login with Google or enforce SAML login. Service providers can use other OAuth claims to verify organization membership, though this too has its limitations. Google, for its part, could block Google accounts from using the domains of existing Google organization accounts, or ban the creation of accounts with email aliases and plus-sign addresses.

Significantly, this vulnerability also opens avenues for gaining unauthorized access to other platforms, exploiting weaknesses in support and ticketing systems like Zendesk. The video calls on Google to implement broad changes to fix the security gaps and adhere to their recommended 90-day remediation practice, as the disclosure comes 134 days after Google was informed.

  • Google OAuth vulnerability poses risks to corporate app access
  • Timeline of events from discovery to public disclosure detailed
  • Recommendations for avoidance and mitigation strategies included

Understanding the Google OAuth Vulnerability

The discussed YouTube video underscores a critical concern over the potential misuse of OAuth in disrupting application security. It serves as a cautionary tale, urging Microsoft 365 admins to be vigilant about how seemingly harmless features like email plus aliases can be abused. With implications stretching well beyond a single platform, it highlights a broader security challenge facing software ecosystems and the need for proactive security measures across all levels: individual, organizational, and service providers. Enforcing stricter identity verification processes and access control can significantly reduce the risk of unauthorized access and data breaches that could arise from this type of vulnerability.

Understanding the Google OAuth Vulnerability and Its Implications for Microsoft 365

A recent YouTube video has raised concerns for Microsoft 365 admins. It focuses on a Google OAuth vulnerability related to the use of plus aliases in email addresses. Notably, Microsoft tenants remain secure from this specific issue.

The video presents a hands-on demo showing the creation of a plus email alias account and the subsequent attempt to include such a user within a Microsoft tenant. The implications of this security gap are significant for organizations using certain web applications.

The vulnerability allows former employees to maintain access to applications like Slack and Zoom even after being removed from the company's Google organization. Unfortunately, no mitigations from Google have been reported as of yet.

  • 0:00 - Introduction to the security issue.
  • 0:40 - Explanation of plus alias in personal Google accounts.
  • 1:42 - Demonstration of a spoofed Google account using a plus alias.
  • 2:44 - Attempt at inviting a spoofed account to Microsoft 365.

An alarming Google OAuth flaw has been made public, potentially impacting numerous applications. Despite disclosure to Google and its inclusion in a bounty program, the security risk persists without resolution.

The narrator of the video found that the email claim in Microsoft's OAuth system could be manipulated, so its reliability could not be assumed. This discovery was made while analyzing Google's claims as part of a beta test for an application named Forager.

It turns out non-Gmail accounts can also be exploited, leading to unauthorized access to corporate applications. Google’s documentation, instead of providing reassurance, actually highlights the risks involved with using email as an identifier.

The problem arises when corporate email aliases and forwarding are used to create Google accounts. Such accounts, created with a plus sign and a string, remain outside the control of corporate Google administrators.

The flaw persists because these accounts may not be listed in the administrative portal, which allows continued, unauthorized access to third-party services like Zoom and Slack through Google-based OAuth claims.
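Because these accounts never show up in the Google Workspace admin console (a point the article makes here and earlier when it notes that they "do not show up in administrative views"), the only place an admin can catch them is on the application side, by comparing each app's member export with the Workspace directory. The following is an added example of that audit, not code from the video or from any of the products mentioned; the directory and the member list are constructed sample data, and the corporate domain is an assumption.

```python
"""Application-side audit for plus-alias or orphaned corporate Google logins.

Added example, not from the video. Both lists below are constructed sample
data; in practice the directory would come from a Workspace Admin SDK export
and the member list from the application's own admin export.
"""
from typing import Dict, Iterable, List, Set

CORP_DOMAIN = "corp.example"  # assumed corporate domain

# Constructed: active users as the Workspace directory reports them.
WORKSPACE_USERS: Set[str] = {"alice@corp.example", "bob@corp.example"}

# Constructed: member export from an app that offers "Login with Google".
APP_MEMBERS: List[Dict[str, str]] = [
    {"email": "alice@corp.example"},
    {"email": "Alice+zoom@corp.example"},   # plus-tagged look-alike account
    {"email": "carol@corp.example"},        # off-boarded user, seat survived
    {"email": "bob@corp.example"},
    {"email": "vendor@partner.example"},    # external guest, different review
]


def audit_app_members(members: Iterable[Dict[str, str]], directory: Set[str],
                      corp_domain: str) -> List[Dict[str, str]]:
    """Return one finding per corporate-domain member the directory cannot vouch for."""
    findings: List[Dict[str, str]] = []
    for member in members:
        email = member["email"].strip().lower()
        local, _, domain = email.partition("@")
        if domain != corp_domain.lower():
            continue  # external addresses are out of scope for this check
        base = f"{local.split('+', 1)[0]}@{domain}"
        if "+" in local:
            # The directory never issues plus-tagged addresses, so a plus tag on
            # the corporate domain is either a personal Google account created on
            # that address or a typo worth chasing; report the base address too.
            findings.append({"email": email, "base": base,
                             "issue": "plus-tagged corporate address"})
        elif email not in directory:
            # A bare corporate address with no directory entry means the mailbox
            # was removed during off-boarding but the application seat remains.
            findings.append({"email": email, "base": base,
                             "issue": "corporate address not in Workspace directory"})
    return findings


if __name__ == "__main__":
    for finding in audit_app_members(APP_MEMBERS, WORKSPACE_USERS, CORP_DOMAIN):
        print(f"{finding['issue']:45} {finding['email']} (base {finding['base']})")
```

Run against the sample data, the audit reports the plus-tagged alias and the off-boarded user's surviving seat, and leaves the genuine directory members and the external guest alone. The base address in each finding is what an admin would use to decide whether the seat should be removed or reassigned.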

To address this issue, organizations, service providers like Zoom and Slack, and Google must take decisive actions. For example, organizations could disable login with Google altogether or enforce stricter authentication protocols.

Service providers can check for organizational membership claims or opt for more secure account provisioning methods. As for Google, banning accounts that mimic corporate domains or improving administrative controls could be part of the solution.
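The service-provider remedy the article returns to several times (here, and earlier where it recommends checking Google's 'hd' claim rather than trusting the email string) can be written down as a small policy over the decoded ID-token claims. The block below is an added example of that policy, not code from the video or from Google; it assumes the token's signature, issuer and audience have already been verified by a JWT library, uses Google's standard `sub`, `email`, `email_verified` and `hd` claim names, and the expected domain and sample claim sets are constructed.

```python
"""Relying-party policy for Google OIDC ID-token claims.

Added example, not code from the video or from Google. Operates on already
signature-verified claims; the expected domain and sample claims are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# local part, optional "+tag", domain (simple mailbox addresses only)
MAILBOX = re.compile(r"^(?P<base>[^+@\s]+)(?P<tag>\+[^@\s]*)?@(?P<domain>[^@\s]+)$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    identity: Optional[str] = None  # stable key for the local account


def evaluate_google_claims(claims: dict, expected_hd: str) -> Decision:
    """Decide whether a Google-authenticated user belongs to the expected organization."""
    # 1. An unverified email says nothing about who holds the address.
    if claims.get("email_verified") is not True:
        return Decision(False, "email_verified is not true")

    m = MAILBOX.match(str(claims.get("email", "")))
    if not m:
        return Decision(False, "email claim is not a simple mailbox address")

    # 2. Plus-tagged local parts are exactly how the personal look-alike
    #    accounts are created, so refuse them instead of folding them into
    #    the base address (which would hand the alias the real user's seat).
    if m.group("tag"):
        return Decision(False, "plus-tagged local part rejected")

    # 3. `hd` is present only for Google Workspace accounts and names the
    #    organization's domain; a personal account created on a
    #    corporate-looking address carries no `hd` at all.
    hd = claims.get("hd")
    if not hd:
        return Decision(False, "no hd claim: not a Workspace account")
    if hd.lower() != expected_hd.lower():
        return Decision(False, f"hd {hd!r} is not {expected_hd!r}")

    # 4. Key the local account on `sub`, which is unique and stable per Google
    #    account, never on the email string, which can be imitated or reassigned.
    return Decision(True, "workspace member", identity=f"google:{claims['sub']}")


# Constructed sample claim sets (signature-verified, by assumption).
GENUINE = {"sub": "110000000000000000001", "email": "alice@corp.example",
           "email_verified": True, "hd": "corp.example"}
PLUS_ALIAS = {"sub": "110000000000000000002", "email": "alice+zoom@corp.example",
              "email_verified": True}            # personal account, no hd
PERSONAL = {"sub": "110000000000000000003", "email": "alice@corp.example",
            "email_verified": True}              # reused corporate address, no hd

if __name__ == "__main__":
    for name, claims in (("genuine", GENUINE), ("plus-alias", PLUS_ALIAS),
                         ("personal", PERSONAL)):
        print(name, evaluate_google_claims(claims, "corp.example"))
```

The order of the checks matters: the plus-tag rejection runs before the `hd` comparison so that an alias is refused even if it ever arrived with a matching `hd`, and the local account is keyed on `sub` so that a later account carrying the same email string cannot inherit the first one's seat. The `hd` comparison is deliberately made against the claim alone rather than the email domain, since a Workspace user may sign in with an address on a secondary domain of the same organization.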

Unfortunately, this security lapse also opens the door to further exploits, such as gaining access to organizational tools one never had, for example through support-ticket-based account creation.

In the final analysis, the video calls for Google to take responsibility and enforce significant remediations. The current state presents a serious security risk with former employees retaining access to platforms due to Google OAuth system loopholes.

Further Insights into Security Vulnerabilities and Best Practices

Security vulnerabilities like the one in Google's OAuth system highlighted in the discussed YouTube video underscore the critical need for effective digital security measures. As technology continues to evolve, so do the tactics of those looking to exploit system weaknesses. It is crucial for organizations to regularly update their security protocols, educate employees on safe practices, and stay informed about potential risks. By doing so, they can help safeguard sensitive information and protect against unauthorized access to their systems.
