Hacker News

1768 readers

352 users here now

Posts from the RSS Feed of HackerNews.

The feed sometimes contains ads and posts that have been removed by the mod team at HN.

founded 9 months ago

MODERATORS

patrick@lemmy.bestiver.se

rssbot@lemmy.bestiver.se

Millions of Accounts Vulnerable Due to Google's OAuth Flaw (trufflesecurity.com)

submitted 5 months ago by rssbot@lemmy.bestiver.se to c/hackernews@lemmy.bestiver.se

4 comments fedilink hide all child comments

Comments

you are viewing a single comment's thread
view the rest of the comments

[–] naeap@sopuli.xyz 4 points 5 months ago (1 children)

I still can't comprehend how Google used just the mail address or domain for their SSO
I would have expected something like a hash over mail address and password + salt or something, so a new registrar would have a different hash

Just using the date of registration in the hash would have been mitigating this stuff - or do I miss something?

[–] fuzzzerd@programming.dev 1 points 5 months ago (1 children)

Usually the flaw us on the service provider side when using only email address for SSO. Typically the idp will provide a sub claim which is unique to the account and independent of email.

[–] fuzzzerd@programming.dev 1 points 5 months ago

I see the article mentions this sub as having as an unreliable claim value. I can't dispute that experience, but have not observed it personally. Though my experience is on a much smaller system.