efrowning | 1 year ago | on: Google’s OAuth login doesn’t protect against purchasing a failed startup domain
Right? I wish this data was provided by the registrars! I want to know when a domain has lapsed to protect users with existing accounts from that domain on my services. RDAP is new enough that I'm hoping registrars start using it to spec, but I'm not holding my breath right now.
efrowning | 1 year ago | on: Google’s OAuth login doesn’t protect against purchasing a failed startup domain
Are your users primarily using gmail accounts or are they using accounts from custom domains? TFA doesn't say exactly, but I wonder if this stat only applies to users with custom domains rather than @gmail accounts.
efrowning | 1 year ago | on: Google’s OAuth login doesn’t protect against purchasing a failed startup domain
How would the clients tell if the account has a valid sub change or not if the only piece of information provided is that the sub claim changes? For this particular attack, without having some kind of Google Workspace account identifier for the domain, the sub claim doesn't sound sufficient to validate that it's the same Google account from the client's side. I'm guessing the engineer at the major tech company didn't provide that stat without checking if those users were valid, active accounts.
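As an added example (not code from this thread, from Google, or from the article), here is the minimal server-side linking policy a relying party can apply to the claims of an already-verified Google ID token: link on the stable `sub`, and treat an `email` match with a different `sub` or `hd` as a signal of a re-created mailbox that needs manual review rather than an automatic link. The `Account` store, the `decide_link` policy and the sample records are assumptions for illustration; `sub`, `email`, `email_verified` and `hd` are the real claim names.

```python
"""Defensive account-linking check for "Sign in with Google" ID tokens.

Added example. The thread's concern: once a lapsed domain is re-registered,
Google mints new `sub` values for mailboxes re-created at that domain, so a
relying party that matches on `email` alone hands old accounts to the new
domain owner. Policy here (an assumption, not a Google recommendation):
link only on `sub`; an email match with a different `sub` gets reviewed.
Signature, issuer, audience and expiry checks are assumed done upstream.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    sub: str            # Google's stable user id, recorded at first login
    hd: Optional[str]   # Workspace domain (`hd` claim); None for @gmail.com


def decide_link(claims: dict, accounts: dict) -> str:
    """Return 'link', 'new' or 'review' for the claims of a verified token.

    `accounts` maps lower-cased email -> Account (constructed store).
    """
    if not claims.get("email_verified", False):
        return "review"                      # never link on an unverified email
    email = claims["email"].lower()
    sub = claims["sub"]
    existing = accounts.get(email)
    if existing is None:
        return "new"                         # first login: record email, sub, hd
    if existing.sub == sub and existing.hd == claims.get("hd"):
        return "link"                        # same Google account as before
    # Same email, different stable id (or domain): the mailbox was re-created,
    # which is exactly what a re-registered failed-startup domain produces.
    return "review"


def demo() -> dict:
    """Constructed sample: one existing Workspace user, three later logins."""
    store = {"alice@failed-startup.example":
             Account("alice@failed-startup.example", "sub-old-111", "failed-startup.example")}
    same = {"email": "alice@failed-startup.example", "email_verified": True,
            "sub": "sub-old-111", "hd": "failed-startup.example"}
    reused = dict(same, sub="sub-new-222")   # new owner re-created the mailbox
    fresh = {"email": "bob@gmail.com", "email_verified": True, "sub": "sub-333"}
    return {"same": decide_link(same, store), "reused": decide_link(reused, store),
            "fresh": decide_link(fresh, store)}
```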
efrowning | 1 year ago | on: Google’s OAuth login doesn’t protect against purchasing a failed startup domain
Sadly, this isn't fool-proof. Domains can go up for auction or backorder on a registrar, and they won't update the registration date if the domain is purchased this way since the registrar can consider this a transfer. It's a signal, for sure, but it will miss cases. It will also miss transfers sometimes, depending on the registrar.