
Comment by horsawlarway

4 days ago

Yeah, this is the part I'm struggling with. This is absolutely not unique to Google OAuth; it genuinely seems like a misunderstanding of how the web manages trust.

If you own the domain, you own all the property associated with the domain, including all the old email addresses. Magic links and password resets are all going to give the new owner access.

Your best bet as a solution is to be using strict 2FA (e.g. a YubiKey might help here), but even that is likely just "a conversation with support" away from being circumvented.

This is why winding down a company is supposed to have specific stages and policies associated with the dissolution. You don't just abandon the offices and leave all the filing cabinets behind either, for similar reasons...

I don't think the claim is that Google has introduced a totally novel vuln, just that they are a stable, trusted middleman who is failing to mitigate a common vuln where they can.

You don't abandon filing cabinets, but given that some percentage of startup failures are sudden and surprising and the people who could do something are unmotivated / unable to, it's not a best practice for a commercial landlord to put abandoned files on the street with a sign "free", files and all. Maybe they have a legal right to, but it's not how I would operate in that situation.

It seems to be at the registry level. But registries do show changes in owner [implicitly at least].

Maybe there needs to be a way to do some signalling/lookup when domains change hands.

Sounds like a job for a blockchain, lol.

> Magic links and password resets are all going to give the new owner access.

Which is why you should never exclusively rely on either for sensitive services.

It's better than SMS based password recovery or "call support to reset your password". What do you suggest is the best approach?
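Two ideas in the thread fit together as one defender-side check: look up whether the e-mail domain changed hands after the account was created (the "signalling/lookup when domains change hands" suggestion), and never let a magic link or password-reset e-mail alone recover a sensitive account. The example below is added here and is not code from any commenter or from Google; it parses the `events` array of an RDAP domain record (the real RDAP shape, with `registration`, `reregistration` and `transfer` event actions) and decides how a recovery request may proceed. The RDAP responses, domains and accounts are constructed for the example, and the `rdap_lookup` dictionary stands in for a live RDAP query, which is an assumption of the example rather than anything the thread describes.

```python
"""Gate account recovery on domain-ownership changes and on a second factor.

Added example: decides whether a recovery request for an account may use an
e-mailed magic link alone, must also present a second factor, or must be
escalated to manual review because the e-mail domain appears to have changed
hands since the account was created.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed RDAP-style records (shape follows the RDAP "events" array).
# Domains and dates are made up; a deployment would query the registry's
# RDAP server for the live record instead of this dictionary.
CONSTRUCTED_RDAP: Dict[str, str] = {
    # Dropped and re-registered by someone else in 2025.
    "example-startup.test": json.dumps({"ldhName": "example-startup.test", "events": [
        {"eventAction": "registration", "eventDate": "2025-01-10T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-01-10T00:00:00Z"},
    ]}),
    # Continuously held since 2015; "last changed" is not an ownership event.
    "stable-corp.test": json.dumps({"ldhName": "stable-corp.test", "events": [
        {"eventAction": "registration", "eventDate": "2015-06-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-02-20T00:00:00Z"},
    ]}),
    # Registered long ago but transferred to a new registrant in 2024.
    "transferred-co.test": json.dumps({"ldhName": "transferred-co.test", "events": [
        {"eventAction": "registration", "eventDate": "2010-05-05T00:00:00Z"},
        {"eventAction": "transfer", "eventDate": "2024-09-15T00:00:00Z"},
    ]}),
}

# Event actions that signal the domain may now belong to someone else.
OWNERSHIP_EVENTS = {"registration", "reregistration", "transfer"}


@dataclass
class Account:
    email: str
    created_at: datetime        # timezone-aware
    sensitive: bool             # e.g. admin, billing, source-control access
    has_second_factor: bool     # a factor bound to the person, not the domain


def _parse_rdap_date(value: str) -> datetime:
    """RDAP dates are RFC 3339; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def latest_ownership_event(rdap_json: str) -> Optional[datetime]:
    """Most recent registration/reregistration/transfer date, or None."""
    doc = json.loads(rdap_json)
    dates = [_parse_rdap_date(ev["eventDate"]) for ev in doc.get("events", [])
             if ev.get("eventAction") in OWNERSHIP_EVENTS and "eventDate" in ev]
    return max(dates) if dates else None


def domain_changed_hands(account: Account, rdap_json: str) -> bool:
    """True when an ownership event postdates the account's creation.

    Caveat: a registrant change at the same registrar with no transfer event
    leaves no trace here, so this is a signal, not proof of continuity.
    """
    event = latest_ownership_event(rdap_json)
    return event is not None and event > account.created_at


def recovery_decision(account: Account, rdap_lookup: Dict[str, str] = CONSTRUCTED_RDAP) -> str:
    """Return 'magic_link', 'second_factor_required' or 'manual_review'."""
    domain = account.email.rsplit("@", 1)[1].lower()
    record = rdap_lookup.get(domain)
    # Unknown domain or a domain that changed hands: stop automated recovery.
    if record is None or domain_changed_hands(account, record):
        return "manual_review"
    # A mailed link alone never recovers a sensitive account.
    if account.sensitive:
        return "second_factor_required" if account.has_second_factor else "manual_review"
    return "magic_link"


CREATED = datetime(2022, 3, 1, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice": Account("alice@example-startup.test", CREATED, True, True),
    "bob": Account("bob@stable-corp.test", CREATED, True, False),
    "carol": Account("carol@stable-corp.test", CREATED, False, False),
    "dave": Account("dave@stable-corp.test", CREATED, True, True),
    "erin": Account("erin@transferred-co.test", CREATED, False, True),
}

if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        print(f"{name:6} {acct.email:28} -> {recovery_decision(acct)}")
```

The decision for `alice` and `erin` is escalation because the registry shows the domain re-registered or transferred after the account existed; `dave` can proceed only with the second factor, `bob` cannot use the link at all, and only the non-sensitive `carol` gets the plain magic link.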