### The Dangers of Failing to Properly Wind Down a Google Apps Domain
In the dynamic environment of startups, where flexibility and innovation are paramount, it’s easy to neglect the critical steps involved in winding down operations when a business doesn’t succeed. A recent report from Dylan Ayrey of Truffle Security Co. sheds light on a significant lapse that could leave sensitive data exposed and jeopardize security: the inadequate winding down of a Google Apps domain. This often-overlooked issue has extensive consequences for startups, their staff, and the third-party platforms they depend on.
---
### The Issue: Zombie Google Accounts
Google Workspace, previously known as G Suite, is a widely-used productivity platform among startups for email, document sharing, and other administrative tasks. Many startups also utilize Google’s OAuth service, enabling users to log into third-party applications such as Slack, Zoom, and HR systems using their Google accounts. This integration enhances productivity—until the startup collapses, the domain becomes inactive, and the associated Google accounts are not properly decommissioned.
According to Ayrey’s research, when a domain tied to Google Workspace changes ownership, the new proprietor could potentially reinstate the Google accounts of employees from the prior domain. This reactivation provides access to external services that employed Google OAuth for login. Ayrey illustrated this by acquiring a defunct startup domain, thereby accessing sensitive data, such as tax documents, job interview information, and private communications.
---
### The Magnitude of the Problem
The statistics present a troubling scenario:
- **6 million individuals** are employed by tech startups across the U.S.
- **90% of startups do not succeed**, often suddenly.
- **50% of startups** utilize Google Workspace, as estimated by Ayrey.
Considering these figures, there are likely thousands of Google-auth-connected domains available for purchase at any point in time. The issue isn’t merely hypothetical; it poses a significant risk to data security.
---
### The Cause: Absence of Proper Shutdown Protocols
When a business utilizing Google Workspace ceases operations, merely canceling the subscription is insufficient. Google’s own guidelines indicate that terminating a Workspace subscription “doesn’t eliminate user accounts.” These accounts remain active until the organization’s Google account is explicitly removed. Skipping this step means the domain stays connected to the Google accounts, which creates a security vulnerability.
Google has provided [guidance](https://support.google.com/a/answer/1257646?sjid=344813928108938010-NC#zippy=%2Ccancel-a-domain-verified-subscription) for correctly closing down domains, yet these recommendations are frequently ignored in the turmoil during a startup’s closure. The consequence? A wealth of sensitive information becomes accessible to anyone who acquires the lapsed domain.
---
### The Exploitation Route
Ayrey’s investigation uncovered a simple pathway for exploitation:
1. **Acquire an expired domain** that was previously associated with a Google Workspace account.
2. **Reactivate the Google accounts** linked to that domain.
3. Access third-party services through these accounts using Google OAuth.
This approach does not allow access to data saved directly in the reactivated Google accounts but does enable entry to third-party platforms that used these accounts for authentication. During Ayrey’s experimentation, this included services like Slack, ChatGPT, and HR applications, all of which contained sensitive information.
---
### Google’s Reaction: “Won’t Fix (Intended Behavior)”
When Ayrey revealed his findings to Google in late 2024, the company initially categorized the issue as “Won’t Fix (Intended Behavior).” Google contended that the likelihood of exploitation was minimal and attributed the issue to customers not adhering to best practices for domain shutdown. However, following the exposure of Ayrey’s findings, Google re-evaluated the matter, issued him a $1,337 bug bounty, and recognized the significant impact of the vulnerability.
Google advises that third-party applications should employ a distinct, immutable identifier known as “sub” for user verification. Nonetheless, Ayrey’s research indicates that this identifier is not consistently applied, leaving numerous services at risk of domain-takeover vulnerabilities.
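To make the "sub" recommendation concrete, here is an added example (not code from Truffle Security or Google) of a third-party application's login lookup done the vulnerable way, keyed on the e-mail address, next to the hardened way, keyed on the immutable `sub` claim. The account store and the two ID-token claim sets are constructed, and signature verification of the token is assumed to have already happened.

```python
"""Added example: resolving a local user from Google OIDC claims.
Account records and claim dictionaries below are constructed sample data."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    # Local user record in the third-party app (constructed).
    user_id: str
    email: str
    google_sub: Optional[str]  # None if the app never stored the sub claim


ACCOUNTS = [
    Account("u-100", "alice@defunct-startup.example", google_sub="sub-original-123"),
]


def lookup_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable: any token carrying the same e-mail resolves to the old user,
    so a Google account re-created under a re-registered domain inherits access."""
    return next((a for a in ACCOUNTS if a.email == claims["email"]), None)


def lookup_by_sub(claims: dict) -> Optional[Account]:
    """Hardened: the identity key is Google's immutable ``sub`` claim.
    Same e-mail with a different ``sub`` is an unknown identity and is refused
    rather than silently re-linked to the existing account."""
    for a in ACCOUNTS:
        if a.google_sub is not None and a.google_sub == claims["sub"]:
            return a
    return None


# Constructed claims: the original employee's token, and one minted for a
# Google account re-created at the same address by a new domain owner.
ORIGINAL_TOKEN = {"sub": "sub-original-123", "email": "alice@defunct-startup.example"}
REACTIVATED_TOKEN = {"sub": "sub-new-owner-999", "email": "alice@defunct-startup.example"}

if __name__ == "__main__":
    print("email lookup, reactivated token ->", lookup_by_email(REACTIVATED_TOKEN))  # old user: bad
    print("sub lookup, reactivated token   ->", lookup_by_sub(REACTIVATED_TOKEN))    # None: refused
```

Applications that only stored e-mail addresses have no `sub` to compare against, which is why a one-time re-linking step on next login (with the `sub` recorded from then on) is needed before this check can protect every account.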
---
### Suggested Solutions
Ayrey has proposed a solution to tackle the issue: Google should incorporate two new immutable identifiers within its OpenID Connect claims—one associated with the user and another with the domain. These identifiers would guarantee that reactivated accounts cannot access third-party services. As of January 2025, Google has yet to announce any plans for implementing this solution.
---
### Insights for Startups and Organizations
The primary lesson from Ayrey’s research is unmistakable: winding down a company entails more than simply canceling subscriptions and liquidating assets. Organizations must undertake the following measures to safeguard their data and prevent unauthorized entry:
1. **Delete Google Workspace accounts** prior to canceling the subscription.
2. **Disconnect OAuth connections** to third-party applications.
3. **Adhere to Google’s domain shutdown protocols** to ensure no lingering vulnerabilities.
For developers of third-party applications, the findings emphasize the importance