Attackers exploit a Google OAuth flaw, recycling domains to access SaaS accounts and sensitive HR data.

New research has pulled back the curtain on a “deficiency” in Google’s “Sign in with Google” authentication flow that exploits a quirk in domain ownership to gain access to sensitive data.