Security Audit Reveals 2M+ GitHub Repositories Vulnerable to Google OAuth Email-Based Identity Fracture
Key Takeaways
- Over 2 million scanned repositories contain OAuth implementations vulnerable to Gmail rename attacks, with popular frameworks like Passport.js accounting for ~60% of affected projects
- Critical implementations store only email as identity key with no fallback, causing immediate data loss and user account fracture when Google accounts are renamed
- The vulnerability stems from developer education and documentation patterns that normalized using email as identity key rather than the stable OAuth `sub` identifier
Summary
A comprehensive security analysis scanning over 2 million GitHub repositories has identified a widespread vulnerability in OAuth implementations across popular frameworks and platforms. The vulnerability stems from developers using Google's email field as the primary identity key instead of the stable sub (subject) identifier, creating a critical security gap: when users rename their Gmail addresses, systems lose track of their identity, causing data loss and access revocation across dashboards, chat histories, CI/CD permissions, and cloud infrastructure. The issue affects major projects including GitLab's self-hosted version, open-source ChatGPT alternatives, analytics platforms, device management tools, and educational software. The research categorizes vulnerability severity into four levels—Critical (email as only key), High (email as fallback), Medium (stale display data), and Safe (sub as primary)—and found that popular scaffolding templates have silently propagated this anti-pattern into hundreds of production applications. Cal.com emerged as a correct implementation model, using token.sub as the primary identity key with email reserved for non-critical functions like rate limiting.
- Cal.com demonstrates the secure pattern: using `token.sub` as primary identity key while relegating email to secondary, non-critical functions
- High-stakes applications including GitLab, device management tools, payment platforms, and cloud infrastructure face audit trail breaks and access revocation when users rename Gmail accounts
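As an added illustration (not code from the audit or from any project it names), a minimal Node.js sketch of the Critical pattern next to the Safe one, run against constructed ID-token claims for the same Google account before and after a Gmail rename:

```javascript
// Added example: email-keyed vs sub-keyed account lookup on constructed claims.
// Not code from the audit or from any project it names.

// In-memory stand-in for a users table; a real app would use a database.
function makeStore() {
  return { users: [], nextId: 1 };
}

// CRITICAL pattern: email is the only identity key.
function loginByEmail(store, claims) {
  let user = store.users.find((u) => u.email === claims.email);
  if (!user) {
    user = { id: store.nextId++, email: claims.email, name: claims.name };
    store.users.push(user); // a renamed account lands here as a brand-new user
  }
  return user;
}

// SAFE pattern: sub (stable per Google account) is the key; email is display data.
function loginBySub(store, claims) {
  let user = store.users.find((u) => u.sub === claims.sub);
  if (!user) {
    user = { id: store.nextId++, sub: claims.sub, email: claims.email, name: claims.name };
    store.users.push(user);
  } else if (user.email !== claims.email) {
    user.email = claims.email; // refresh stale display data after a rename
  }
  return user;
}

// Constructed claims: same sub before and after the user renames their Gmail address.
const BEFORE_RENAME = { sub: '110000000000000000001', email: 'alice.old@gmail.com', name: 'Alice' };
const AFTER_RENAME  = { sub: '110000000000000000001', email: 'alice.new@gmail.com', name: 'Alice' };

// Logs in twice (old email, then new email) and reports whether the second
// login resolved to the first account or fractured into a new one.
function renameSurvives(loginFn) {
  const store = makeStore();
  const first = loginFn(store, BEFORE_RENAME);
  const second = loginFn(store, AFTER_RENAME);
  return { sameAccount: first.id === second.id, accounts: store.users.length, email: second.email };
}

console.log('email key:', renameSurvives(loginByEmail)); // sameAccount: false, accounts: 2
console.log('sub key:  ', renameSurvives(loginBySub));   // sameAccount: true,  accounts: 1
```

The High tier the audit describes (sub primary, email fallback) sits between the two: it survives the rename, but an email-only match can still bind a login to an account that was never linked by `sub`.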
Editorial Opinion
This discovery exposes a systemic failure in OAuth developer education across major frameworks and platforms. The irony is that Google's own documentation warns against this exact anti-pattern, yet it remains the de facto standard taught in tutorials and Stack Overflow answers. The scale—affecting 2M+ repositories—suggests this isn't merely a best-practices gap but a fundamental misunderstanding of OAuth identity semantics that has been baked into production systems for years. Until frameworks make `sub`-based identity the default and email a cosmetic field, users will continue experiencing data loss from seemingly minor account changes.