[chasemiller]

Yes, it's a failure on DankStartup's part.

Not really much different than a user buying dankstartup.net, setting up a catch-all email, observing what comes in, and performing password resets for those accounts, allowing for account takeovers.

Calling it a vuln in oauth may be a bit hyperbolic, but Google could help prevent it.

[OkGoDoIt]

I have catchall email accounts in every domain name I own (mostly so I can do differentiated emails for every service to track/combat leakage), and you would not believe the amount of emails I get that are intended for previous domain owners (and typos too). I haven’t actually done any reset password flows, but there are a bunch of social media and SaaS accounts I could easily take over if I wanted. I used to try to track down whoever the emails were intended to go to and forward it to them and let them know to change it, but that got to be too tedious so nowadays I just ignore them.

Still, I wouldn’t call this a vulnerability on the service provider’s part, it’s just user negligence.