Advisories for PyPI/Hail package

2024

Hail relies on OIDC email claims to verify the validity of a user's domain.

All Hail Batch clusters are affected. An attacker is able to create one or more accounts with Hail Batch without corresponding real accounts in the organization. For example, a user could create a Microsoft or Google account and then change their email to "inconspicuous@example.org". This Microsoft or Google account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is "example.org". In Google, …