OAuth apps are being exploited to launch cyberattacks


Cybercriminals are increasingly abusing OAuth apps to launch attacks against enterprise businesses according to new research from Proofpoint.

For those unfamiliar, an OAuth app is an application that integrates with a cloud computing service and may be provided by a vendor other than the cloud service provider. These apps can be used to add business features as well as user-interface enhancements to cloud services such as Microsoft 365 or Google Workspace.

In order for OAuth apps to work with cloud services, most of them request permission to access and manage user information and data, as well as to sign into other cloud apps on a user's behalf. OAuth works over HTTPS and uses access tokens, rather than login credentials, to authorize devices, APIs, servers and applications.

However, given the broad permissions these apps can have to an organization's core cloud applications, they have become a growing attack surface and vector. Cybercriminals use a variety of methods to abuse OAuth apps, including compromising app certificates, a technique used in the recent SolarWinds hack.

OAuth abuse

As OAuth apps can be easily exploited, attackers can use OAuth access to compromise and take over users' cloud accounts. To make matters worse, an attacker retains access to a user's accounts and data until the OAuth token is explicitly revoked.

Malicious applications, or cloud malware, use a number of tricks such as OAuth token phishing and app impersonation to manipulate account owners into granting consent. In 2020 alone, Proofpoint discovered more than 180 malicious applications, and a majority of them were found to be attacking multiple tenants.

Bad coding or design is often responsible for making applications vulnerable to hostile takeover, and in these cases an attacker compromises the app's assets or mechanisms instead of interacting with the target accounts directly. One recent example occurred back in March of last year, when it was discovered that sharing a GIF in Microsoft Teams could result in an account takeover.

In a study of 2020 data, Proofpoint observed that 95 percent of organizations were targeted and 52 percent of organizations had at least one compromised account.

In order to avoid OAuth app abuse, the firm recommends that organizations actively govern OAuth apps, avoid storing plaintext secrets and code signing keys, manage roles more carefully and look out for anomalies.
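As an added example of what "govern OAuth apps and look out for anomalies" can mean in practice (this code is not from the article or from Proofpoint), the script below triages a tenant's app-consent records and scores each grant on the warning signs the article describes: an unverified publisher, a display name that mimics a well-known vendor (app impersonation), high-privilege scopes, and the `offline_access` scope, which yields a refresh token so that access persists until the grant is revoked. The records, the field names and the scope list are constructed for the example and modelled loosely on Microsoft Graph-style permissions; a real deployment would read them from the tenant's audit log.

```python
"""Triage OAuth consent grants for signs of consent phishing / app impersonation.

Added example, not the article's or Proofpoint's code. All records below are
constructed; the field names and scope names are assumptions modelled on a
typical Microsoft 365 / Google Workspace consent log.
"""
from dataclasses import dataclass, field

# Delegated scopes that let an app read or act on mail, files or the directory
# on the user's behalf (constructed list for the example).
HIGH_PRIVILEGE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite",
}
# offline_access returns a refresh token: access outlives the user's session
# and persists until the grant is explicitly revoked.
PERSISTENT_SCOPE = "offline_access"
# Names an unverified third-party app should not be borrowing.
IMPERSONATION_KEYWORDS = ("microsoft", "office", "google", "outlook", "teams")


@dataclass
class ConsentGrant:
    app_id: str
    display_name: str
    publisher_verified: bool
    consented_by: str
    scopes: list


@dataclass
class Finding:
    app_id: str
    display_name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def assess_grant(grant: ConsentGrant) -> Finding:
    """Score one consent grant; higher means more worth an analyst's time."""
    finding = Finding(grant.app_id, grant.display_name)

    def hit(points: int, why: str) -> None:
        finding.score += points
        finding.reasons.append(why)

    if not grant.publisher_verified:
        hit(2, "publisher not verified")
        # Vendor-sounding names from an unverified publisher are the classic
        # app-impersonation pattern.
        name = grant.display_name.lower()
        if any(k in name for k in IMPERSONATION_KEYWORDS):
            hit(2, "name mimics a well-known vendor or product")
    for scope in grant.scopes:
        if scope in HIGH_PRIVILEGE_SCOPES:
            hit(1, f"high-privilege scope {scope}")
    if PERSISTENT_SCOPE in grant.scopes:
        hit(1, "offline_access: refresh token persists until the grant is revoked")
    return finding


def triage(grants, threshold: int = 3) -> list:
    """Return findings at or above the threshold, most suspicious first."""
    findings = (assess_grant(g) for g in grants)
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: -f.score)


# Constructed sample consent log: two benign grants, two that should surface.
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Microsoft 0ffice Mail Helper", False,
                 "alice@example.test",
                 ["Mail.ReadWrite", "offline_access", "User.Read"]),
    ConsentGrant("app-0002", "Contoso Expense Sync", True,
                 "bob@example.test",
                 ["Files.ReadWrite.All", "offline_access"]),
    ConsentGrant("app-0003", "Calendar Widget", True,
                 "carol@example.test", ["Calendars.Read"]),
    ConsentGrant("app-0004", "Google Drive Backup", False,
                 "dave@example.test", ["Files.ReadWrite.All"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f"{f.app_id} {f.display_name!r} score={f.score}")
        for r in f.reasons:
            print(f"    - {r}")
```

The verified "Contoso Expense Sync" grant scores 2 for its broad file scope plus `offline_access` and stays below the default threshold; the two unverified, vendor-named apps rise to the top. The weights are deliberately simple so a team can tune them against its own consent history rather than treat them as fixed.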

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
