OAuth apps are being exploited to launch cyberattacks

Cybercriminals are targeting OAuth apps to compromise cloud accounts

Cybercriminals are increasingly abusing OAuth apps to launch attacks against enterprise businesses, according to new research from Proofpoint.

For those unfamiliar, an OAuth app is an application that integrates with a cloud computing service and may be provided by a vendor other than the cloud service provider. These apps can add business features as well as user-interface enhancements to cloud services such as Microsoft 365 or Google Workspace.

For OAuth apps to work with cloud services, most of them request permission to access and manage user information and data, and to sign in to other cloud apps on the user's behalf. OAuth runs over HTTPS and authorizes devices, APIs, servers and applications with access tokens rather than the user's login credentials: the user grants consent at the identity provider, and the app receives a token scoped to the permissions it asked for without ever seeing the password.

However, given the broad permissions these apps can hold over an organization's core cloud applications, they have become a growing attack surface and attack vector. Cybercriminals use a variety of methods to abuse OAuth apps, including compromising app certificates, a technique used in the recent SolarWinds hack.

OAuth abuse

Because an OAuth grant gives the app a token of its own, independent of the user's password, an attacker who obtains such a grant can take over the user's cloud account and data. To make matters worse, that access persists until the token or the app's consent is explicitly revoked; resetting the user's password alone does not remove it.

Malicious applications, or cloud malware, use a number of tricks, such as OAuth consent (token) phishing and app impersonation, to manipulate account owners into granting consent. In 2020 alone, Proofpoint discovered more than 180 malicious applications, and a majority of them were found to be attacking multiple tenants.

Bad coding or design is often what leaves an application open to hostile takeover. In these cases the attacker compromises the app's own assets or mechanisms, such as its secrets, certificates or token handling, instead of interacting with the target accounts directly. One recent example came in March of last year, when it was discovered that sharing a GIF in Microsoft Teams could result in an account takeover.

In its analysis of 2020 data, Proofpoint observed that 95 percent of organizations were targeted and 52 percent had at least one compromised account.

To avoid OAuth app abuse, the firm recommends that organizations actively govern OAuth apps, avoid storing plaintext secrets and code-signing keys, manage roles more carefully and watch for anomalies such as unexpected consent grants.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.