All news with #oauth tag

Amazon Cognito Adds Resource Indicators for OAuth 2.0

🔐 Amazon Cognito now accepts resource indicators in OAuth 2.0 access token requests, enabling app clients to request tokens targeted to a specific protected resource rather than a broad service audience. After authenticating the client, Cognito issues an access token with the aud claim set to that resource. This replaces prior workarounds that relied on non‑standard claims or custom scopes and simplifies issuing resource‑specific tokens for agents and other clients. The capability is available to Cognito Managed Login customers on Essentials and Plus tiers in Regions where Cognito is offered, including AWS GovCloud (US).

Audit Microsoft 365 for Hidden Malicious OAuth Applications

🔍 Matt Kiely of Huntress Labs urges Microsoft 365 administrators to audit OAuth applications across their tenants and provides a pragmatic starting tool, Cazadora. The research shows both abused legitimate apps (Traitorware) and bespoke malicious apps (Stealthware) can persist for years and that Azure’s default user-consent model enables these abuses. Operators should check Enterprise Applications and Application Registrations for suspicious names, anomalous reply URLs (notably a localhost loopback with port 7823), and other anomalous attributes, then take remediation steps.

Token Theft Fuels SaaS Breaches — Security Teams Must Act

🔐 Token theft is now a primary vector for SaaS breaches, with stolen OAuth, API keys, and session tokens enabling attackers to bypass MFA and access integrated services. High-profile incidents from 2023 to 2025 show how a single unrotated token can compromise code, secrets, or customer data across platforms. Teams should prioritize discovery, continuous monitoring, and strict token hygiene—rotation, least-privilege scopes, approval workflows, and prompt revocation.

GitHub Account Compromise Led to Salesloft Drift Breach

🔒 Salesloft says the breach tied to its Drift application began after a threat actor compromised its GitHub account. Google-owned Mandiant traced the actor, tracked as UNC6395, accessing the account from March through June 2025 and downloading repository content, adding a guest user and establishing workflows. Attackers then accessed Drift's AWS environment and obtained OAuth tokens used to reach customer data via integrations, prompting Salesloft to isolate Drift infrastructure and take the application offline on September 5, 2025. Salesloft recommends revoking API keys for third-party apps integrated with Drift, and Salesforce has restored most Salesloft integrations while keeping Drift disabled pending further remediation.