< ciso
brief />
Tag Banner

All news with #oauth misconfiguration tag

28 articles · page 2 of 2

ConsentFix attack hijacks Microsoft accounts via Azure CLI

🔒 A new variant of the ClickFix social‑engineering technique, called ConsentFix, abuses the Azure CLI OAuth flow to hijack Microsoft accounts without passwords or MFA. Discovered by Push Security, the campaign lures targets via compromised high‑ranking websites and a fake Cloudflare Turnstile CAPTCHA to filter victims. The attack captures an OAuth authorization code returned to a localhost redirect and instructs the user to paste the URL, enabling the attacker to exchange the code for an Azure CLI access token and take control of the account.
read more →

AWS ALB Adds JWT Verification for Service-to-Service Auth

🔐 Amazon Web Services added JWT Verification to the Application Load Balancer (ALB), enabling ALB to validate token signatures, expirations, and claims in request headers. The capability supports OAuth 2.0 flows including Client Credentials, letting teams offload M2M/S2S token validation to the ALB without changing application code. The feature is available in all ALB-supported AWS Regions.
read more →

OAuth Device Code Phishing: Azure vs Google Compared

🔐 Matt Kiely of Huntress examines how the OAuth 2.0 device code flow enables phishing and highlights stark differences between Microsoft and Google. He walks through the device-code attack chain — generating a device code, social-engineering a user to enter it on a legitimate site, and polling the token endpoint to harvest access and refresh tokens. The analysis shows Azure’s implementation lets attackers control client_id and resource parameters to obtain powerful tokens, while Google’s implementation restricts device-code scopes and requires app controls that significantly limit abuse. Practical examples, cURL/Python snippets, and mitigation advice are included for defenders.
read more →

Amazon Cognito Adds Resource Indicators for OAuth 2.0

🔐 Amazon Cognito now accepts resource indicators in OAuth 2.0 access token requests, enabling app clients to request tokens targeted to a specific protected resource rather than a broad service audience. After authenticating the client, Cognito issues an access token with the aud claim set to that resource. This replaces prior workarounds that relied on non‑standard claims or custom scopes and simplifies issuing resource‑specific tokens for agents and other clients. The capability is available to Cognito Managed Login customers on Essentials and Plus tiers in Regions where Cognito is offered, including AWS GovCloud (US).
read more →

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.
read more →

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.
read more →

SalesLoft Drift Breaches Expose Fourth-Party OAuth Risk

🔐 The SalesLoft acquisition of Drift exposed a hidden fourth‑party attack surface when legacy OAuth tokens—some dormant for 18 months—were abused to access customer Salesforce instances and a limited number of Google Workspace accounts. Attackers leveraged inherited tokens to enumerate and exfiltrate data, revealing how M&A can transfer persistent permissions outside visibility. The author calls for continuous, behavior‑based monitoring of every OAuth token and API call and recommends practical "OAuth archaeology" to inventory, rotate, or revoke legacy access.
read more →

Zscaler Salesforce Breach Exposes Customer Support Data

⚠️ Zscaler says threat actors accessed its Salesforce instance after a compromise of Salesloft Drift, during which OAuth and refresh tokens were stolen and used to access customer records. Exposed information includes names, business email addresses, job titles, phone numbers, regional details, product licensing and commercial data, and content from certain support cases. Zscaler emphasizes the breach was limited to its Salesforce environment—not its products, services, or infrastructure—and reports no detected misuse so far. The company has revoked Drift integrations, rotated API tokens, tightened customer authentication for support, and is investigating.
read more →