
Best Practices for Investigating and Prioritizing OAuth Grants

From the user's side, OAuth (Open Authorization) makes signing up for and connecting applications feel effortless: a few clicks and a new app or integration holds the keys to your account. That simplicity hides the weight of what is being handed over. Every consent screen creates an OAuth grant, and the permissions approved there persist long after the click. Attackers know this, and tricking an employee into consenting to a malicious app gives them access to corporate systems without ever stealing a password.

A well-known case is Pawn Storm's campaign against the Democratic National Committee, where the group used OAuth consent requests as the lure in its social-engineering attacks. For this reason, security teams should set up a regular, systematic review of new and existing OAuth grants to detect risky activity and disproportionately permissive scopes. The task sounds daunting, but emerging SaaS security tools make it manageable.

Organizations review OAuth grants in different ways. Many perform a real-time review of each new grant as a user signs up for an application or connects an integration. A stronger control is to require administrative approval before a grant takes effect: in Microsoft Entra ID this is the user consent settings combined with the admin consent workflow, and in Google Workspace it is the third-party app access controls that block or restrict unverified apps. Either way, the team gets time to examine a request before the app holds any access.

Vigilance should not end once a grant is in place. Periodically review existing grants for unusual activity and significant changes, such as newly added scopes. Security and IT teams should run monthly or quarterly audits of existing grants, checking for changes and revoking grants that are no longer in use.

OAuth is an authorization protocol: after the user consents, the identity provider issues the third-party app an access token (and often a refresh token) carrying the scopes the user approved, and the app presents that token in place of the user's credentials. The access a single grant confers can be broad, so the review queue can be prioritized by the scopes each grant holds.

When prioritizing investigations, give the most attention to grants whose scopes reach sensitive data or change the environment: personally identifiable information (mail, contacts, files), intellectual property, or the ability to modify applications and directory objects. Tools exist that compile an inventory of all OAuth grants with the scopes and a risk grade for each, which simplifies this triage.
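The triage described above (scope-based risk, publisher verification, and pruning of idle grants from the periodic audit) can be scripted once you have an inventory export. The following is an added example written for this article, not code from the original post or from any vendor tool. The grant records are constructed to resemble an exported inventory; the scope names are real Microsoft Graph and Google API scopes, but the risk tiers, weights, thresholds and the application names and client IDs are this example's own assumptions.

```python
"""Prioritize OAuth grants for review by the risk of the scopes they hold."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed risk tiers (an assumption of this example, not an official rating).
# Scopes that reach mail/files (PII), or can modify directory and app objects,
# rank highest. Anything not listed is "unknown" and still deserves a look.
SCOPE_TIERS = {
    # Microsoft Graph
    "Directory.ReadWrite.All": "critical",
    "Application.ReadWrite.All": "critical",
    "Mail.ReadWrite": "high",
    "Mail.Read": "high",
    "Files.ReadWrite.All": "high",
    "Files.Read.All": "medium",
    "Contacts.Read": "medium",
    "User.Read": "low",
    "offline_access": "low",
    "openid": "low",
    "profile": "low",
    "email": "low",
    # Google APIs
    "https://www.googleapis.com/auth/gmail.modify": "high",
    "https://www.googleapis.com/auth/gmail.readonly": "high",
    "https://www.googleapis.com/auth/drive": "high",
    "https://www.googleapis.com/auth/drive.readonly": "medium",
    "https://www.googleapis.com/auth/userinfo.email": "low",
}
TIER_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1, "unknown": 4}
STALE_AFTER_DAYS = 90          # assumed pruning threshold for the periodic audit
REVIEW_DATE = date(2024, 7, 1)  # the day the audit is run (constructed)


@dataclass
class Grant:
    app_name: str
    client_id: str               # constructed identifiers, not real app registrations
    scopes: list[str]
    users: int                   # how many users have consented to this app
    last_used: Optional[date]    # None: no sign-in or API activity on record
    publisher_verified: bool     # Microsoft/Google publisher verification status


def scope_tier(scope: str) -> str:
    return SCOPE_TIERS.get(scope, "unknown")


def risk_score(grant: Grant) -> tuple[int, list[str]]:
    """Sum scope weights, then adjust for persistence and publisher trust."""
    reasons: list[str] = []
    score = 0
    tiers = set()
    for s in grant.scopes:
        t = scope_tier(s)
        tiers.add(t)
        score += TIER_WEIGHT[t]
        if t in ("critical", "high", "unknown"):
            reasons.append(f"{t} scope {s}")
    # offline_access yields a refresh token: privileged access outlives the user's session.
    if "offline_access" in grant.scopes and tiers & {"critical", "high"}:
        score += 2
        reasons.append("offline_access keeps privileged access alive without the user")
    if not grant.publisher_verified:
        score *= 2  # assumption: unverified publishers double the score
        reasons.append("publisher not verified")
    return score, reasons


def days_idle(grant: Grant, today: date) -> Optional[int]:
    return None if grant.last_used is None else (today - grant.last_used).days


def is_stale(grant: Grant, today: date) -> bool:
    idle = days_idle(grant, today)
    return idle is None or idle > STALE_AFTER_DAYS


def priority_label(score: int) -> str:
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(grants: list[Grant], today: date) -> list[dict]:
    """Return one row per grant, most urgent first, each with its reasons."""
    rows = []
    for g in grants:
        score, reasons = risk_score(g)
        stale = is_stale(g, today)
        if stale:
            idle = days_idle(g, today)
            reasons.append("prune candidate: " + ("never used" if idle is None else f"idle {idle} days"))
        rows.append({"app": g.app_name, "score": score, "priority": priority_label(score),
                     "users": g.users, "stale": stale, "reasons": reasons})
    rows.sort(key=lambda r: (-r["score"], r["app"]))
    return rows


# Constructed inventory for the demonstration.
SAMPLE_GRANTS = [
    Grant("Contoso Mail Helper", "c0ffee01", ["Mail.ReadWrite", "offline_access", "User.Read"], 3, date(2024, 5, 1), False),
    Grant("Fabrikam Directory Sync", "c0ffee02", ["Directory.ReadWrite.All", "Application.ReadWrite.All", "User.Read"], 1, date(2024, 6, 10), True),
    Grant("Sheets Reporter", "c0ffee03", ["https://www.googleapis.com/auth/spreadsheets.readonly"], 40, date(2024, 6, 28), True),
    Grant("Legacy Survey Tool", "c0ffee04", ["https://www.googleapis.com/auth/userinfo.email", "openid"], 12, date(2023, 11, 2), True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{row['priority']:>8} {row['score']:>3} {row['app']:<26} {'; '.join(row['reasons'])}")
```

The directory-modifying grant lands at the top even though only one user consented to it, while the unverified mail app is close behind because a refresh token plus Mail.ReadWrite is exactly what a consent-phishing app wants. The idle survey tool scores low but is flagged for revocation, which is the pruning step of the quarterly audit.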

Establish the credibility of the vendor behind each grant. Examine its security page and security certifications, and check whether its security program follows accepted best practices. Microsoft's and Google's publisher verification programs add confidence in an app publisher's identity, but they are supplementary signals rather than proof of trustworthiness: verified status has been abused in recent campaigns.

How widely a grant is used inside your workforce, and beyond your organization, is a further trust signal, but beware of look-alike domains and suspicious email addresses, which are routinely used to impersonate legitimate apps and trick users.

Monitoring how a vendor actually uses its access to your environment lets you spot sudden changes and suspicious activity, although the telemetry available depends on your service tier. Track high-profile supply chain attacks that may have affected OAuth vendors and understand what a compromise of that vendor would expose. Likewise, assess the impact of major vulnerabilities on your vendors, and remember that the grants themselves can be the weak point, for example through over-broad scopes or long-lived refresh tokens.
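"Sudden changes" in how a granted app uses its access is something you can define concretely once you have per-app activity from the sign-in or audit logs. The block below is an added example for this article, not code from the original post or from any product. It works on constructed daily roll-ups of the form (day, client ID, operation, call count); the client IDs, operation names, the 28-day baseline window and the 3x volume multiplier are all assumptions of the example.

```python
"""Flag sudden changes in how a granted app uses its access."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

BASELINE_DAYS = 28         # assumed: compare today against the previous four weeks
VOLUME_MULTIPLIER = 3.0    # assumed: flag a day above 3x the baseline median
TODAY = date(2024, 7, 1)   # the day being examined (constructed)


def build_events():
    """Constructed daily roll-ups: (day, client_id, operation, calls)."""
    events = []
    for i in range(1, BASELINE_DAYS + 1):
        day = TODAY - timedelta(days=i)
        events.append((day, "app-sync", "GET /users", 40 + i % 3))        # steady ~41/day
        events.append((day, "app-sync", "GET /groups", 10))
        events.append((day, "app-mail", "GET /me/messages", 50 + i % 2))  # steady ~50/day
    # Today: a volume spike, a never-before-seen write, and an app with no history.
    events += [
        (TODAY, "app-sync", "GET /users", 400),
        (TODAY, "app-sync", "PATCH /applications/{id}", 3),
        (TODAY, "app-mail", "GET /me/messages", 52),
        (TODAY, "app-new", "GET /me/drive/root/children", 5),
    ]
    return events


def baseline_window(events, day):
    """client_id -> operation -> list of daily counts in the window before `day`."""
    start = day - timedelta(days=BASELINE_DAYS)
    hist = defaultdict(lambda: defaultdict(list))
    for d, client, op, n in events:
        if start <= d < day:
            hist[client][op].append(n)
    return hist


def detect_changes(events, day):
    """Return (client_id, operation, finding) for each deviation on `day`."""
    hist = baseline_window(events, day)
    findings = []
    for d, client, op, n in events:
        if d != day:
            continue
        if client not in hist:
            findings.append((client, op, "first activity: no calls in baseline window"))
        elif op not in hist[client]:
            findings.append((client, op, "new operation not seen in baseline"))
        else:
            base = median(hist[client][op])
            if n > VOLUME_MULTIPLIER * base:
                findings.append((client, op, f"volume {n} vs baseline median {base:g}"))
    return sorted(findings)


EVENTS = build_events()

if __name__ == "__main__":
    for client, op, why in detect_changes(EVENTS, TODAY):
        print(f"{client:<10} {op:<30} {why}")
```

A read-only sync app that starts issuing PATCH calls against application objects, or that pulls ten times its usual volume of user records, is the kind of change worth investigating the same day rather than at the next quarterly audit; the first-activity finding is the cue to check that the new grant went through the approval process at all.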

Darksteel Technologies is an Orlando-based business that can handle all aspects of your IT security: compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security requirement your business has. We focus on your cybersecurity so you don't have to.

