We just published another blog related to application risk from OAuth applications: Who Do You Trust? Challenges with OAuth Application Identity . This follows up on several other recent blogs related to OAuth:
- Who Do You Trust? OAuth Client Application Trends
- New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1)
In this blog, we discuss some of the challenges that aren't addressed by the OAuth protocol, specifically the challenges in identifying an OAuth application that a user is trusting with access to data or other resources.
The scenario is: A user or administrator or an organization is prompted whether to trust an application -- you see an application title (created by the developer) -- is it real or is it fake?
Unlike the more-established field of malware that utilize DNS, we have nothing akin to DNS registrars, passive DNS databases, certificate authorities, so it makes the task of identification and attribution much more difficult. The OAuth vendors such as Microsoft or Google do not make available the information about OAuth application developers (such as verification status, URL, contact information, the unique client id) to security vendors to help customers defend. Customers/end-users sometimes see a verification status but it's very confusing and ultimately, not the way to solve the problem.
We believe at Netskope, that attacks that abuse OAuth will increase greatly in the coming year.
Let us know if this is top-of-mind for you (through your account team), and we'd appreciate having more in-depth conversations with our Research and Product teams on how we can prepare and defend against these attacks better.