The Hidden Risks of OAuth Tokens and the Need for Enhanced Verification

By Tina Reynolds

As the digital world moves further toward third-party applications, the security risks of OAuth tokens are coming under closer examination. Gal Nakash, Chief Product Officer and Co-founder of Reco, emphasizes the importance of evaluating how these tokens are managed. Organizations expose themselves to serious threats when third-party integrations are granted overly broad permissions. Moreover, once issued, these tokens can remain valid for long periods, which compounds the risk.

OAuth is designed to streamline delegated authorization, but the way tokens are issued and managed in practice lags well behind that goal. Grants issued to third-party applications can remain valid for months or years: access tokens are usually short-lived, but the refresh tokens behind them often have no explicit expiration and persist until an administrator revokes them. Connected apps are routinely permitted to access sensitive data with no meaningful user interaction, which leaves serious privacy and security exposure unaddressed.

The potential for misuse is alarming. A single compromised token can expose an entire blind spot in an organization's security posture. This was dramatically highlighted in the recent Salesforce- and Microsoft-related breaches, where companies were compromised through stolen OAuth tokens. In the CircleCI security incident, malware on an engineer's laptop captured a valid session token, giving the attacker access to production systems and causing a serious breach.

The Flaws in Current Verification Practices

Of all the ways OAuth fails, the most egregious defect is how authorizations are verified. The problem starts at the initial consent screen, which checks identity and permissions exactly once; after that, the token is presented as a bearer credential with no re-evaluation of the user, device, or context. As a result, the "verify" half of "never trust, always verify" tends to end on the day the token is issued. This narrow focus over-optimizes for permissions and identity at a single instant in time, allowing stale access controls to endure.

Additionally, most integrations request far more permissions than they actually need. This mode of operation creates a dangerous build-up of access privileges that bad actors can leverage. As Nakash points out, organizations must ask themselves, "Does this behavior make sense for this identity?" That question is instrumental to a more rigorous approach to scoping permissions, and it provides assurance that access is limited to what is strictly necessary.

When these integrations are automated, the vulnerabilities are magnified further. Automations usually run with little human oversight, so actions performed with a compromised token can go unmonitored. Without checks and balances in place, organizations leave the door open for harmful activity to continue unchecked.

Notable Breaches Highlighting the Risks

High-profile breaches over the last few years show an immediate need for organizations to improve their OAuth token management practices. In one such case at Slack, attackers stole employee tokens that gave them access to the company's code repositories. Breaches like these put sensitive information at risk and erode stakeholder confidence in the organization's ability to safeguard data.

In the Salesloft/Drift breach, attackers exploited stolen OAuth tokens belonging to Drift's Salesforce integration, which was still active, to reach data in connected Salesforce instances. These events demonstrate that OAuth tokens can become "skeleton keys": if mismanaged, they open the doors to troves of highly sensitive data.

As organizations increasingly rely on interconnected applications to streamline operations, they must contend with the complexity of maintaining robust security practices. Companies need stricter oversight of token use, including a revocation policy that retires grants that are no longer needed. The growing shift to third-party apps demands it.

A Call for Proactive Security Measures

Given the potential impact of OAuth token misuse, experts are calling for a more preventative approach to defending privileged access. Organizations should routinely audit the permissions they have granted to third-party applications and prune those that exceed current operational needs. A process for timely revocation of tokens addresses much of the risk that comes with long-term validity.
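The two practices described above and in the verification section (auditing grants for excess scope and staleness, and asking whether a token's observed behavior makes sense for the identity holding it) can be scripted. The following is an added example, not code from the article or from Reco; the grant and event records are constructed inline, and the field names, scope lists, and behavioral baselines are assumptions for illustration rather than any vendor's schema.

```python
"""Audit OAuth grants for excess scope, missing expiry and staleness, and check
whether token activity fits the identity that holds it.  Added example; all
records below are constructed and every field name is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

# Scopes that grant broad, tenant-wide access (assumed list for illustration).
HIGH_RISK_SCOPES = {"*", "full", "admin", "offline_access", "repo", "files.read.all"}

# Least-privilege baseline per integration category (assumed).
EXPECTED_SCOPES = {
    "chat-bot": {"chat:write", "channels:read"},
    "crm-sync": {"contacts.read", "leads.read"},
    "ci-runner": {"repo:status"},
}

# Per-identity behavioral baseline: normal actions, egress ranges, bulk-read size (assumed).
BEHAVIOUR_BASELINE = {
    "crm-sync-app": {"actions": {"contacts.list", "leads.list"},
                     "ip_prefixes": ("203.0.113.",), "max_records": 500},
}


@dataclass
class Grant:
    client_id: str
    category: str
    scopes: set
    granted_at: datetime
    last_used_at: Optional[datetime]
    expires_at: Optional[datetime] = None  # None: valid until explicitly revoked


@dataclass
class TokenEvent:
    client_id: str
    action: str
    source_ip: str
    records: int


def audit_grant(grant, now=NOW, max_idle=timedelta(days=90)):
    """Return the list of findings for one grant (empty list means clean)."""
    findings = []
    baseline = EXPECTED_SCOPES.get(grant.category, set())
    excess = grant.scopes - baseline
    if excess:
        findings.append(f"over-scoped: {sorted(excess)} beyond {sorted(baseline)}")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append(f"high-risk scope: {sorted(risky)}")
    if grant.expires_at is None:
        findings.append("no expiry: valid until explicitly revoked")
    if grant.last_used_at is None or now - grant.last_used_at > max_idle:
        findings.append(f"stale: unused for more than {max_idle.days} days")
    return findings


def should_revoke(findings):
    """Policy: revoke grants that are stale or hold scopes beyond their baseline."""
    return any(f.startswith(("stale", "over-scoped")) for f in findings)


def check_event(ev, baseline=BEHAVIOUR_BASELINE):
    """Answer 'does this behavior make sense for this identity?' with reasons it does not."""
    b = baseline.get(ev.client_id)
    if b is None:
        return ["unknown identity"]
    reasons = []
    if ev.action not in b["actions"]:
        reasons.append(f"unexpected action {ev.action}")
    if not ev.source_ip.startswith(b["ip_prefixes"]):
        reasons.append(f"unexpected source {ev.source_ip}")
    if ev.records > b["max_records"]:
        reasons.append(f"bulk read of {ev.records} records (baseline {b['max_records']})")
    return reasons


def run_audit(grants):
    return {g.client_id: audit_grant(g) for g in grants}


def flag_events(events):
    """Return (client_id, reasons) only for events that do not fit the baseline."""
    return [(e.client_id, r) for e in events if (r := check_event(e))]


# Constructed sample data: one over-scoped CRM integration, one clean bot, one forgotten runner.
SAMPLE_GRANTS = [
    Grant("crm-sync-app", "crm-sync", {"contacts.read", "leads.read", "full"},
          datetime(2023, 1, 10, tzinfo=timezone.utc), datetime(2025, 8, 30, tzinfo=timezone.utc)),
    Grant("standup-bot", "chat-bot", {"chat:write", "channels:read"},
          datetime(2024, 3, 1, tzinfo=timezone.utc), datetime(2025, 8, 31, tzinfo=timezone.utc),
          expires_at=datetime(2025, 12, 1, tzinfo=timezone.utc)),
    Grant("old-ci-runner", "ci-runner", {"repo:status"},
          datetime(2022, 5, 5, tzinfo=timezone.utc), datetime(2025, 1, 15, tzinfo=timezone.utc)),
]
SAMPLE_EVENTS = [
    TokenEvent("crm-sync-app", "contacts.list", "203.0.113.7", 120),
    TokenEvent("crm-sync-app", "cases.export", "198.51.100.23", 48000),
]

if __name__ == "__main__":
    for cid, findings in run_audit(SAMPLE_GRANTS).items():
        print(cid, "REVOKE" if should_revoke(findings) else "keep", findings)
    for cid, reasons in flag_events(SAMPLE_EVENTS):
        print("ANOMALY", cid, reasons)
```

The grant audit is what a periodic review would run against an export of connected apps; the event check is what belongs in the path that consumes token-usage logs, so that the question in the text is asked on every use rather than only at consent time.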

Organizations should focus not only on upfront verification of who and what a token holder is, but on ongoing verification of token usage and access rights. By establishing regular audits and modern monitoring, they are not just better prepared for a possible breach; they are equipped to prevent one.