OAuth Tokens: The Security Back Door Many Organizations Still Fail to Control
Over the past several years, organizations have invested heavily in defensive layers such as multi-factor authentication (MFA), endpoint protection, and zero trust frameworks. Yet one blind spot is increasingly exploited by attackers while remaining under-addressed by many security teams: OAuth tokens and the third-party applications they are granted to.
According to recent cybersecurity research, OAuth has become one of the most effective attack paths for threat actors seeking to bypass traditional authentication controls and gain direct access to enterprise SaaS environments.

Why OAuth Has Become a Prime Target for Attackers
OAuth was designed to allow users to grant third-party applications access to data and services without sharing passwords.
This model improves usability and enables rapid integrations across platforms such as:
Microsoft 365
Google Workspace
Salesforce
Slack
AI tools and automation platforms
However, when OAuth access tokens or refresh tokens are stolen, the attacker holds a valid credential and can:
Call the provider's APIs directly, with whatever scopes the application was granted
Bypass MFA, because the token represents an authentication that already happened and is not re-challenged
Evade many login anomaly detection mechanisms, because no interactive login ever occurs
Maintain persistence for as long as the refresh token remains valid and unrevoked
In other words, rather than “breaking in,” attackers are increasingly walking through the front door with legitimate keys.
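The mechanics described above, as an added example that is not code from the article or from any vendor it names. It models the refresh_token grant in a toy in-memory authorization server: whoever holds the refresh token can mint new access tokens with no password and no MFA prompt, exactly the property a stolen token gives an attacker. It also goes beyond the text to show the server-side mitigation recommended in the OAuth 2.0 Security Best Current Practice (RFC 9700), refresh-token rotation with reuse detection: each refresh token is single-use, and presenting one that was already rotated away revokes the whole token family. Class, function and account names are assumptions.

```python
import secrets
import time


class AuthServer:
    """Toy authorization server (assumption: in-memory, single tenant)."""

    def __init__(self, rotate: bool):
        self.rotate = rotate
        self.refresh_tokens = {}      # refresh token -> record
        self.revoked_families = set()
        self.events = []              # security events a SOC would want to see

    def _new_refresh(self, sub, scope, family):
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = {"sub": sub, "scope": scope,
                                   "family": family, "used": False}
        return rt

    @staticmethod
    def _access_token(rec):
        return {"sub": rec["sub"], "scope": rec["scope"],
                "exp": int(time.time()) + 3600,
                "value": secrets.token_urlsafe(16)}

    def authorize(self, sub, scope):
        """The interactive step: the user logs in, passes MFA and consents to
        `scope`. This is the only point at which anyone is challenged."""
        family = secrets.token_hex(4)          # one family per consent
        rt = self._new_refresh(sub, scope, family)
        return {"access_token": self._access_token(self.refresh_tokens[rt]),
                "refresh_token": rt}

    def refresh(self, rt):
        """grant_type=refresh_token: whoever presents `rt` gets a fresh access
        token. No password, no MFA and no interactive login to alert on."""
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec["family"] in self.revoked_families:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # A token that was already rotated away is being presented again.
            # Either the attacker or the real client holds a stale copy and the
            # server cannot tell which, so the whole family is revoked; the
            # legitimate client is pushed back through interactive login.
            self.revoked_families.add(rec["family"])
            self.events.append(("refresh_token_reuse", rec["sub"], rec["family"]))
            return {"error": "invalid_grant"}
        if self.rotate:
            rec["used"] = True
            next_rt = self._new_refresh(rec["sub"], rec["scope"], rec["family"])
        else:
            next_rt = rt                      # static refresh token: reusable forever
        return {"access_token": self._access_token(rec), "refresh_token": next_rt}


def simulate_theft(rotate: bool, attacker_first: bool) -> dict:
    """The scenario in the text: an integration's refresh token is copied by an
    attacker, and both parties then try to use it. Returns who got tokens."""
    srv = AuthServer(rotate=rotate)
    grant = srv.authorize("integration-svc@example.com", "api")   # assumed names
    held = {"client": grant["refresh_token"],
            "attacker": grant["refresh_token"]}   # the exfiltrated copy

    def use(who):
        res = srv.refresh(held[who])
        if "error" in res:
            return False
        held[who] = res["refresh_token"]   # each party keeps the token it got back
        return True

    order = ("attacker", "client") if attacker_first else ("client", "attacker")
    first_round = {who: use(who) for who in order}
    second_round = {who: use(who) for who in ("attacker", "client")}
    return {
        "attacker_first_use": first_round["attacker"],
        "client_first_use": first_round["client"],
        "attacker_later": second_round["attacker"],
        "client_later": second_round["client"],
        "reuse_detected": any(e[0] == "refresh_token_reuse" for e in srv.events),
    }


if __name__ == "__main__":
    for rotate in (False, True):
        for attacker_first in (True, False):
            print(f"rotate={rotate} attacker_first={attacker_first}:",
                  simulate_theft(rotate, attacker_first))
```

With static refresh tokens both the attacker and the real client keep getting access tokens indefinitely and nothing is logged. With rotation the attacker gets at most one access-token lifetime before the family is revoked, and the collision surfaces as a reuse event worth alerting on. The caveat is that rotation is a property of the identity provider's token endpoint, not something the SaaS customer can always turn on, which is why the monitoring the rest of this article describes still matters.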
The Drift Incident Demonstrates the Real-World Risk of OAuth Compromise
A clear example of this threat emerged in the security incident involving Drift, now part of Salesloft.
According to reports, the threat group tracked as UNC6395 stole OAuth refresh tokens associated with Drift and used them to access more than 700 customer Salesforce environments.
Because those tokens had been legitimately granted to Drift, the attack bypassed:
MFA protections
Login anomaly detection
Multiple traditional identity security controls
Once inside, the attackers expanded their access by:
Extracting enterprise data
Harvesting internal credentials
Stealing AWS access keys
Collecting Snowflake tokens
Pivoting into additional enterprise systems
CISOs Know OAuth Is a Problem - Most Still Aren’t Solving It
While awareness of OAuth-related risk has increased significantly, many organizations still lack the operational capability to manage it effectively.
Research from Material Security shows:
80% of security leaders consider unmanaged OAuth grants a critical or significant risk
45% of organizations do not monitor OAuth grants at enterprise scale
33% rely on manual processes, including spreadsheets and ad hoc permission reviews
In other words, nearly half of organizations have no mechanism to monitor OAuth grants at scale across their environments. The 33% that rely on manual processes track grants in spreadsheets, review access permissions on an ad hoc basis, or depend on employees to report unusual application behavior when they happen to notice it.
Awareness Exists - Operational Capability Does Not
The data highlights a widening gap between understanding the problem and being equipped to address it.
Spreadsheets are not a threat response capability - they are merely a record of exposure an organization does not fully understand.
Why One-Time OAuth Approval Reviews Are No Longer Enough
Many organizations still evaluate OAuth-connected applications only at the time of installation by asking questions such as:
What scopes does the app request?
Is the vendor trustworthy?
Are the permissions excessive?
But this approach overlooks a critical reality:
An application that is legitimate today can become a security risk tomorrow if that vendor or application is compromised.
That is precisely what happened in the Drift incident. The application itself was not malicious when approved - but its credentials were later stolen and weaponized by attackers.
How Organizations Should Respond to OAuth Risk
To secure modern SaaS environments, organizations must move beyond an approve-and-forget model and adopt continuous monitoring.
1. Continuously Monitor OAuth-Connected App Behavior
Track indicators such as:
Unusual API call volume
Abnormal data access patterns
Activity outside normal operating hours
Queries targeting sensitive datasets
2. Assess Blast Radius Based on Privilege Level
Not all OAuth grants carry equal risk: a delegated token can reach whatever the granting account can reach, within the scopes it was granted.
For example:
A token linked to a standard employee account may present limited impact
A token tied to an admin, executive, or privileged account presents significantly higher risk
3. Automate Risk-Based Response Workflows
Organizations should implement playbooks to:
Immediately revoke clearly malicious applications
Escalate suspicious trusted-app behavior for review
Alert SOC teams based on risk prioritization
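The three steps above, combined into one worked example. This is added code, not from the article or from Material Security: it runs the behavioural indicators of step 1 over a handful of constructed audit events, weights each finding by the granting account's privilege level as in step 2, and routes the result to the revoke / escalate / alert playbook of step 3. The event fields, thresholds, sensitive-object list and sanctioned-app inventory are all assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit events (not real telemetry). Fields are assumptions:
# `app` is the OAuth-connected application, `grantor_role` the privilege level
# of the account that granted it, `object` the dataset touched, `rows` returned.
SAMPLE_LOG = """\
{"ts": "2025-09-01T09:12:00Z", "app": "drift-connector", "grantor_role": "admin", "object": "Lead", "rows": 40}
{"ts": "2025-09-02T10:30:00Z", "app": "drift-connector", "grantor_role": "admin", "object": "Contact", "rows": 55}
{"ts": "2025-09-03T14:05:00Z", "app": "drift-connector", "grantor_role": "admin", "object": "Lead", "rows": 30}
{"ts": "2025-09-04T16:45:00Z", "app": "drift-connector", "grantor_role": "admin", "object": "Contact", "rows": 45}
{"ts": "2025-09-02T11:00:00Z", "app": "calendar-sync", "grantor_role": "standard", "object": "Contact", "rows": 20}
{"ts": "2025-09-05T13:20:00Z", "app": "calendar-sync", "grantor_role": "standard", "object": "Contact", "rows": 25}
{"ts": "2025-09-08T02:40:00Z", "app": "drift-connector", "grantor_role": "admin", "object": "User", "rows": 5000}
{"ts": "2025-09-08T03:15:00Z", "app": "calendar-sync", "grantor_role": "standard", "object": "Contact", "rows": 35}
{"ts": "2025-09-08T10:05:00Z", "app": "calendar-sync", "grantor_role": "standard", "object": "Contact", "rows": 30}
{"ts": "2025-09-08T11:00:00Z", "app": "helpful-assistant", "grantor_role": "standard", "object": "Account", "rows": 10}
"""

# Tunables (all assumptions for the example).
APPROVED_APPS = {"drift-connector", "calendar-sync"}   # the sanctioned-app inventory
SENSITIVE_OBJECTS = {"User", "AuthProvider", "NamedCredential"}
BUSINESS_HOURS = range(8, 19)                          # UTC hours 08..18
BASELINE_END = datetime(2025, 9, 8, tzinfo=timezone.utc)
VOLUME_FACTOR = 10            # rows above 10x the app's baseline mean is a spike
INDICATOR_WEIGHTS = {"volume_spike": 3, "sensitive_object": 3,
                     "new_object": 2, "off_hours": 1}
ROLE_MULTIPLIER = {"admin": 3, "executive": 2, "standard": 1}   # blast radius
ESCALATE_AT = 6               # score at or above which a trusted app is escalated


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def build_baseline(events):
    """Per-app picture of normal behaviour from the pre-cutoff events."""
    acc = {}
    for e in events:
        if e["ts"] < BASELINE_END:
            b = acc.setdefault(e["app"], {"rows": [], "objects": set()})
            b["rows"].append(e["rows"])
            b["objects"].add(e["object"])
    return {app: {"mean_rows": sum(b["rows"]) / len(b["rows"]),
                  "objects": b["objects"]} for app, b in acc.items()}


def indicators(e, baseline):
    """The four behavioural indicators from step 1, evaluated for one event."""
    found = []
    b = baseline.get(e["app"])
    if b is not None:
        if e["rows"] > VOLUME_FACTOR * b["mean_rows"]:
            found.append("volume_spike")
        if e["object"] not in b["objects"]:
            found.append("new_object")        # abnormal data access pattern
    if e["ts"].hour not in BUSINESS_HOURS:
        found.append("off_hours")
    if e["object"] in SENSITIVE_OBJECTS:
        found.append("sensitive_object")
    return found


def triage(e, baseline):
    """Scores one event by indicators x grantor privilege and picks an action."""
    if e["app"] not in APPROVED_APPS:
        # Not in the sanctioned inventory: treat as clearly unwanted and revoke.
        return {"ts": e["ts"].isoformat(), "app": e["app"], "score": None,
                "indicators": ["unapproved_app"], "action": "revoke"}
    found = indicators(e, baseline)
    score = (sum(INDICATOR_WEIGHTS[i] for i in found)
             * ROLE_MULTIPLIER.get(e["grantor_role"], 1))
    if score >= ESCALATE_AT:
        action = "escalate"           # trusted app behaving suspiciously
    elif score > 0:
        action = "alert"              # low-priority SOC notification
    else:
        action = None
    return {"ts": e["ts"].isoformat(), "app": e["app"], "score": score,
            "indicators": found, "action": action}


def run(text):
    events = parse_log(text)
    baseline = build_baseline(events)
    return [triage(e, baseline) for e in events if e["ts"] >= BASELINE_END]


if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(finding)
```

On the sample data the admin-granted connector pulling 5,000 User records at 02:40 trips all four indicators and, multiplied by the admin blast radius, is escalated; the same off-hours indicator on a standard-user grant is only a low-priority alert; an app missing from the inventory is revoked outright regardless of behaviour. The role multiplier stands in for the grant inventory the article says many organizations lack; in practice the grantor and scopes come from the identity provider's consent records, and the baseline should be built per app and per hour of day rather than from a single mean.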
Conclusion
As SaaS adoption, AI tools, and third-party integrations continue to grow, OAuth tokens are becoming an unavoidable part of the modern enterprise environment.
But without the ability to monitor, assess, and control the lifecycle of those tokens, organizations may be unknowingly leaving behind a legitimate back door for attackers inside their own infrastructure.
OAuth is no longer merely an identity management issue - it has become a strategic attack surface in modern enterprise cybersecurity.
----
Source: Based on reporting from The Hacker News / Material Security