OAuth Phishing - Apps Used for Phishing


(Warren White M.S. Cybersecurity) #1

I recently came across a recent article that goes into how apps that we all use can be potentially used for phishing. Thinking about how many apps I have on my phone and not being aware if they are collecting my data can be worrisome. OAuth Phishing which is not easily detected, fixed, and easily used by hackers should be something we all need to be aware of. This is an exploit for Open Authorization which is used by many online providers like Google, Yahoo, and Microsoft to name a few. Though they try and stop the exploits it doesn’t mean that it is fixed because the vulnerability is still there to be exploited in other ways.

OAuth Phishing can go through employee email accounts and take them over. It can spread to other accounts like banking, accounting, cloud storage, etc. It can pass two-factor authentication even if passwords are reset. It typically comes from an email that will redirect you to an actual site, such as Facebook, and will ask for you to grant permissions to the malicious app. This is how passwords wouldn’t be necessary for the app to gain access to the accounts.

OAuth is how users over the Internet add third-party apps to online services like that of Google, Twitter, Facebook without the use of a password. The OAuth token is created and the user agrees to bypass a password and allows the app other permissions, even administrative rights. This allows the OAuth token to access parts of a user’s account to everything. If the user agrees for an app to have permission to gain access to other app accounts the results could be devastating. I know many people who are not allowing certain apps on their phone because they want permission to access a lot of data on their phone. This is something to really keep in mind. Hope you all found this informative! The link to the article is pasted below.


(Ron D) #2

Google just recently released an update to GSuite to help tackle this problem. While it doesn’t help with other identity providers, it at least gives you some control over your Google business accounts.

Manage access to third-party apps with new G Suite security controls


(Warren White M.S. Cybersecurity) #3

Hey Ron,

That’s awesome to know thanks for the update! Google is usually good for making their security tight with the occasional hiccups like most companies.