We’re now all too familiar with the ubiquitous “Sign in with Google” button we encounter all over the internet. For most of us, it has become the go-to “easy button” for managing the sprawling set of accounts we’ve created. Behind that button is an OAuth grant—a tokenized mechanism for providing any given third-party tool access to information stored in our Google account.
While this makes our digital lives much easier, it’s also a huge headache for security teams to monitor and untangle at scale. First, how do you know the third-party service should be trusted? Not an easy question to answer.
How do you know your employees are making good choices when clicking through those screens? Not easy at all!
It’s good practice to establish a routine of reviewing new and existing OAuth grants programmatically to catch risky activity or overly-permissive scopes.
Here are five key OAuth risk insights you should evaluate when you investigate an OAuth grant, and where you can find the information you need.
Download our free OAuth investigation checklist here. →
1. OAuth scopes and permissions
OAuth grant scopes can provide clear indicators about the potential risk a grant could pose to your organization. Certain scopes can provide threat actors with important access to your environment, making grants with permissive scopes especially important to investigate and monitor.
For example, Russian threat actor Midnight Blizzard abused Microsoft OAuth grants to gain full access to Office 365 Exchange Online mailboxes of Microsoft employees.
To find the scopes associated with a particular app, you can access each app’s OAuth consent screen to review its requested scopes, or you can check API access logs for scope usage.
As a starting point for understanding whether any scopes could be cause for concern or provide exploitable access, you can cross-reference them with lists of the scopes Google considers sensitive or restricted. Note that while you can restrict access to grants with these scopes in the admin panel, Google doesn’t easily identify which apps fall into this category outside of these lists.
And, there are new solutions for SaaS security cropping up that can make this process easier by discovering all apps and OAuth grants continuously and surfacing potential risks.
2. App registration details
Registration details such as the client ID, reply URL, publisher name, and publisher email address can help you catch indications that an app is potentially malicious or even just poorly configured. For example, an app published with a personal email address or a Google group could pose a security risk to your organization, even if the app appears to be legitimate otherwise.
Registration details can also expose indicators that an app’s creator is trying to camouflage a malicious app as a trustworthy one, such as using “leet speak” to make a URL look like a familiar legitimate app at first glance.
To fully evaluate an app’s registration information, you’ll need to seek out multiple sources. For example, you can perform a WHOIS lookup on the reply URL, cross-reference the publisher email domains with official company domains, and use sources like Have I Been Pwned to determine if the email address may have been compromised.
Make sure to consider the domain’s age, reputation, and threat indicators, which can provide evidence of previous misuse or reveal that the domain was created recently.
3. Vendor trust signals
Certain reputational indicators can help you determine whether an app provider is legitimate. For example, Google or Microsoft both have methods of verifying the identity of app publishers. Although this can serve as a trust indicator, it’s important to also consider other factors given that threat actors have taken advantage of verified statuses in previous attacks.
You should also assess the app provider’s security program for additional context.
To find this information on your own, start by verifying whether the app is listed in official marketplaces like Google Workspace Marketplace or Microsoft Azure Marketplace. These listings will also tell you whether or not an app has been verified with the app publisher. Next, look into the vendor’s security page, security certifications, security program, and breach history for additional context.
You can browse this information on Nudge Security’s database of vendor security profiles.
4. App popularity
Popularity can provide another potential trust indicator. If an app has millions of users, or even just an existing foothold within your company, it may help to bolster your confidence in the app.
To assess an app’s popularity, you can check review sites for adoption information outside of your organization. You can also check your own organization’s usage data by checking cloud service dashboards such as Google Admin Console and Microsoft Azure AD.
Detect, investigate, and revoke high-risk OAuth grants with Nudge Security.
Nudge Security helps you manage OAuth risks at scale by discovering and categorizing all SaaS accounts ever introduced by anyone in your organization along with the OAuth grants that connect them.
For each grant discovered, Nudge Security assigns an OAuth risk score, and provides insight into the risk factors covered above so you can quickly identify and prioritize areas for deeper investigation. And, OAuth grants can be revoked directly from Nudge Security to swiftly mitigate risks.
Start a free trial to learn more, and see your own organization’s OAuth risks.
Sponsored and written by Nudge Security.