
Expert Intel

What is Open Authorisation Exploitation?

Expert: Cam C
Role: SIEM Engineer
Specialises in: Managed Security
What you will learn:
In this recent piece of expert intel, Cam explores how easily OAuth exploitation can impact the everyday user, and why MFA isn't the magic bullet we're all looking for.
OAuth is an authorisation protocol, rather than an authentication protocol.

We are all familiar with the old “I’ve got a MacBook – viruses and hackers can’t get me!” myth, because it is “oh-so-true” that if you’re running anything Apple, security doesn’t apply to you… What’s that? GDPR? ISO 27001? … I have a Mac!

Unfortunately, yet another myth seems to be catching on: MFA. Why oh why do we not learn from history, and then wonder why history ends up repeating itself? There is no silver bullet to protecting ourselves. Yes, there are heavy precautions we can take to decrease risk and mitigate impact, but this does not remove risk entirely.

Multi-Factor Authentication is undoubtedly a great tool. I like it because I can get away with shorter passwords, tap a push notification and I’m in! Much nicer than forcing a 15+ character password that I’m going to forget when the session expires.

I don’t know what everyone else’s experience is, but recently I’ve been seeing a growing assumption that ‘x account is safe because MFA is enabled’… 

We teach ‘don’t click links in emails’, but the same should be taught for browsing the clear web. Even via the most reputable advertising companies, social media sites deliver bad websites from time to time. Whether it’s credential harvesting, a scam site or straight-up malware, it has happened before and will happen again.

Now, what I wanted to bring up was the issues surrounding ‘redirect_uri’ session poisoning. This exploits the redirect_uri parameter handled in an OAuth (Open Authorisation) request and leaks a token back to malicious actors who have specified an arbitrary client using various crafted URLs; some of these make use of URL shim bypass vulnerabilities and could theoretically bypass phishing protections such as Safe Links.

The saddest part of all is that, if the actors are able to craft the link extensively and evade detection, they could steal the token from the user’s active session, and this would be invisible to the end user.
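The root cause on the provider side is almost always a redirect_uri check that matches too loosely. As an added illustration (this is not code from Cam’s post or from Stripe OLT, and the client id, registered URI and test URLs are constructed placeholders), the Python below puts a loose prefix/substring check, the kind that lets a crafted redirect_uri carry the token off-site, next to the exact-match check that OAuth security guidance calls for:

```python
from urllib.parse import urlsplit

# Constructed registration for a hypothetical OAuth client; not a real application.
REGISTERED_REDIRECT_URIS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}


def loose_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Deliberately weak check, shown only to illustrate the failure mode.

    Accepting any URI that starts with a registered one, or whose text merely
    contains the registered host, lets a crafted redirect_uri send the token
    somewhere the client never registered.
    """
    for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        allowed_host = urlsplit(allowed).hostname or ""
        if redirect_uri.startswith(allowed) or allowed_host in redirect_uri:
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: scheme, host, port and path must equal a registered
    URI; no query string, no fragment, no wildcards, no prefix matching."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    candidate = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return candidate in REGISTERED_REDIRECT_URIS.get(client_id, set())


# Constructed test inputs: one legitimate callback and two crafted variants.
LEGIT = "https://app.example.com/oauth/callback"
TRAVERSAL = "https://app.example.com/oauth/callback/../redirect?to=https://attacker.example/"
LOOKALIKE_HOST = "https://app.example.com.attacker.example/oauth/callback"


def compare(redirect_uri: str) -> dict:
    """Return both verdicts for one redirect_uri so the difference is visible."""
    return {
        "loose": loose_redirect_check("demo-client", redirect_uri),
        "strict": strict_redirect_check("demo-client", redirect_uri),
    }


if __name__ == "__main__":
    for uri in (LEGIT, TRAVERSAL, LOOKALIKE_HOST):
        print(uri, compare(uri))
```

The loose check waves through both crafted URIs (a path-traversal variant and a look-alike host that merely contains the registered hostname); the strict check accepts only the registered callback. When reviewing an OAuth provider or an app you have registered, that exact-match behaviour is the property to confirm.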

I like to compare this to a gated kingdom – your MFA is a double-gate, but if you’ve got an unwatched tunnel underneath your guarded double gate – what would be the point of that double gate?

So, I created an OAuth ‘troll’ with the thought that it could be used in a phishing simulation, in order to demonstrate what could potentially happen.

These URLs are shimmed using various providers’ trusted links – Facebook, Google and Slack all make use of open redirects and shimming (where applicable) – but all this one does is log you out of your Office account, rather than steal the tokens.

Example of a safe redirect (1 step):

Example of vulnerable open-redirect (2 step shim):

(Step 1)

(Right click on “follow link”, copy the link, and then you get the step 2 shimmed link)

Shim bypass version (Step 2)
In fact, it appears as though you can switch to which is the mobile version. I’m not sure if it’s handled any differently, but this was able to be switched after the link shim bypass:

Though Facebook are doing a better job of handling these, it seems as though the redirect shim expires after a shorter period of time, meaning it may have already done so.

If you’d prefer to switch this out for your Google account, log out and you can run with:

Open Authorisation Exploitation – Key Takeaways

There are many more examples of these, but you can find them yourself. Open redirects are everywhere too; you can grab them when you click on hyperlinks just by checking out the network tab on Chromium browsers…
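The network tab shows you those hops one click at a time. For triage at scale, an analyst wants to unwrap a shimmed link offline and see where it ends up before anyone clicks it. The Python below is an added example, not from the post and not a Stripe OLT tool: it statically peels nested redirect parameters (no requests are made) and flags a link whose final destination leaves the host it started on. The three-layer sample link, its hosts and the parameter names are all constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Query parameter names that redirectors and OAuth endpoints commonly use to
# carry a destination URL. Not exhaustive; extend it to match what you observe.
REDIRECT_PARAMS = (
    "u", "url", "redirect", "redirect_uri", "next", "to", "continue", "link", "target",
)


def _nested_url(url: str):
    """Return the first absolute http(s) URL carried in a known redirect parameter, else None."""
    query = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                return value
    return None


def redirect_chain(url: str, max_hops: int = 8) -> list:
    """Statically unwrap a link through nested redirect parameters, hop by hop.

    Only the URL text is parsed; nothing is fetched, so this is safe to run on a
    suspicious link lifted from a mail gateway or proxy log.
    """
    hops = [url]
    for _ in range(max_hops):
        nested = _nested_url(hops[-1])
        if nested is None:
            break
        hops.append(nested)
    return hops


def hosts_in_chain(url: str) -> list:
    """Hostnames visited by the chain, outermost first."""
    return [urlsplit(hop).hostname for hop in redirect_chain(url)]


def crosses_origin(url: str) -> bool:
    """True when the link does not stay on the host it started on."""
    return len(set(hosts_in_chain(url))) > 1


def build_sample_link() -> str:
    """Constructed three-layer link: shim -> open redirector -> OAuth authorise
    URL whose redirect_uri points off-site. Every host here is a placeholder."""
    authorise = (
        "https://login.example/oauth/authorize?client_id=demo&redirect_uri="
        + quote("https://attacker.example/cb", safe="")
    )
    redirector = "https://redirector.example/r?next=" + quote(authorise, safe="")
    return "https://shim.example/l.php?u=" + quote(redirector, safe="")


SAMPLE_LINK = build_sample_link()
# Constructed benign shim link that stays on its own host.
BENIGN_LINK = "https://shim.example/l.php?u=" + quote("https://shim.example/help", safe="")

if __name__ == "__main__":
    for hop in redirect_chain(SAMPLE_LINK):
        print(hop)
    print("crosses origin:", crosses_origin(SAMPLE_LINK), crosses_origin(BENIGN_LINK))
```

For the sample link the chain reads shim → redirector → login provider → attacker host, which is exactly the shape of a shimmed redirect_uri abuse; the benign link resolves to a single host. Feeding URLs from click logs through `crosses_origin` is a cheap first-pass filter before deeper analysis.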

I hope that this has proved beneficial for some people, and points out that just because you’re in the cloud, you aren’t immune from attacks. Some might even say this is easier than hacking your legacy infrastructure – I know I would – all I would have to do is convince your user to click a Facebook link, tell them it’s an embarrassing picture of them with a spoofed email from a colleague, then account access is granted. 

Ultimately, I hope that this has shown the need for a SOC despite moving to the cloud. However, it’s not all bad – I believe the cloud is still easier to manage; it’s just not impenetrable like some people may believe it is.
