OAuth Token Abuse
Severity: high
ID: oauth-token-abuse
Attackers exploit OAuth tokens to access connected applications, exfiltrate data, or perform unauthorized actions across integrated services.
STRIDE categories: Spoofing, Elevation of Privilege, Information Disclosure
MITRE ATT&CK techniques
| ID | Name | Tactic |
|---|---|---|
| T1528 | Steal Application Access Token | Credential Access |
| T1550.001 | Application Access Token | Defense Evasion |
Common Weakness Enumeration
Mitigating controls
- ctrl-oauth-1: Implement least-privilege OAuth scopes for all integrations
- ctrl-oauth-2: Regularly audit and revoke unused OAuth app authorizations
- ctrl-oauth-3: Monitor OAuth token usage for anomalous patterns
- ctrl-oauth-4: Implement OAuth app allowlisting policies
- ctrl-oauth-5: Use short-lived tokens with automatic refresh