How Researchers Exploited OAuth in 50% of Major Apps
OAuth 2.0 is the login system behind "Sign in with Google", "Login with GitHub", "Connect with Facebook". It's on virtually every modern web app — and full of subtle implementation mistakes that lead to account takeovers.
In 2020, researchers at Salt Security analyzed hundreds of OAuth implementations. They found over 50% had at least one critical OAuth vulnerability — mostly involving improper redirect_uri validation or missing state parameters.
OAUTH FLOW — HOW IT'S SUPPOSED TO WORK
1. User clicks "Login with Critbook" on BlogApp
2. BlogApp sends user to: critbook.io/oauth/authorize?client_id=app-123&redirect_uri=https://blogapp.io/callback&state=RANDOM
3. User logs in to Critbook and approves BlogApp
4. Critbook redirects to: blogapp.io/callback?code=AUTH_CODE&state=RANDOM
5. BlogApp exchanges AUTH_CODE for access token (server-to-server)
6. BlogApp uses access token to read user's Critbook profile
Two critical OAuth bugs
- redirect_uri — must be matched exactly against the value registered for the client, not by prefix or substring. If https://blogapp.io/callback is allowed, https://blogapp.io.evil.com/steal must NOT be.
- state parameter — a random, unguessable value the client generates per login, stores in the user's session, and validates when the callback arrives. Prevents CSRF — without it, an attacker can force a victim to connect their account to the attacker's auth code.
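The two checks above, shown side by side as an added example (this code is not from the lesson or from any real OAuth library). It contrasts a loose prefix match on redirect_uri with exact matching against the registered value, and shows a client generating a per-login state, binding it to the session, and rejecting callbacks whose state is missing, wrong, or replayed. BlogApp, Critbook, app-123 and the URLs are the lesson's illustrative values; the `session` dict standing in for a server-side session store and the `OAuthClient` class are assumptions made for the demonstration.

```python
"""Added example: redirect_uri exact matching and state handling for an OAuth
2.0 client. Not the lesson's code and not a real library; the session dict and
class names are constructed for illustration."""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# The single redirect_uri BlogApp registered with Critbook (lesson's value).
REGISTERED_REDIRECT_URIS = {"https://blogapp.io/callback"}


def redirect_uri_allowed_loose(uri: str) -> bool:
    """The mistake: a 'does it start with our domain?' check.
    A prefix match accepts hosts the attacker controls, e.g.
    https://blogapp.io.evil.com/steal, because the string still begins
    with https://blogapp.io."""
    return uri.startswith("https://blogapp.io")


def redirect_uri_allowed_exact(uri: str) -> bool:
    """The fix: reject anything that is not literally a registered value.
    The parse step only filters obviously malformed or non-HTTPS input;
    the security decision is the exact set membership test."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return uri in REGISTERED_REDIRECT_URIS


class OAuthClient:
    """Minimal client-side bookkeeping for the state parameter.
    `session` stands in for the user's server-side session store (assumption)."""

    def __init__(self, session: dict):
        self.session = session

    def build_authorize_url(self) -> str:
        # Fresh, unguessable value for this login attempt only.
        state = secrets.token_urlsafe(32)
        self.session["oauth_state"] = state
        query = urlencode({
            "client_id": "app-123",
            "redirect_uri": "https://blogapp.io/callback",
            "response_type": "code",
            "state": state,
        })
        return f"https://critbook.io/oauth/authorize?{query}"

    def handle_callback(self, params: dict) -> Optional[str]:
        """Return the auth code only if the callback carries the state this
        session issued; otherwise None. The stored state is consumed on first
        use, so a replayed or attacker-forged callback is rejected."""
        expected = self.session.pop("oauth_state", None)
        received = params.get("state")
        if expected is None or received is None:
            return None
        if not hmac.compare_digest(expected, received):
            return None
        return params.get("code")


if __name__ == "__main__":
    # Quick demonstration on the lesson's own URLs.
    for uri in ("https://blogapp.io/callback", "https://blogapp.io.evil.com/steal"):
        print(uri, "loose:", redirect_uri_allowed_loose(uri),
              "exact:", redirect_uri_allowed_exact(uri))
    sess = {}
    client = OAuthClient(sess)
    print(client.build_authorize_url())
    print("forged state accepted?",
          client.handle_callback({"code": "AUTH_CODE", "state": "guess"}) is not None)
```

In a real deployment the registered redirect_uri set lives on the authorization server side as well as the client; the point of the exact-match function is that any comparison other than full-string equality against a pre-registered value is a bug. The callback handler pops the state so each value works once, which also covers the case where a victim is handed a link whose state was never issued to their session.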
What is the OAuth state parameter used for?