Your OAuth risk investigation checklist

Four key areas to consider when you’re investigating an OAuth grant, and how Nudge Security can help.

For most employees, OAuth grants provide a familiar “easy button” for creating new accounts or integrations. The ubiquitous OAuth permission pane makes it effortless to hand away whatever permissions are necessary to unlock useful functionality. I find a new tool to make my job easier, I approve whatever the app asks for, and presto—I’m speeding through my work. 

In other words, most employees who approve OAuth grants aren't thinking about the type of access they're giving away or the potential risks associated with a particular grant. They’re (understandably) much more focused on how access to a given app will help them succeed at work. 

Security and IT teams, on the other hand, have a laundry list of OAuth concerns to worry about. When a user creates a new grant, these teams need to determine whether the grant is malicious, whether the app provider is secure, or even just whether the app's permissions align with the organization's risk profile. And while creating new OAuth grants is practically effortless, getting visibility of risk insights is far from straightforward. In fact, even getting a clear picture of what permissions users have granted can be a challenge. 

Let’s take a look at the key OAuth risk insights you should evaluate when you investigate an OAuth grant and where you can find that information. 

1. OAuth scopes and permissions: Understand the app’s access to your corporate data. 

OAuth grant scopes can provide clear indicators of the potential risk a grant poses to your organization. Certain scopes give threat actors significant access to your environment, making grants with permissive scopes especially important to investigate and monitor. For example, Russian threat actor Midnight Blizzard abused Microsoft OAuth grants to gain full access to Office 365 Exchange Online mailboxes of Microsoft employees. 

To find out the scopes associated with a particular app, you can access each app’s OAuth consent screen to review its requested scopes, or you can check API access logs for scope usage. As a starting point for understanding whether any scopes could be cause for concern or provide exploitable access, you can cross-reference them with lists of the scopes Google considers sensitive or restricted. Note that while you can restrict access to grants with these scopes in the admin panel, Google doesn’t easily identify which apps fall into this category outside of these lists. 

2. App registration details: Look for threat indicators within an app’s client ID, reply URL, publisher name, and publisher email address. 

Registration details such as the client ID, reply URL, publisher name, and publisher email address can help you catch indications that an app is potentially malicious or even just poorly configured. For example, an app published with a personal email address or a Google group could pose a security risk to your organization, even if the app appears to be legitimate otherwise. Registration details can also expose indicators that an app’s creator is trying to camouflage a malicious app as a trustworthy one, such as using “leet speak” to make a URL look like a familiar legitimate app at first glance. 

To fully evaluate an app’s registration information, you’ll need to seek out multiple sources. For example, you can perform a WHOIS lookup on the reply URL, cross-reference the publisher email domains with official company domains, and use sources like Have I Been Pwned to determine if the email address may have been compromised. Make sure to consider the domain’s age, reputation and threat indicators, which can provide evidence of previous misuse or reveal that the domain was created recently.
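As an added example (not code from the original post or from Nudge Security's product), here is a small Python triage script that applies the checks from sections 1 and 2 to a single grant record. The scope lists, the known app names, the sample grant and the reply-domain creation date (assumed to come from a prior WHOIS lookup) are all constructed assumptions.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed sample lists for the example. In practice, cross-reference the
# sensitive/restricted scope lists Google publishes and your own vendor allow-list.
RESTRICTED_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly",
                     "https://www.googleapis.com/auth/drive"}
SENSITIVE_SCOPES = {"https://www.googleapis.com/auth/calendar"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
KNOWN_APP_NAMES = {"slack", "zoom", "dropbox"}
NEW_DOMAIN_DAYS = 90
AS_OF = date(2024, 6, 15)  # assumed date of the investigation

# Map common "leet speak" substitutions back to letters (0->o, 1->l, 3->e, ...).
LEET = str.maketrans("013457$", "oleasts")

def unleet(label: str) -> str:
    return label.lower().translate(LEET)

def review_grant(grant: dict, today: date) -> list:
    """Return human-readable findings for one OAuth grant record."""
    findings = []
    for scope in grant["scopes"]:
        if scope in RESTRICTED_SCOPES:
            findings.append(f"restricted scope granted: {scope}")
        elif scope in SENSITIVE_SCOPES:
            findings.append(f"sensitive scope granted: {scope}")
    # Publisher email: personal mailbox, or a domain that does not match the reply URL.
    pub_domain = grant["publisher_email"].rsplit("@", 1)[-1].lower()
    host = (urlparse(grant["reply_url"]).hostname or "").lower()
    if pub_domain in PERSONAL_MAIL_DOMAINS:
        findings.append(f"publisher registered with personal email domain {pub_domain}")
    if host != pub_domain and not host.endswith("." + pub_domain):
        findings.append(f"publisher domain {pub_domain} does not match reply URL host {host}")
    # Reply URL: a host label that is a leet-speak lookalike of a well-known app name.
    for label in host.split("."):
        if label not in KNOWN_APP_NAMES and unleet(label) in KNOWN_APP_NAMES:
            findings.append(f"reply URL label '{label}' looks like '{unleet(label)}'")
    # Domain age, using the WHOIS creation date looked up for the reply URL domain.
    age_days = (today - grant["reply_domain_created"]).days
    if age_days < NEW_DOMAIN_DAYS:
        findings.append(f"reply URL domain registered only {age_days} days ago")
    return findings

# Constructed sample grant, not real app data.
SAMPLE_GRANT = {
    "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
               "https://www.googleapis.com/auth/userinfo.email"],
    "reply_url": "https://login.s1ack.example/oauth/callback",
    "publisher_email": "dev.team@gmail.com",
    "reply_domain_created": date(2024, 5, 20),
}
```

Calling `review_grant(SAMPLE_GRANT, AS_OF)` returns five findings for the sample: a restricted scope, a personal publisher domain, a publisher/reply-URL mismatch, the `s1ack` lookalike, and a 26-day-old domain.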

3. Vendor trust signals: Assess the vendor’s reputation and security program.

Certain reputational indicators can help you determine whether an app provider is legitimate. For example, Google and Microsoft both have methods of verifying the identity of app publishers. Although this can serve as a trust indicator, it’s important to also consider other factors, given that threat actors have taken advantage of verified statuses in previous attacks. You should also assess the app provider’s security program for additional context. 

To find this information on your own, start by verifying whether the app is listed in official marketplaces like Google Workspace Marketplace or Microsoft Azure Marketplace. These listings will also tell you whether the app’s publisher has been verified. Next, look into the vendor’s security page, security certifications, security program, and breach history for additional context. 

4. App popularity: Consider app usage to help gauge the app’s legitimacy. 

Popularity can provide another potential trust indicator. If an app has millions of users, or even just an existing foothold within your company, it may help to bolster your confidence in the app.

To assess an app’s popularity, you can check review sites for adoption information outside of your organization. You can also review your own organization’s usage data in cloud service dashboards such as the Google Admin Console and Microsoft Azure AD. 

Detect, investigate, and revoke high-risk OAuth grants with Nudge Security.

Nudge Security helps you manage OAuth risks at scale by discovering and classifying your organization’s OAuth grants, alerting you to grants with high OAuth risk scores, and enabling you to revoke Google and Microsoft OAuth grants automatically. 
