RFC 8628 (OAuth 2.0 Device Authorization Grant) enables sign-in on input-constrained devices like TVs and IoT. Elegant design. Exploitable trust assumptions.
Not a coding flaw but a design assumption: that users can tell a legitimate authorization request from a malicious one when all they see is a short code and a consent screen on the real IdP.
Recon > vishing as IT support > victim enters the attacker's user code at the legitimate verification URI, authorizing the attacker's OAuth client > attacker's poll returns access + refresh tokens (persistent) > data exfil.
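The chain above, as an added example that is not code from the original page: a toy RFC 8628 authorization server and the attacker's client in one Python file. The server never learns which device is polling; the victim completes MFA on the legitimate IdP and the tokens land with the attacker. The IdP host `idp.example`, the client id `mail-sync-client`, the scopes and the victim address are hypothetical.

```python
"""Toy RFC 8628 device authorization grant, run from the attacker's side.

Added example, not code from the original page. An in-process authorization
server implements the two RFC 8628 endpoints plus the browser verification
step; an attacker-controlled client runs the phishing flow. The IdP name,
client_id, scopes and subject are made up for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None  # subject who typed the user_code in a browser
    redeemed: bool = False


class AuthorizationServer:
    VERIFICATION_URI = "https://idp.example/device"  # hypothetical IdP

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_device: Dict[str, DeviceGrant] = {}
        self._by_user: Dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """RFC 8628 sections 3.1/3.2: any holder of a client_id gets a code pair.
        The server has no idea what device, or whose device, is asking."""
        grant = DeviceGrant(
            client_id=client_id, scope=scope,
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}",
            expires_at=self._clock() + 900,
        )
        self._by_device[grant.device_code] = grant
        self._by_user[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": self.VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def verify(self, user_code: str, subject: str, mfa_ok: bool) -> dict:
        """RFC 8628 section 3.3: the user's browser step. MFA is satisfied here, on the
        legitimate IdP; consent then binds the grant to whichever client is polling."""
        grant = self._by_user.get(user_code)
        if grant is None or self._clock() > grant.expires_at:
            return {"error": "invalid_or_expired_code"}
        if not mfa_ok:
            return {"error": "mfa_required"}
        grant.approved_by = subject
        return {"status": "approved", "client_id": grant.client_id, "scope": grant.scope}

    def token(self, client_id: str, device_code: str) -> dict:
        """RFC 8628 sections 3.4/3.5: the polling endpoint the attacker's script hits."""
        grant = self._by_device.get(device_code)
        if grant is None or grant.client_id != client_id or grant.redeemed:
            return {"error": "invalid_grant"}
        if self._clock() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        grant.redeemed = True
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),  # long-lived: the persistence the text describes
                "token_type": "Bearer", "scope": grant.scope, "sub": grant.approved_by}


def run_device_code_phish(server: AuthorizationServer, victim: str) -> dict:
    """Attacker playbook from the text in one function: request a code, hand the
    victim only the user_code, poll until a token lands."""
    client_id = "mail-sync-client"  # hypothetical; chosen to look like a benign first-party app
    scope = "Mail.Read Files.Read.All offline_access"
    start = server.device_authorization(client_id, scope)
    first_poll = server.token(client_id, start["device_code"])  # victim has not acted yet

    # Vishing step: "IT support" reads the code over the phone. The victim opens the
    # real verification URI, completes MFA, and approves a consent screen.
    approval = server.verify(start["user_code"], subject=victim, mfa_ok=True)

    token = server.token(client_id, start["device_code"])   # attacker now holds the tokens
    replay = server.token(client_id, start["device_code"])  # device_code is single-use
    return {"first_poll": first_poll, "approval": approval, "token": token, "replay": replay}


if __name__ == "__main__":
    result = run_device_code_phish(AuthorizationServer(), "victim@corp.example")
    print(result["first_poll"], result["approval"]["status"], sorted(result["token"]))
```

The point to notice is where MFA sits: `verify` enforces it, and it passes, because the victim really is the victim. Nothing in `token` can tell a living-room TV from a script on an attacker's VPS, and the refresh token it hands back outlives the phone call.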
From data theft to enterprise extortion. Technical adaptability and patient persistence across months.
Google, Qantas, Allianz (1.1M records), LVMH, Chanel, Adidas. Systematic targeting, not opportunistic.
Attackers gained persistent access without compromising servers or exploiting software vulnerabilities. Identity is the new perimeter.
MFA protects the authentication step, not the authorization decision. The victim passes MFA on the real IdP, then a consent screen grants broad, long-lived permissions to whichever client requested the code. Users trained to click through consent prompts will grant them.
75% of major IdPs support device flow by default. Multiply by the hundreds of SaaS apps an enterprise federates and the attack surface is large.
Conditional access: block or restrict the device code flow by user, app and location (Entra ID exposes it as an authentication-flows condition). OAuth app inventories: know which clients hold consent, revoke the rest. Disable device flow where nothing needs it. Real-time monitoring of device code grants: new client, new IP/ASN, broad scopes. Zero trust scoping of tokens to least privilege.
Assume compromise. Build controls that distinguish legitimate from malicious authorizations, since users cannot. Continuous adaptation.
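The monitoring and inventory controls above, as an added example that is not code from the original page: a Python triage pass over constructed sign-in records. Field names (`protocol`, `asn`, `client_id`, `scope`), the approved-app inventory and every address are assumptions, loosely modelled on the grant-type and network fields IdP sign-in logs carry; the logic combines two signals a practitioner would actually alert on.

```python
"""Sign-in log triage for device-code-flow abuse.

Added example, not code from the original page. Records are constructed and
only loosely modelled on IdP sign-in logs; field names, client IDs and the
approved-app inventory are assumptions. Two signals are combined: a successful
device-code sign-in from an ASN the user has never authenticated from
interactively, and a device-code grant of high-value scopes to a client that is
not in the approved OAuth app inventory.
"""
from collections import defaultdict
from typing import Dict, List, Set

APPROVED_CLIENTS = {"corp-tv-signage", "helpdesk-cli"}  # hypothetical OAuth app inventory
HIGH_VALUE_SCOPES = {"offline_access", "Mail.Read", "Files.Read.All", "Directory.Read.All"}

# Constructed sample records, oldest first. 'protocol' is the grant type the IdP recorded.
SIGNIN_LOGS = [
    {"ts": "2025-08-01T08:02Z", "user": "alice@corp.example", "ip": "203.0.113.10", "asn": "AS64500",
     "protocol": "authorizationCode", "client_id": "corp-tv-signage", "scope": "openid profile", "result": "success"},
    {"ts": "2025-08-01T09:15Z", "user": "alice@corp.example", "ip": "203.0.113.11", "asn": "AS64500",
     "protocol": "deviceCode", "client_id": "corp-tv-signage", "scope": "openid profile", "result": "success"},
    {"ts": "2025-08-01T12:00Z", "user": "bob@corp.example", "ip": "192.0.2.44", "asn": "AS64502",
     "protocol": "authorizationCode", "client_id": "helpdesk-cli", "scope": "openid", "result": "success"},
    {"ts": "2025-08-02T14:40Z", "user": "alice@corp.example", "ip": "198.51.100.7", "asn": "AS64501",
     "protocol": "deviceCode", "client_id": "mail-sync-client", "scope": "Mail.Read Files.Read.All offline_access", "result": "success"},
    {"ts": "2025-08-02T15:00Z", "user": "bob@corp.example", "ip": "192.0.2.45", "asn": "AS64502",
     "protocol": "deviceCode", "client_id": "helpdesk-cli", "scope": "openid", "result": "success"},
    {"ts": "2025-08-03T09:00Z", "user": "carol@corp.example", "ip": "203.0.113.50", "asn": "AS64503",
     "protocol": "authorizationCode", "client_id": "corp-tv-signage", "scope": "openid profile", "result": "success"},
    {"ts": "2025-08-03T10:05Z", "user": "carol@corp.example", "ip": "198.51.100.99", "asn": "AS64510",
     "protocol": "deviceCode", "client_id": "corp-tv-signage", "scope": "openid profile", "result": "success"},
]


def triage_device_code_signins(logs: List[dict]) -> List[dict]:
    """Walk records in order, keep a per-user baseline of ASNs from successful
    interactive (non-device-code) sign-ins, and score each successful device-code
    sign-in against that baseline and against the app inventory."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[dict] = []
    for rec in logs:
        if rec["result"] != "success":
            continue  # no token was issued; out of scope for this sketch
        if rec["protocol"] != "deviceCode":
            baseline[rec["user"]].add(rec["asn"])  # the user's own browser sessions
            continue
        reasons = []
        # In a device code phish the sign-in IP belongs to the attacker's polling
        # client, not to the browser where the victim typed the code.
        if rec["asn"] not in baseline[rec["user"]]:
            reasons.append("device code sign-in from ASN never seen in the user's interactive sign-ins")
        risky = set(rec["scope"].split()) & HIGH_VALUE_SCOPES
        if rec["client_id"] not in APPROVED_CLIENTS and risky:
            reasons.append(f"unapproved client {rec['client_id']} granted {sorted(risky)}")
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "client_id": rec["client_id"],
                           "ip": rec["ip"], "severity": "high" if len(reasons) > 1 else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage_device_code_signins(SIGNIN_LOGS):
        print(alert["severity"], alert["user"], alert["client_id"], alert["ip"], *alert["reasons"], sep=" | ")
```

Alice's 14:40 sign-in fires both signals and is the case from the text; Carol's fires only the network signal and is the kind of medium-severity hit a real TV or CLI login will produce, which is why the inventory check matters. The response to a high-severity hit is the same every time: revoke the user's refresh tokens, remove the client's consent grant, and confirm with the user out of band before deciding it was benign.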