Researchers Leveraged OAuth Misconfiguration to Access Sensitive Data Without Restrictions

A security researcher identified as Remy disclosed a critical vulnerability discovered during a YesWeHack bug bounty engagement.

The researcher uncovered exposed OAuth credentials that granted unrestricted access to sensitive user data, demonstrating how a seemingly minor misconfiguration can lead to severe security breaches.

This incident highlights the ongoing challenges organizations face in properly implementing OAuth authentication systems.

OAuth 2.0, an industry-standard protocol for authorization, is widely implemented across web applications to enable secure third-party access to user resources without exposing credentials.

However, when improperly configured, these systems can inadvertently expose access tokens or client credentials, creating significant security vulnerabilities.

In this case, the misconfiguration allowed the researcher to bypass intended access controls entirely.

RMSec analysts, upon reviewing the findings, noted that this type of vulnerability represents a common yet dangerous oversight in API security.

Their assessment confirmed the severity of the issue, classifying it as a critical vulnerability that could have affected thousands of users if discovered by malicious actors rather than through the ethical bug bounty program.

The exposed credentials provided the researcher with elevated privileges, allowing access to user profiles, personal information, and potentially financial data stored within the application’s database.

The target company, which remains unnamed in accordance with responsible disclosure practices, patched the vulnerability within 24 hours of notification.

OAuth Client Credential Exploitation

The exploitation process began when the researcher discovered client credentials within the application’s frontend code.

While examining network traffic during normal application use, Remy identified OAuth token requests that exposed the client_id and client_secret parameters, which should never be publicly accessible.

The researcher demonstrated the vulnerability using a simple script to obtain access tokens directly:-

import requests

url = "https://api.target-company.com/oauth/token"
payload = {
    "grant_type": "client_credentials",
    "client_id": "discovered_client_id",
    "client_secret": "discovered_client_secret",
    "scope": "read write delete"
}

response = requests. Post(url, data=payload)
token = response.json()["access_token"]

With the obtained token, the researcher could make authenticated API calls with elevated privileges, accessing endpoints that should have been restricted to administrative users only.

The scope of the token (“read write delete”) provided virtually unrestricted access to the entire API ecosystem.

What made this vulnerability particularly severe was that the client credentials were configured for a service account with administrative privileges rather than being limited to the specific resources needed by the client application.

This represents a fundamental violation of the principle of least privilege in security design.

The report serves as a reminder for developers to implement proper OAuth configuration practices, including secure storage of client secrets, appropriate scope limitations, and regular security audits of authentication systems.

Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy

The post Researchers Leveraged OAuth Misconfiguration to Access Sensitive Data Without Restrictions appeared first on Cyber Security News.