The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
Summary
A significant security vulnerability exists where persistent OAuth tokens, generated when employees connect AI tools and productivity apps to Google or Microsoft accounts, lack expiration dates and automatic cleanup. Attackers can exploit these tokens to gain unauthorized access without needing passwords, bypassing perimeter controls and MFA.
IFF Assessment
This vulnerability lets attackers bypass standard security measures such as perimeter controls and MFA: a token that never expires grants them persistent access without any credential, which leaves defenders at a clear disadvantage.
Defender Context
Organizations need to implement strict monitoring and management of OAuth tokens, particularly those generated by third-party applications connecting to corporate accounts. Regularly reviewing and revoking these tokens, including those that carry no explicit expiration date, is crucial to mitigating the risk of unauthorized access and persistent compromise.
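As an added illustration of the review described above (not code from the original article or from any vendor), the following Python flags third-party OAuth grants that never expire, have gone unused past a retention window, or pair a missing expiry with broad scopes. The grant records, the 90-day window, the scope names and the high-risk scope list are all constructed assumptions in a simplified shape; they are not the output or vocabulary of any real Google or Microsoft API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=90)  # assumed policy: flag grants unused this long
HIGH_RISK_SCOPES = {"mail.read", "files.readwrite.all", "offline_access"}  # assumed list

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    scopes: frozenset
    issued: datetime
    expires: Optional[datetime]    # None: the token never expires
    last_used: Optional[datetime]  # None: never used since issuance

def assess(grant: Grant, now: datetime = NOW) -> list:
    """Return the reasons this grant needs action; an empty list means keep it."""
    reasons = []
    if grant.expires is None:
        reasons.append("no expiry")
    elif grant.expires < now:
        reasons.append("already expired")  # dead grant, but still clutter to clean up
    last = grant.last_used or grant.issued
    if now - last > STALE_AFTER:
        reasons.append(f"unused for {(now - last).days} days")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky and grant.expires is None:  # the combination the article warns about
        reasons.append("high-risk scopes without expiry: " + ", ".join(sorted(risky)))
    return reasons

def revocation_candidates(grants, now: datetime = NOW) -> dict:  # (user, app) -> reasons
    flagged = {}
    for g in grants:
        reasons = assess(g, now)
        if reasons:
            flagged[(g.user, g.app)] = reasons
    return flagged

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed inventory (not real API output): one healthy grant, three needing action.
SAMPLE_GRANTS = [
    Grant("alice", "NoteTaker AI", frozenset({"mail.read", "offline_access"}), ts("2023-11-01"), None, ts("2024-05-28")),
    Grant("bob", "Calendar Sync", frozenset({"calendar.read"}), ts("2024-01-15"), ts("2024-12-31"), ts("2024-05-30")),
    Grant("carol", "Old Slide Tool", frozenset({"files.readwrite.all"}), ts("2023-09-01"), None, ts("2024-01-10")),
    Grant("dave", "Contractor Portal", frozenset({"profile"}), ts("2023-01-01"), ts("2023-12-31"), ts("2023-06-01")),
]
```

Feeding a real grant inventory through `revocation_candidates` yields the list to take to the admin console for revocation; the healthy grant (bob) produces no entry.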