Hackers are exploiting OAuth loophole for persistent access - and resetting your password won't save you

News
By published

Criminals retain access even after MFA and credentials resets

Representational image of a hacker
(Image credit: Shutterstock)
  • Researchers have observed attackers weaponizing OAuth apps
  • Attackers gain access that persists even through password changes and MFA
  • This isn't just a proof of concept - it's been observed in the wild

Researchers at Proofpoint have discovered a tactic used by threat actors to weaponize OAuth applications in order to gain persistent access within compromised environments - where hackers can retain access even after MFA or a password reset is carried out.

This attack has the potential to be devastating, as an attacker with access to a cloud account could open the door for a series of other intrusions. This account access could then be used to create and authorize internal applications with custom permissions - allowing the access to files, communications, and sidestepping security.

Cybercriminals have increasingly used cloud account takeover (ATO) tactics in recent years - as it allows them to hijack accounts, exfiltrate information, and use this as a foothold for other attacks. Both frequency and severity has increased, with strategies fast evolving.

Persistent access

The researchers have developed a proof of concept to outline how this attack might look in the wild, building a tool that automates the creation of malicious internal applications within the breached cloud environment.

A real-world example was also discovered when experts detected a successful login attempt, which, based on threat intelligence, is likely to be associated with ‘Adversary-in-the-middle’ social engineering attacks.

“After approximately 4 days the user's password was changed, following which we observed failed login attempts from a Nigerian residential IP address, suggesting the threat actor's possible origin,” the researchers explain.

“However, the application remained active. This case study serves as a concrete example of the attack patterns discussed in our blog, demonstrating that these threats are not merely theoretical - but active, exploited risks in the current threat landscape.”

The only way to revoke access in these cases before the expiration of the secret credentials (which remain valid for two years) is by manually removing permissions, so make sure to consistently review and account permissions regularly and continuously monitor applications.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.