1 of 26

Universal Cross-app Attacks:

Exploiting and Securing OAuth 2.0 in Integration Platforms

August 6, 2025

USENIX '25

Kaixuan Luo, Xianbo Wang, Pui Ho Adonis Fung, Wing Cheong Lau, and Julien Lecomte

The Chinese University of Hong Kong

Samsung Research America

2 of 26

Motivation

  • Integration Platforms

An integration platform is a cloud-based platform for creating interconnected ecosystems

Examples: Smart Homes, Workflow Automation platforms, Virtual Assistant

🡺 The primary goal is to enable a wide range of external services to be orchestrated on behalf of users

4 of 26

Motivation

🡺 Account linking connects end-users’ accounts with third-party apps

  • To implement an integration platform, account linking is essential
  • For this purpose, OAuth 2.0 is widely used in integration platforms

[Figure: the integration platform ("Connect to Dropbox!") linked to Dropbox and Gmail, each behind its own OAuth check logic]

5 of 26

Motivation

  • I’ll introduce the attack method against this integration platform architecture
  • Unlike the traditional OAuth setting, the integration platform environment has an inverted structure
  • This enables two critical attacks

6 of 26

Background

  • OAuth 2.0 (Open Authorization 2.0)

🡺 OAuth is an open standard for access delegation

🡺 It lets users grant websites or applications access to their information on other websites

[Figure: examples of OAuth 2.0]

7 of 26

Background

  • Mechanism of OAuth

🡺 I'll give you an example to help you understand

Characters: me, the Front manager, My room

Key icon : master key of my room

8 of 26

Background

  • It is dangerous to give the master key to the cleaning company staff
  • So I ask the Front manager for permissions

me 🡺 Front manager : "Please give a spare key to the Cleaning Company staff for 1 hour"

Front manager 🡺 me : "Okay, you've been identified. I'll issue an extra key"

9 of 26

Background

  • The staff receives the extra key from the manager

Cleaning Company staff 🡺 Front manager : "Please give the spare key to me"

Front manager 🡺 Cleaning Company staff : "Okay, I'll issue you an extra key"

Key icon : extra key of my room with a 1 hour limit

10 of 26

Background

  • I can request some service from the staff with the delegated permissions

me 🡺 Cleaning Company staff : "Please clean my restroom, bed …"

Cleaning Company staff 🡺 me : "Okay, I’ll get in"

Key icon : extra key of my room with a 1 hour limit (used to enter My room)

11 of 26

Background

  • Mapping the analogy to OAuth roles

me : Resource owner (user)

Front manager : Authorization Server (AS), which gives the access token after authorization

My room : Resources

Cleaning Company staff : Third-party apps

Extra key : Access token

Request to the Front manager : Authorization information

12 of 26

Background

  • OAuth 2.0 in integration platforms

Traditional OAuth : Authorization is delegated by trusted sites

For instance, Outlook requests access to the Google server
🡺 Google server gives access to Outlook

OAuth in Integration Platforms : Authorization is delegated by unknown entities

For instance, Google Home requests access to IoT devices
🡺 IoT devices give access to Google Home

13 of 26

Background

  • Protocol flow of OAuth authorization in integration platforms

[Figure: Platform (e.g. Google Home)]

14 of 26

Background

  • Protocol flow of OAuth authorization in integration platforms

[Figure: Platform and Third-party apps]

15 of 26

Background

  • Protocol flow of OAuth authorization in integration platforms

  1. The user connects to an app
  2. The backend redirects the user to the AS login page

https://app.com/authorize?state=foo
&redirect_uri=https://platform.com/redirect

  • state 🡺 random value used to identify the app
  • redirect_uri 🡺 link for the callback

  3. After login, the AS issues a code

This code can be exchanged for an access token

  4. The AS redirects to the backend server (redirect_uri) with the code

The backend server checks whether the state / redirect_uri has been tampered with

state : mitigation for CSRF (bound to the session)
redirect_uri : mitigation for Account Takeover attacks

16 of 26

Background

  • But integration platforms lack a checking process between apps (cross-app)

Root cause: the platform does not compare the state and redirect_uri parameters

It solely trusts the state or the redirect_uri 🡺 this enables two kinds of attacks

COAT (Cross-app OAuth Account Takeover)

CORF (Cross-app OAuth Request Forgery)

17 of 26

Threat Model

  • Assume the presence of malicious apps on the platform

Ease of malicious app penetration

    • Open Marketplace: anyone can register an app.
    • Endure Vetting: the AS is an external server, so it can behave normally during the review process and perform malicious actions after approval.
    • Bypass Vetting: some platforms offer channels to share apps without the screening process (e.g., sharing private links).

18 of 26

Attack Scenario

Security requirements of existing OAuth

  • redirect_uri matching (the AS checks that it matches a preregistered URI).
  • state matching (CSRF token role; the OAuth client checks session consistency).

These requirements also apply to integration platforms,

but they are insufficient to protect a multi-app environment

state : opaque to the AS, and with multiple ASs the platform may not be able to tell which one a state came from
redirect_uri : may be manipulated by the AS

19 of 26

COAT (Cross-app OAuth Account Takeover)

  • The malicious app redirects from its own authorization endpoint to the authorization endpoint of the target benign app
  • This allows the authorization code of the benign app to be sent to the token endpoint of the malicious app

If the victim has connected to the malicious app,

this app sends a crafted link to the benign app

The benign app thinks the request comes from the backend server, so it gives the code to the backend.

The backend server only checks the ID via the state,

so it thinks this code is from the malicious app

and hands the benign app's code to the malicious app, which obtains the access token

20 of 26

CORF (Cross-app OAuth Request Forgery)

  • The state is not bound to a particular app, so a state issued for one app can also be valid for other apps.
  • This occurs when the platform relies only on the app-specific redirect_uri to track active apps

The attacker first collects the benign app’s code using the attacker’s own device

If the victim connects to the malicious app, this app redirects to the backend with the benign code

The backend thinks this code comes from the benign app

because it only checks the redirect_uri

🡺 It binds the victim’s client to the attacker’s account

21 of 26

Single-click COAT

  • In the worst case they can achieve single-click COAT
  • If the user has once connected to the benign app, the app usually uses silent auth for convenience
    • Silent auth doesn’t request authorization again for another access

23 of 26

Mitigation

  • To defend against this technique, compare the state and redirect_uri parameters

They built the COVScan tool,

which uses a decision tree to find the vulnerability

Create a globally unique identifier (App ID) for each app and include it in both the state and the redirect_uri path/subdomain
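The callback check the slides describe (the state/redirect_uri checks of the protocol flow, the root cause of trusting only one of them, and the App ID mitigation above), as an added example that is not code from the paper, from COVScan, or from any platform. It simulates the platform backend's callback handler under three policies: attributing the app from the state only, from the redirect_uri only, and from an App ID that must agree in both. The platform origin, app names, state format and code values are all constructed for the demonstration.

```python
"""Platform-side OAuth callback check under three policies (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PLATFORM = "https://platform.example"  # constructed platform origin (assumption)


@dataclass
class Session:
    """Browser session on the platform: maps each issued state to the app the user chose."""
    states: Dict[str, str] = field(default_factory=dict)


def start_connect(session: Session, app_id: str, policy: str) -> Tuple[str, str]:
    """Produce the state and redirect_uri the platform puts in the AS authorize URL.

    state_only        : opaque random state, one shared callback URI for every app
    redirect_uri_only : opaque random state, per-app callback path
    cross_check       : App ID embedded in the state AND in the callback path (mitigation)
    """
    nonce = secrets.token_urlsafe(16)  # CSRF protection: unguessable, bound to the session below
    state = f"{app_id}.{nonce}" if policy == "cross_check" else nonce
    if policy == "state_only":
        redirect_uri = f"{PLATFORM}/redirect"
    else:
        redirect_uri = f"{PLATFORM}/redirect/{app_id}"
    session.states[state] = app_id
    return state, redirect_uri


def app_from_redirect_uri(redirect_uri: str) -> Optional[str]:
    """App ID carried in the callback path, or None for the shared/unknown URI."""
    prefix = f"{PLATFORM}/redirect/"
    if redirect_uri.startswith(prefix) and len(redirect_uri) > len(prefix):
        return redirect_uri[len(prefix):]
    return None


def handle_callback(policy: str, session: Session, redirect_uri: str,
                    state: str, code: str) -> Tuple[str, str]:
    """Decide which app the returned code is attributed to.

    Returns ("accepted", app_id) when the platform would exchange `code` at that
    app's token endpoint, or ("rejected", reason). The code is opaque to the
    platform: it cannot see which AS issued it, so attribution must come from
    parameters the platform itself controls.
    """
    session_app = session.states.get(state)
    if session_app is None:
        return ("rejected", "unknown state (CSRF check failed)")
    uri_app = app_from_redirect_uri(redirect_uri)

    if policy == "state_only":
        # COAT root cause: a valid state for app X makes any code delivered to the
        # shared callback get exchanged at X's token endpoint.
        return ("accepted", session_app)

    if policy == "redirect_uri_only":
        # CORF root cause: the state only proves "some connect flow is in progress";
        # the app is taken from the path, so app X's path plus app Y's state passes.
        if uri_app is None:
            return ("rejected", "callback path does not name a registered app")
        return ("accepted", uri_app)

    if policy == "cross_check":
        # Mitigation: the App ID must agree in the path, inside the state, and in
        # the session record for that state. A mismatch means cross-app tampering.
        state_app = state.split(".", 1)[0]
        if uri_app is None or not (uri_app == state_app == session_app):
            return ("rejected", "App ID mismatch between state and redirect_uri")
        return ("accepted", uri_app)

    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed walk-through: the session holds a state for app "malicious", yet
    # the callback arrives on app "benign"'s path carrying a code issued for "benign".
    for policy in ("state_only", "redirect_uri_only", "cross_check"):
        s = Session()
        state_m, _ = start_connect(s, "malicious", policy)
        cb = f"{PLATFORM}/redirect" if policy == "state_only" else f"{PLATFORM}/redirect/benign"
        print(policy, handle_callback(policy, s, cb, state_m, "code-from-benign-AS"))
```

Running the block prints one line per policy: the first two accept the cross-app callback, attributing it to the malicious app (the COAT situation) or to the benign app (the CORF situation), and only the cross-check rejects it. The same cross-check is what makes the AS-side redirect_uri matching meaningful again, because the per-app path can no longer be swapped without also breaking the state.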

24 of 26

Evaluation


16 out of 18 integration platforms are susceptible to these attacks

25 of 26

Pros and Cons

Pros

  • They suggest a novel threat model & attack types
  • They tried to make the scenario realistic
  • They found a number of bugs in platforms (bug bounty)

Cons

  • Every attack has to start with the victim connecting to the malicious app 🡺 strong assumption
    • It is hard to implement certain defenses

26 of 26

Thank you.
