Overview
This 23-minute USENIX Security '25 presentation examines security vulnerabilities in OAuth 2.0 implementations within integration platforms. Researchers from The Chinese University of Hong Kong and Samsung Research America identify a fundamental flaw in multi-app OAuth authorization, the mechanism by which workflow automation platforms, virtual assistants, and smart home systems link a user's account to many third-party apps: the platforms do not differentiate between the apps they integrate, so an authorization obtained in the context of one app can be abused in the context of another.

The talk introduces two platform-wide attacks built on this weakness: Cross-app OAuth Account Takeover (COAT), which enables unauthorized access to users' accounts, and Cross-app OAuth Request Forgery (CORF), which enables forged account linking and resulting privacy breaches. To find such flaws at scale, the researchers built COVScan, a semi-automated black-box testing tool that systematically discovers cross-app vulnerabilities in real-world platforms.

A measurement study of 18 popular consumer and enterprise integration platforms found that 11 are vulnerable to COAT and 5 to CORF, including platforms operated by Microsoft, Google, and Amazon. The impact ranges from unauthorized control over users' services and devices to covert logging of sensitive information and ecosystem-wide compromise; one of the reported vulnerabilities was assigned a CVE with a CVSS score of 9.6. The talk closes with the responsible disclosure process and the collaboration with affected vendors on comprehensive fixes for OAuth 2.0 in integration platform environments.
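The flaw the talk names, the platform not recording which app an OAuth linking flow was started for, can be shown with a small model. The code below is an added example written for this page; it is not code from the paper, from COVScan, or from any vendor, and the two-field state registry, the app names and the simulated token exchange are constructed assumptions, not a reproduction of the COAT or CORF attacks. It models an integration platform's account-linking callback in two configurations: one that only ties the `state` parameter to the user, and one that also binds it to the app that began the flow. In the first, an authorization response belonging to a different app is accepted under a `state` minted for another app; in the second it is rejected.

```python
"""Toy model of an integration platform's OAuth 2.0 account-linking callback.

Constructed example for illustration; not code from the talk, the paper,
COVScan, or any vendor. The simulated providers, codes and app names below
are assumptions made for the example.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for each app's OAuth provider: which provider issued
# which authorization code, and which remote account it belongs to.
ISSUED_CODES = {
    ("calendar", "code-victim-cal"): "victim@calendar.example",
    ("smart-lock", "code-attacker-lock"): "attacker@lock.example",
}


def exchange_code(app_id: str, code: str) -> Optional[str]:
    """Simulated token endpoint: returns the remote account identity for a
    code issued by app_id's provider, or None if the provider never issued it."""
    return ISSUED_CODES.get((app_id, code))


@dataclass
class PendingAuth:
    user: str
    # None means the platform did not record which app started the flow,
    # i.e. the "no app differentiation" configuration.
    app_id: Optional[str]


@dataclass
class IntegrationPlatform:
    per_app_binding: bool
    pending: dict = field(default_factory=dict)   # state -> PendingAuth
    linked: dict = field(default_factory=dict)    # (user, app_id) -> remote account

    def begin_link(self, user: str, app_id: str) -> str:
        """User starts linking app_id; platform mints a single-use state."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = PendingAuth(
            user, app_id if self.per_app_binding else None
        )
        return state

    def oauth_callback(self, user: str, app_id: str, state: str, code: str) -> bool:
        """Platform-side redirect handler. app_id is taken from the callback
        route; state and code arrive as query parameters."""
        entry = self.pending.pop(state, None)        # state is single-use
        if entry is None or entry.user != user:
            return False                             # unknown state or wrong session
        if self.per_app_binding and entry.app_id != app_id:
            return False                             # response is for a different app
        remote = exchange_code(app_id, code)
        if remote is None:
            return False                             # provider never issued this code
        self.linked[(user, app_id)] = remote
        return True


def cross_app_link_accepted(per_app_binding: bool) -> bool:
    """Victim starts linking 'calendar'; the callback is then hit for
    'smart-lock' with the victim's calendar state and a code from the
    attacker's smart-lock account. Returns True if the platform linked it."""
    platform = IntegrationPlatform(per_app_binding=per_app_binding)
    state = platform.begin_link("victim", "calendar")
    ok = platform.oauth_callback("victim", "smart-lock", state, "code-attacker-lock")
    return ok and platform.linked.get(("victim", "smart-lock")) == "attacker@lock.example"


def legitimate_link_accepted(per_app_binding: bool) -> bool:
    """Happy path: the response comes back for the same app that started it."""
    platform = IntegrationPlatform(per_app_binding=per_app_binding)
    state = platform.begin_link("victim", "calendar")
    ok = platform.oauth_callback("victim", "calendar", state, "code-victim-cal")
    return ok and platform.linked.get(("victim", "calendar")) == "victim@calendar.example"


if __name__ == "__main__":
    print("no app binding, cross-app response accepted:", cross_app_link_accepted(False))
    print("app binding, cross-app response accepted:   ", cross_app_link_accepted(True))
    print("app binding, legitimate link accepted:      ", legitimate_link_accepted(True))
```

The check that matters is the comparison of `entry.app_id` with the app named in the callback: without it, the platform trusts whichever app the response claims to be for, and the `state` only proves that some linking flow was in progress for this user. Binding `state` to both the user session and the originating app, and consuming it on first use, is what closes the gap in this model; a real platform would additionally keep per-app redirect URIs and client credentials rather than sharing one set across every integrated app.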
Syllabus
USENIX Security '25 - Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in...
Taught by
USENIX