#oauth

Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large

## Summary It is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. ## Details The google_sign_in gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly passes the "same origin" check, and it's possible for the user to be redirected to another origin after authentication, possibly resulting in exposure of authentication information if this attack is chained with other attacks. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. ## Impact Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. ## Workarounds No known workarounds. ## Credits This issue was responsibly r...

Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and

A group tracked as UNC6395 engaged in "widespread data theft" via compromised OAuth tokens from a third-party app called Salesloft Drift.

A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed…

A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent. The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group and Mandiant, tracked as UNC6395. "Beginning as early as

### Impact A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information. ### Patch This vulnerability has been fixed in the following pull request: https://github.com/traPtitech/traQ/pull/2787 It is possible that OAuth tokens issued before the patch was applied have already been recorded in the logs. To completely eliminate the security risk, server administrators are strongly recommended to revoke all existing OAuth tokens. ### Workaround If you cannot apply the update immediately, as a temporary workaround, please review access permissions for SQL error logs and strictly limit access to prevent unauthorized users from viewing them.

A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component oAuth Handler. This manipulation causes os command injection. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. This issue has been patched via commit 3562966.

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report. The

### Impact This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources. The issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints. Example Attack: * Configuration: `skip_auth_routes = [ "^/foo/.*/bar$" ]` * Intended behavior: Allow `/foo/something/bar` * Actual vulnerability: Also allows `/foo/critical_endpoint?param=/bar` Deployments using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query para...