OAuth is an open authorization standard that lets applications access user resources on other platforms without being given the user's password; access is delegated through tokens instead of shared credentials. OAuth 2.0 is the current version of the standard and is in near-universal use across the internet.
OAuth allows users to grant third-party applications limited access to their accounts on another service without exposing their passwords. Instead of sharing credentials, the resource owner grants permission through the authorization server, which issues access tokens that the third-party application uses to access specific resources.
How OAuth Works
The user attempts to use a third-party application that requires access to resources on another platform
The application redirects the user to the authorization server (e.g., Google, Microsoft)
The user authenticates and grants the specific permissions requested
The authorization server issues an access token to the application
The application uses the access token to access the permitted resources
OAuth Security Risks
Consent Phishing: Attackers create malicious applications that request OAuth permissions from users, granting the attacker persistent access to email, files, and other resources. Unlike password phishing, OAuth access persists beyond password resets.
OAuth Token Theft: A stolen access token lets an attacker act as the user without knowing the password and without having to satisfy MFA, because the token already represents a completed, authenticated session.
Overprivileged Applications: Third-party applications granted excessive OAuth permissions create unnecessary risk if those applications are compromised.
Malicious App Registration: Attackers register seemingly legitimate cloud applications to trick users into granting OAuth access, then use that access for persistent account compromise.
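As an added illustration of these risks from the defender's side (example code written for this page, not part of the original text or of Pangratis's product), the following audit walks over constructed consent-grant records and flags the traits described above: high-privilege mail and file scopes, offline_access (the refresh token that outlives a password reset), an unverified publisher, and a very recently registered app. The scope strings are Microsoft Graph permission names; the record layout, the sample grants and the 30-day "new app" threshold are assumptions made here.

```python
"""Audit OAuth consent grants for the risk patterns discussed above.

The grant records below are constructed sample data (not real tenant
data) standing in for a consent-grant export from an identity provider.
"""
from datetime import date

# Scopes whose grant gives broad, durable access to mail, files or directory.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite", "Directory.ReadWrite.All",
}
# offline_access yields a refresh token, so access survives a password reset.
PERSISTENCE_SCOPE = "offline_access"
NEW_APP_DAYS = 30  # assumed threshold for "recently registered" apps


def assess_consent_grant(grant, today=date(2024, 6, 1)):
    """Return the list of risk findings for one consent grant (empty = none)."""
    findings = []
    scopes = set(grant["scopes"])
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append(f"high-privilege scopes: {', '.join(risky)}")
    if PERSISTENCE_SCOPE in scopes:
        findings.append("offline_access: refresh token persists beyond password reset")
    if not grant["publisher_verified"]:
        findings.append("publisher not verified")
    age = (today - grant["app_registered"]).days
    if age < NEW_APP_DAYS:
        findings.append(f"app registered {age} days ago")
    return findings


def audit_grants(grants, today=date(2024, 6, 1)):
    """Map app display name -> findings, keeping only grants with findings."""
    return {g["app_name"]: f for g in grants
            if (f := assess_consent_grant(g, today))}


# Constructed sample grants: one benign, one showing consent-phishing traits.
SAMPLE_GRANTS = [
    {"app_name": "Calendar Helper", "publisher_verified": True,
     "app_registered": date(2022, 3, 10),
     "scopes": ["User.Read", "Calendars.Read"]},
    {"app_name": "Mail Backup Pro", "publisher_verified": False,
     "app_registered": date(2024, 5, 20),
     "scopes": ["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                "offline_access"]},
]

if __name__ == "__main__":
    for app, findings in audit_grants(SAMPLE_GRANTS).items():
        print(app, "->", "; ".join(findings))
```

Revoking a flagged grant (and the refresh tokens it issued) is what actually ends the access, since resetting the user's password does not.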
Pangratis detects OAuth-based attacks including consent phishing, where malicious applications request permissions that would grant attackers persistent access to Microsoft 365 or Google Workspace environments.