Comment by nurple

3 years ago

The headline seems pretty unfair to Microsoft here, seemingly to capitalize on the press of their recent auth disaster. The first thought that came to my mind on reading the headline was "oh great, another MS breach".

These are in fact Harvest's tokens, which only erroneously exposed access to their app because of an injection vuln in their code, and would be exactly as compromised behind any other IdP.

Hi, author of the blog post here. Yes, I understand your concern, and I tried keeping Microsoft's name out of the title but couldn't think of anything else, since the vulnerability only affects the OAuth implementation for the connection with Microsoft accounts. Previously the title was "Microsoft OAuth token leak via open redirect in Harvest App" but later I changed it to "Microsoft Account's OAuth tokens leaking via open redirect in Harvest App". I am still considering changing it and am open to suggestions.

  • If only tokens minted by MS were in scope of the vulnerability because of Harvest's Outlook integration, maybe something like "Harvest OAuth CSRF Leaks Tokens of Microsoft Outlook Users" or "CSRF in Harvest's Outlook Integration Leaks User Tokens".

    If you want to add any editorializing around mitigation, linking to the OAuth RFC[0] that dictates a MUST for binding the user's auth state with the request to prevent such attacks would be instructive to readers.

    [0] https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

    • Oh yes, that sounds better. I am changing the title now.

      Updated to "Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App"

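The mitigation the comment above points to, RFC 6749 section 10.12, requires the client to bind each authorization request to the user's session with an unguessable `state` value and to reject callbacks whose `state` does not match. The following is an added example and not Harvest's code: a redirect handler without that binding (it accepts whatever code arrives) beside a hardened one that checks a session-bound, single-use `state` and, going one step beyond the comment, also insists that the callback landed on the exact registered redirect URI rather than on some other host reached through a redirect. The endpoint, client id, scope and redirect URI are placeholders, and the "session" is a plain dict standing in for a server-side session store.

```python
"""OAuth 2.0 redirect-handler hardening (added example, not the app's code).

Binds the authorization request to the user's session via `state`
(RFC 6749 section 10.12) and accepts the callback only on the registered
redirect URI. All identifiers below are placeholders, not real values.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder identifiers (assumptions for the example, not from the thread).
AUTHORIZE_ENDPOINT = "https://login.example/oauth2/authorize"
CLIENT_ID = "example-client-id"
REGISTERED_REDIRECT_URI = "https://app.example/oauth/callback"


def build_authorization_url(session: dict) -> str:
    """Start the flow: mint an unguessable state, remember it in the user's
    server-side session, and send it with the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": "openid offline_access",  # placeholder scope
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url: str) -> str:
    """Read the state back out of an authorization URL (used by the tests)."""
    return parse_qs(urlparse(url).query)["state"][0]


def _split_callback(callback_url: str) -> tuple[str, dict]:
    """Return (scheme://host/path, single-valued query dict) for a callback."""
    parsed = urlparse(callback_url)
    target = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return target, query


def handle_callback_unbound(session: dict, callback_url: str) -> str:
    """Weak handler: takes any code that shows up. A victim's browser can be
    steered through this with an attacker-chosen code (login CSRF), and
    nothing ties the callback to the request this session actually made."""
    _target, query = _split_callback(callback_url)
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"]


def handle_callback_bound(session: dict, callback_url: str) -> str:
    """Hardened handler: exact-match redirect URI, then session-bound,
    single-use state compared in constant time, then the code."""
    target, query = _split_callback(callback_url)
    if target != REGISTERED_REDIRECT_URI:
        raise ValueError("callback arrived on an unregistered redirect URI")
    expected = session.pop("oauth_state", None)  # consumed even on failure
    received = query.get("state")
    if expected is None or received is None:
        raise ValueError("no pending state for this session; not our request")
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch; possible CSRF")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"]


def rejects(handler, session: dict, callback_url: str) -> bool:
    """True if the handler refuses the callback (helper for the checks)."""
    try:
        handler(session, callback_url)
    except ValueError:
        return True
    return False
```

Ordering matters in the hardened handler: the redirect-URI check runs before the state is consumed, so a callback on the wrong host does not burn the user's pending state, while a wrong or missing state still consumes it so the same value cannot be retried.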

Agreed, those were my thoughts as well, to the point where I even wondered if the article knew how OAuth works to claim these are msft tokens