Comment by andix
3 years ago
I don't understand why this issue was not communicated to Microsoft. They could've just revoked access for this oauth application until the issue was fixed.
Although there are probably thousands of similar bad implementations out there that are connected to Microsoft via oauth.
I did not know that was possible! I would never have thought to do that, personally.
Every oauth application needs to be registered individually, together with a client secret or certificate. In the case of Microsoft, via the Azure portal. That registration can (technically) be revoked by the oauth provider.
I have no idea if Microsoft would react to such a report, or what the correct channel to submit it is. But bug reports or abuse reports they usually take seriously.