Hacker News new | past | comments | ask | show | jobs | submit login

If only tokens minted by MS were in scope of the vulnerability because of Harvest's outlook integration, maybe something like "Harvest OAuth CSRF Leaks Tokens of Microsoft Outlook Users" or "CSRF in Harvest's Outlook Integration Leaks User Tokens".

If you want to add any editorializing around mitigation, linking to the OAuth RFC[0] that dictates a MUST for binding the users auth state with the request to prevent such attacks would be instructive to readers.

[0] https://datatracker.ietf.org/doc/html/rfc6749#section-10.12




Oh yes, that sounds better. I am changing the title now.

Updated to "Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App"


Ok, I've updated the title above to that (shortened a bit to fit HN's 80 char limit). Thanks!

(Submitted title was "Microsoft Account's OAuth tokens leaking via open redirect in Harvest")




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: