Security vendors are always under intense scrutiny when it comes to breaches—and rightfully so. The saying “the shoemaker walks barefoot” might work for cobblers, but in cybersecurity, barefoot walking is simply not an option. Even when you're running a tight ship, breaches can happen. Identity, long heralded as the new perimeter, is now evolving into a more nuanced truth: non-human identities (NHIs) are the true frontier.
In the recent Cyberhaven security incident, while details are still unfolding, a preliminary analysis reveals that a phishing campaign targeted one of their engineers. However, the real breach culprit is more sinister and insidious: an OAuth application granted elevated access to sensitive data. This incident highlights the critical need for robust NHI security and management—spanning secrets, certificates, tokens, API keys, and service accounts—in today's hyper-connected landscape.
What Really Happened?
The breach stemmed from the installation of a seemingly innocuous OAuth app in Cyberhaven’s Google Workspace. The app, ominously titled "Privacy Policy Extension," appeared legitimate but was, in fact, a Trojan horse controlled by a threat actor. Despite its deceptive nature, the app retained a “Verified” status in Google Workspace’s admin portal—raising some questions about the ease of getting an application verified by Google, with little actual verification.
Quick background check? The domain for the app, hxxps://checkpolicy[dot]site, was purchased just a month before the breach. A domain this fresh raises as many red flags as a phish in a sea of sharks.
What are OAuth apps?
OAuth apps leverage the OAuth 2.0 protocol to enable third-party or custom-built apps to securely access services on behalf of users. When users grant permissions (scopes), these apps receive tokens to interact with APIs—no passwords required. Convenient, yes. But when mismanaged? A backdoor in plain sight.
For instance, an OAuth app might access Google Drive files or send Gmail messages within defined scopes. But as Cyberhaven discovered, those permissions can turn into a powerful weapon when exploited.
The Attack Process
Once installed, the malicious OAuth app exploited its permissions to interact with sensitive resources. Specifically, it requested access to the https://www.googleapis.com/auth/chromewebstore scope, enabling it to edit and publish Chrome Web Store items. This subtlety allowed the attackers to deploy compromised versions of extensions without triggering alarms. Game over.
In summary, once it has installed its game over for the organization, attackers can instantly publish new malicious versions of already deployed Chrome extensions without a warning or an approval process, and that's exactly what has happened to CyberHaven.
The Aftermath: Post-Mortem Analysis
While the malicious extension was live, unsuspecting users received updates laden with malicious payloads. Sensitive session tokens, exposed to an attacker-controlled server, allowed the impersonation of Cyberhaven’s customers. The resulting chaos ranged from data theft to potential platform-wide disruptions.
Best Practices Around OAuth Apps
OAuth apps represent NHIs and introduce unique attack surfaces. Both Google Workspace and Entra ID enable their use across platforms, but they require vigilant governance.
Rules of Thumb for OAuth App Management:
Allowlist Over Blocklist: Limit app permissions to those explicitly vetted and approved.
Scope Hygiene: Ensure requested scopes align with the app’s purported function. (Does your weather app really need access to your calendar?)
Here’s a detailed guide to help you accomplish it: Google Workspace: Entra ID:
Reputation Checks:
High adoption rates often indicate reliability.
Beware of newly created domains or apps with questionable lineage.
Behavioral Monitoring:
Track app activities and geolocations of API calls.
Set alerts for high-risk operations, such as write or edit permissions.
How Clutch Enhances OAuth Security
At Clutch, we treat OAuth apps with the same rigor as other NHIs. Our platform:
Identifies risky apps across Entra ID and Google Workspace.
Monitors app behaviors for anomalies.
Sends proactive alerts for suspicious activity.
Don’t be the next barefoot (shoemaker or not) - ensure your OAuth apps and NHIs are secured with the precision and vigilance they demand.
