The Accidental Discovery of a New Vulnerability in Google's OAuth Implementation

Beware, dear friends, the cautionary tale of the cloud provider that broke its own security model. Ignoring RFCs! Putting plaintext passwords in scripts - and printing them in books! It's a crazy story, but one that may nonetheless resonate with enterprise security practitioners everywhere.

In early 2021, I identified a client impersonation vulnerability in a series of Google "first-party" applications. This vulnerability allows an attacker to present themselves both to a user and to Google as one of these applications, …

books cloud cloud provider discovery enterprise enterprise security friends google implementation may new vulnerability oauth own passwords plaintext printing scripts security security practitioners story vulnerability