OAuth Token Backdoors Expose Enterprises to Persistent Access via Google and Microsoft SaaS Apps
What Happened — Researchers highlighted that OAuth refresh tokens issued to third-party apps integrated with Google Workspace and Microsoft 365 are often long-lived or never expire, and the platforms do not revoke them automatically, so each grant becomes a standing backdoor. An attacker who obtains such a token can mint fresh access tokens without re-authenticating, so MFA is never prompted, and gets the same access to corporate data and APIs that the app was originally granted.
Why It Matters for TPRM —
- Persistent tokens are a hidden attack surface: the token is used directly against the SaaS provider's APIs, so network perimeter controls never see the traffic.
- Compromise of a single token can lead to lateral movement across the other third-party services a vendor has connected to the same account.
- Unchecked token sprawl (grants nobody remembers approving, to apps nobody still uses) inflates third-party risk scores and may violate contractual security requirements.
Who Is Affected — Cloud‑based SaaS providers (Google Workspace, Microsoft 365), their enterprise customers across all verticals, and any MSPs managing these environments.
Recommended Actions —
- Audit all OAuth grants to third-party apps (Google Workspace: admin console or the Admin SDK tokens API; Microsoft 365: Entra enterprise applications or the Graph oauth2PermissionGrants endpoint), revoke grants that are unused or over-scoped, and apply the shortest token and session lifetimes the platform allows.
- Implement continuous monitoring for anomalous token usage (an app's non-interactive sign-ins from locations the user has never logged in from, new scopes, sudden data-export volume) and enforce Just-In-Time (JIT) access rather than standing grants.
- Require vendors to provide evidence of token lifecycle management (how tokens are stored, when they are rotated, when and how they are revoked) in security questionnaires.
Technical Notes — Attack vector: stolen OAuth refresh tokens (long-lived or non-expiring) obtained via phishing, credential dumping, or insecure storage, including storage on the third-party app's own side; the short-lived access tokens actually presented to the APIs are minted from the refresh token on demand, which is why revoking the refresh token, not merely waiting for an access token to expire, is what closes the door. No specific CVE; the risk stems from default token lifetime and revocation policies. Data at risk is bounded by the scopes granted to the app and typically includes emails, documents, calendar data, and any other API-exposed resources. Source: The Hacker News
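The monitoring action above, and the refresh-token attack vector in the notes, come down to one observable: a stolen refresh token is exchanged for access tokens without an interactive login, so its use shows up in the non-interactive sign-in stream, typically from a location the user has never interactively signed in from. The following is an added example, not code from the original article or from Microsoft: it builds a per-user baseline of countries from interactive sign-ins and flags non-interactive third-party app sign-ins outside that baseline. The records follow the field names of the Microsoft Graph auditLogs/signIns resource, but the entries, user, app names and IPs are constructed, and the set of first-party app ids to skip is an assumption you would fill in for your tenant.

```python
"""Flag likely OAuth refresh-token replay in Entra ID sign-in records.

Added example (not the article's code). Record field names follow the Graph
auditLogs/signIns resource; the sample entries below are constructed.
"""
from collections import defaultdict

# Constructed sample: the user signs in interactively from GB, the connected
# app refreshes its token from the same place, then the same app's token is
# used from a country the user has never logged in from.
SIGNIN_SAMPLE = [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft 365 Portal", "appId": "first-party-portal",
     "isInteractive": True, "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2024-05-01T08:05:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Contoso Backup Sync", "appId": "sp-aaa",
     "isInteractive": False, "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2024-05-03T02:17:09Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Contoso Backup Sync", "appId": "sp-aaa",
     "isInteractive": False, "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "RU"}},
]

# Assumed: ids of first-party apps whose non-interactive traffic is expected.
FIRST_PARTY_APP_IDS = {"first-party-portal"}


def _country(record: dict):
    return record.get("location", {}).get("countryOrRegion")


def interactive_baseline(records: list[dict]) -> dict[str, set]:
    """user -> countries seen in interactive sign-ins (where MFA would be prompted)."""
    base: dict[str, set] = defaultdict(set)
    for r in records:
        if r.get("isInteractive"):
            base[r["userPrincipalName"]].add(_country(r))
    return base


def flag_token_replay(records: list[dict],
                      first_party_app_ids: set = FIRST_PARTY_APP_IDS) -> list[dict]:
    """Non-interactive third-party app sign-ins from a country outside the user's baseline."""
    base = interactive_baseline(records)
    hits = []
    for r in records:
        if r.get("isInteractive") or r["appId"] in first_party_app_ids:
            continue
        country = _country(r)
        if country not in base.get(r["userPrincipalName"], set()):
            hits.append({"time": r["createdDateTime"], "user": r["userPrincipalName"],
                         "app": r["appDisplayName"], "appId": r["appId"],
                         "ip": r["ipAddress"], "country": country})
    return hits


if __name__ == "__main__":
    for h in flag_token_replay(SIGNIN_SAMPLE):
        print(f"{h['time']} {h['user']} via {h['app']} from {h['ip']} ({h['country']}): "
              "token used outside interactive baseline; review grant and revoke")
```

A user with no interactive history in the window gets an empty baseline, so every non-interactive sign-in for them is flagged; that is deliberate, since a token being used for an account that nobody is logging into is exactly the departed-employee case the article's persistence concern describes. Tune the window and the first-party allow-list before wiring this into alerting, and pair each hit with the grant record from the audit step so the responder sees which scopes the token carries.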