Author Credit: Bugcrowd
You see "Log in with Google/GitHub" everywhere. To a user, it’s convenience. To a hacker, it’s a direct path to Account Takeover (ATO).
If you understand the flow, you can steal the tokens to the kingdom without ever touching a password. Let's get into it.
What is OAuth? 🔑
OAuth is an authorization framework. Think of it like a valet key for your car. You give the valet (the app) a special key that lets them park your car (access your data), but it doesn't let them open the trunk or glovebox (full account control).
...unless the implementation is broken, then they take the whole car.
How it works ⚙️
- User clicks "Log in with xyz"
- App redirects you to the Provider (like Google)
- Provider asks: "Allow app to see your email?"
- User clicks “Yes”
- Provider sends a code to a redirect_uri (back to the app)
- App swaps that code for an access_token
The Significance (ATO)
Why hunt this? Because if you break OAuth, you usually get Account Takeover (ATO). If an attacker can steal your authorization code or token, they are you. It doesn't matter if you have 2FA enabled—the OAuth token often bypasses all of that. This is almost always a Critical (P1) finding. 💸
Top Attack Vectors 🎯
The weak link is usually the redirect_uri.
1. Redirect URI Poisoning
Can you change the callback URL to attacker[.]com? If the provider doesn't whitelist it strictly, they might send the victim's code directly to you.
2. The "state" Parameter
This prevents CSRF. If it's missing or static, you can trick a victim into linking your account to their profile, allowing you to log in as them later.
3. Token Leakage
Check history and logs. Are tokens leaking in the URL or Referer headers?
Dirty Tricks 🪄
- Parameter Pollution: Try sending two redirect_uris: ?redirect_uri=legit[.]com&redirect_uri=evil[.]com. Sometimes the server validates the first but uses the second.
- Open Redirect Chaining: If the whitelist allows app[.]com/logout, but that page has an Open Redirect, you can chain them: redirect_uri=app[.]com/logout?next=evil[.]com.
BONUS: Always check the scope parameter. Sometimes apps ask for read_only access, but if you manually change the scope in the URL to admin or write, the backend might just accept it and give you elevated privileges.
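For the defending side, here is what closes the redirect_uri pollution, open-redirect chaining and scope tricks above in one place. This is an added example, not Bugcrowd's code; the client registry, client ID and URLs are constructed for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import hmac

# Constructed client registration (hypothetical values for this example).
CLIENTS = {
    "client-123": {
        "redirect_uris": {"https://app.example/oauth/callback"},
        "scopes": {"read_only"},
    }
}


def validate_authorize_request(query: str, client_id: str, expected_state: str) -> Optional[str]:
    """Return None if the /authorize query is acceptable, otherwise the reason to reject it."""
    params = parse_qs(query, keep_blank_values=True)
    client = CLIENTS.get(client_id)
    if client is None:
        return "unknown client"

    # Parameter pollution: a repeated redirect_uri is an error, never "pick one".
    uris = params.get("redirect_uri", [])
    if len(uris) != 1:
        return "redirect_uri must appear exactly once"
    uri = uris[0]

    # Exact string match against the registered value: no prefix or domain matching,
    # so app.example/logout?next=evil never passes even though the host is ours.
    if uri not in client["redirect_uris"]:
        return "redirect_uri not registered"
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.fragment:
        return "redirect_uri must be https and carry no fragment"

    # state: required, single, and compared in constant time to the value this session issued.
    states = params.get("state", [])
    if len(states) != 1 or not hmac.compare_digest(states[0], expected_state):
        return "missing or mismatched state"

    # scope: every requested scope must be one this client was registered for.
    requested = set(" ".join(params.get("scope", [])).split())
    if not requested or not requested <= client["scopes"]:
        return "scope not permitted for this client"
    return None
```

The same exact-match rule belongs on the token endpoint too, where redirect_uri is sent again and must equal the one used on /authorize.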
Takeaway 🏁
Validate the redirect. Check the state. Get paid.
Happy Hunting.🐞
Original content by Bugcrowd. Source: Twitter/X Thread