upvote

points

by losvedir18 hours ago |
comments
upvoteby mooreds18 hours ago|
next
[-]
This was probably partly a Google refresh token theft (given the length of the access). No inside info, just looking at how the attack occurred.

OAuth 2.1[0] (an RFC that has been around longer than I've been at my employer) recommends some protections around refresh tokens, either making them sender constrained (tied to the client application by public/private key cryptography) or one-time use with revocation if it is used multiple times.

This is recommended for public clients, but I think makes sense for all clients.

The first option is more difficult to implement, but is similar to the IP address solution you suggest. More robust though.

The second option would have made this attack more difficult because the refresh token held by the legit client, context.ai, would have stopped working, presumably triggering someone to look into why and wonder if the tokens had been stolen.

0: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1

reply
upvoteby hvb216 hours ago|
parent|
[-]
One time use of refresh tokens is really common? Where each refresh will get you a new access token AND a new refresh token?

That's standard in oidc I believe

reply
upvoteby mooreds16 hours ago|
parent|
[-]
I don't have data on whether it is common, but I know a few OAuth vendors support it.
reply
upvoteby wouldbecouldbe18 hours ago|
prev|
[-]
I mean the admin account had visibility of clients env vars, thats maybe not really great in the first place.
reply
upvoteby iririririr17 hours ago|
parent|
[-]
you'd think. but this is a js dev world.

nextjs app bake all env vars on the client side code!! it's all public, unless you prefix the name with private_ or something.

reply
upvoteby rozenmd16 hours ago|
parent|
[-]
This is incorrect.

You preface with PUBLIC_ to expose them in client side code.

reply