by peter


Application Access Token Abuse Explained


Risk Rating: Medium
Likelihood: 2/5
Impact: 4/5


  • Exposed API credentials
  • Exposed Git data

Application Access Token Abuse Overview

In an Application Access Token Abuse attack, a threat actor such as Pawn Storm abuses Open Authorization (OAuth) and similar delegated-access mechanisms in advanced social engineering schemes to gain access to applications and systems without ever learning the victim's password.

Pawn Storm used different strategies to gain information from their targets. One method in particular was to abuse OAuth in advanced social engineering schemes, targeting high-profile users of free webmail between 2015 and 2016.

The group also set up aggressive credential phishing attacks against the Democratic National Committee (DNC), the Christian Democratic Union of Germany (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera and many other organizations using this Application Access Token Abuse technique. They continue to use several malicious applications that abuse OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.

The technique is now widely known and monitored for, but it can still be devastating. The best defence is careful handling of API and OAuth credentials: restrict which third-party applications users are allowed to authorize, review the scopes an application asks for before consent is granted, and double-check every place in the application code where tokens are issued, stored or passed on.

What you need to know

With an OAuth access token, an attacker can use the user-granted REST API to perform functions such as email searching and contact enumeration. They can also use it to interact with other services that accept that OAuth token for authentication. With a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded as well.

Detecting Application Access Token Abuse can be difficult, because the attacker's API calls carry a valid token and look like legitimate application traffic. It is nevertheless within reach of a professional SOC and most SIEM platforms once the right audit logs are collected: consent grants to unknown applications, requests for broad mail or contact scopes, and API access from unfamiliar clients or locations are all observable events.
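The following is an added example of the kind of detection logic described above, not code from the original article or from any vendor product. It scores consent-grant events from a constructed audit log (the JSON field names, application IDs, the allowlist and the scope names are assumptions, not any real provider's schema) and also flags the campaign pattern of one unapproved application being consented to by several users within a short window.

```python
"""Flag risky OAuth consent grants in audit-log lines.

Added example with a constructed log format; not any real provider's schema.
"""
import json
from collections import defaultdict
from datetime import datetime

# Scopes that let an app read or send mail, enumerate contacts, or read files.
HIGH_RISK_SCOPES = {"mail.read", "mail.readwrite", "mail.send",
                    "contacts.read", "files.read.all"}
# In many OAuth deployments this scope is what yields a refresh token.
PERSISTENCE_SCOPE = "offline_access"
# Hypothetical allowlist of applications the organisation has vetted.
APPROVED_APP_IDS = {"app-corp-calendar"}

# Constructed audit log: one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:01Z","event":"consent.grant","user":"alice@example.com","app_id":"app-corp-calendar","app_name":"Corp Calendar","publisher_verified":true,"scopes":["calendar.read"]}
{"ts":"2024-03-04T09:15:44Z","event":"consent.grant","user":"bob@example.com","app_id":"app-7f3a","app_name":"Mail Security Scanner","publisher_verified":false,"scopes":["mail.read","contacts.read","offline_access"]}
{"ts":"2024-03-04T09:16:10Z","event":"consent.grant","user":"carol@example.com","app_id":"app-7f3a","app_name":"Mail Security Scanner","publisher_verified":false,"scopes":["mail.read","contacts.read","offline_access"]}
{"ts":"2024-03-04T09:17:02Z","event":"consent.grant","user":"dave@example.com","app_id":"app-7f3a","app_name":"Mail Security Scanner","publisher_verified":false,"scopes":["mail.read","contacts.read","offline_access"]}
{"ts":"2024-03-04T11:02:33Z","event":"login.success","user":"alice@example.com"}
{"ts":"2024-03-04T12:40:00Z","event":"consent.grant","user":"erin@example.com","app_id":"app-9c21","app_name":"Notes Sync","publisher_verified":true,"scopes":["files.read.all"]}
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def score_grant(ev):
    """Severity of one consent.grant event and the reasons behind it."""
    if ev["app_id"] in APPROVED_APP_IDS:
        return "none", []
    scopes = set(ev["scopes"])
    score, reasons = 0, []
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        score += 1
        reasons.append("offline_access: refresh token gives long-term background access")
    if not ev.get("publisher_verified", False):
        score += 1
        reasons.append("unverified publisher")
    severity = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return severity, reasons


def detect_campaigns(events, window_minutes=10, min_users=3):
    """Same unapproved app consented to by several distinct users in a short
    window: the signature of a phishing wave rather than one person's tool."""
    by_app = defaultdict(list)
    for ev in events:
        if ev["event"] == "consent.grant" and ev["app_id"] not in APPROVED_APP_IDS:
            by_app[ev["app_id"]].append(ev)
    alerts = []
    for app_id, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_minutes * 60}
            if len(users) >= min_users:
                alerts.append({"app_id": app_id, "app_name": first["app_name"],
                               "users": sorted(users), "first_seen": first["ts"].isoformat()})
                break
    return alerts


def detect(text):
    """Run both checks over a log and return the alerts as plain dicts."""
    events = parse_events(text)
    grants = []
    for ev in events:
        if ev["event"] != "consent.grant":
            continue
        severity, reasons = score_grant(ev)
        if severity != "none":
            grants.append({"user": ev["user"], "app_id": ev["app_id"],
                           "severity": severity, "reasons": reasons})
    return {"grants": grants, "campaigns": detect_campaigns(events)}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for g in result["grants"]:
        print(f'[{g["severity"].upper()}] {g["user"]} -> {g["app_id"]}: {"; ".join(g["reasons"])}')
    for c in result["campaigns"]:
        print(f'[CAMPAIGN] {c["app_name"]} ({c["app_id"]}) consented by {len(c["users"])} users from {c["first_seen"]}')
```

The per-grant score is deliberately simple: broad mail or contact scopes weigh most, a refresh-token scope and an unverified publisher each add to it, and anything on the allowlist is ignored. The campaign check is what separates a phishing wave from a single user installing an odd but harmless tool.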

How the Application Access Token Abuse attack happens

Attackers use application access token abuse to bypass the typical authentication process and access restricted accounts, information or services on remote systems. These tokens are typically obtained from users, either by tricking them into granting consent to a malicious application or by stealing tokens outright, and are then used in lieu of login credentials.

Attack Sources

Compromised access tokens from Application Access Token Abuse attacks may be used as an initial step to compromising other services. For example, if a token grants access to a victim's primary email, the attacker may be able to extend access to all other services that the target subscribes to by triggering forgotten-password routines. Direct API access through a token sidesteps the second authentication factor entirely, since the factor was only checked when the user consented, and may be immune to countermeasures such as changing the password unless the provider revokes outstanding grants when that happens. It is common to see this attack performed following a successful credential stuffing attack or a successful account brute-force attack. Application Access Token Abuse can lead to the compromise of a significant number of individual user accounts.
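To make concrete both the "What you need to know" point (a token alone gives REST API access) and the claim above that a password change may not help, here is an added example that is not part of the original article: a toy authorization server and mail API, constructed for illustration and not modelled on any real provider. The user signs in with password and MFA exactly once, at consent time; every later API call and refresh carries only the token. The `revoke_on_password_change` flag, the application name and the mailbox contents are all assumptions.

```python
"""Toy OAuth token lifecycle: why a granted token survives a password change.

Added, constructed example; not any real provider's implementation.
"""
import hashlib
import hmac
import secrets
import time


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthServer:
    def __init__(self, revoke_on_password_change=False, access_ttl=3600):
        self.revoke_on_password_change = revoke_on_password_change  # assumed knob
        self.access_ttl = access_ttl
        self.users = {}           # user -> (salt, password hash)
        self.grants = {}          # grant_id -> {user, client, scopes, revoked}
        self.access_tokens = {}   # token -> (grant_id, expiry)
        self.refresh_tokens = {}  # token -> grant_id

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash_pw(password, salt))

    def _check_password(self, user, password):
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _hash_pw(password, salt))

    def authorize(self, user, password, mfa_ok, client, scopes):
        """Consent step: the only point where password and MFA are checked."""
        if not self._check_password(user, password) or not mfa_ok:
            return None
        gid = secrets.token_hex(8)
        self.grants[gid] = {"user": user, "client": client,
                            "scopes": set(scopes), "revoked": False}
        refresh = None
        if "offline_access" in scopes:          # background access requested
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = gid
        return {"access_token": self._issue_access(gid), "refresh_token": refresh}

    def _issue_access(self, gid):
        tok = secrets.token_urlsafe(32)
        self.access_tokens[tok] = (gid, time.time() + self.access_ttl)
        return tok

    def refresh(self, refresh_token):
        """No password, no MFA: the grant merely has to be still alive."""
        gid = self.refresh_tokens.get(refresh_token)
        if gid is None or self.grants[gid]["revoked"]:
            return None
        return self._issue_access(gid)

    def introspect(self, access_token):
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return None
        gid, exp = entry
        grant = self.grants[gid]
        return None if grant["revoked"] or time.time() > exp else grant

    def change_password(self, user, new_password):
        self.register_user(user, new_password)
        if self.revoke_on_password_change:     # the hardened behaviour
            self.revoke_all(user)

    def revoke_client(self, user, client):
        for g in self.grants.values():
            if g["user"] == user and g["client"] == client:
                g["revoked"] = True

    def revoke_all(self, user):
        for g in self.grants.values():
            if g["user"] == user:
                g["revoked"] = True


class MailApi:
    """Resource server: a bearer token with mail.read is all it asks for."""
    def __init__(self, auth, mailboxes):
        self.auth, self.mailboxes = auth, mailboxes

    def search(self, access_token, query):
        grant = self.auth.introspect(access_token)
        if grant is None or "mail.read" not in grant["scopes"]:
            return None                          # would be a 401/403
        return [s for s in self.mailboxes[grant["user"]] if query.lower() in s.lower()]


MAILBOX = {"alice@example.com": ["Q3 budget draft",
                                 "Your bank password reset code is 48213",
                                 "Lunch tomorrow?"]}


def run_scenario(revoke_on_password_change):
    auth = AuthServer(revoke_on_password_change)
    api = MailApi(auth, MAILBOX)
    auth.register_user("alice@example.com", "correct horse")
    # Phished consent: alice signs in properly (password + MFA) and approves
    # a hypothetical "Mail Security Scanner" app asking for mail.read + offline_access.
    tokens = auth.authorize("alice@example.com", "correct horse", True,
                            "Mail Security Scanner", ["mail.read", "offline_access"])
    r = {"hits": api.search(tokens["access_token"], "password")}
    r["after_consent"] = r["hits"] is not None
    auth.change_password("alice@example.com", "new passphrase")
    new_access = auth.refresh(tokens["refresh_token"])
    r["after_password_change"] = (new_access is not None
                                  and api.search(new_access, "password") is not None)
    auth.revoke_client("alice@example.com", "Mail Security Scanner")
    r["after_revoke"] = auth.refresh(tokens["refresh_token"]) is not None
    return r


if __name__ == "__main__":
    print("default server:  ", run_scenario(False))
    print("hardened server: ", run_scenario(True))
```

With the default server the attacker still reads mail after the password change and is only cut off when the user (or an administrator) revokes the application's grant; with `revoke_on_password_change` enabled, the password change alone ends the access. Either way, the real fix is revoking the grant, not rotating the password.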