
Potential new Security Consideration - Malicious Clients (Consent Phishing)

Open mpeck12 opened this issue 3 years ago • 0 comments

Potential new Security Consideration - Malicious Clients, Consent Phishing, or other appropriate term:

As service providers adopt stronger user authentication methods, attackers seek additional means to gain access to resources. An attacker may attempt to register an attacker-controlled client with the authorization server, then attempt to trick resource owners into granting the client access to resources through a phishing attack [1][2][3][4]. The access request may not appear malicious to the user as it originates from the legitimate authorization server.

Authorization servers should enforce controls over client registration, as well as controls over the scopes that particular clients are allowed to request. Authorization servers should also allow administrators and/or users to view a list of clients that have been granted access to resources and provide the ability to revoke access.

[1] https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html
[2] https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks
[3] https://www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/
[4] https://security.googleblog.com/2017/05/protecting-you-against-phishing.html

mpeck12 · Apr 03 '21 23:04
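The three mitigations the issue proposes (gated client registration, per-client limits on requestable scopes, and a user-visible list of granted clients with revocation) can be sketched as a small policy layer in front of an authorization server. The following is an added example written for this page; it is not code from the oauth-v2-1 draft or from the issue author. The client identifiers, scope names, the `RESTRICTED_SCOPES` list and the `unknown_client` reason string are constructed for illustration; `unauthorized_client` and `invalid_scope` are the RFC 6749 error codes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Client:
    client_id: str
    name: str
    allowed_scopes: frozenset      # scopes this client may ever request
    approved: bool = False         # an administrator must approve before use


@dataclass
class Grant:
    client_id: str
    user: str
    scopes: frozenset
    granted_at: datetime
    revoked: bool = False


class AuthorizationServerPolicy:
    """Policy checks an authorization server consults before showing a consent
    screen and after the resource owner approves (constructed example)."""

    # Constructed example: scopes no self-registered client may receive
    # unless an administrator explicitly approved the registration.
    RESTRICTED_SCOPES = frozenset({"mail.readwrite", "files.readwrite.all"})

    def __init__(self):
        self.clients = {}   # client_id -> Client
        self.grants = []    # list of Grant

    def register_client(self, client_id, name, requested_scopes, approved_by_admin=False):
        """Registration control: restricted scopes are dropped from the allowlist
        unless an administrator approved the client, and unapproved clients
        cannot be used in authorization requests at all."""
        requested = frozenset(requested_scopes)
        allowed = requested if approved_by_admin else requested - self.RESTRICTED_SCOPES
        client = Client(client_id, name, allowed, approved=approved_by_admin)
        self.clients[client_id] = client
        return client

    def approve_client(self, client_id):
        self.clients[client_id].approved = True

    def check_authorization_request(self, client_id, requested_scopes):
        """Scope control: returns (True, "ok") or (False, <reason>)."""
        client = self.clients.get(client_id)
        if client is None:
            # Unknown client: no redirect; the server reports the error itself.
            return False, "unknown_client"
        if not client.approved:
            return False, "unauthorized_client"
        excess = set(requested_scopes) - client.allowed_scopes
        if excess:
            return False, "invalid_scope:" + ",".join(sorted(excess))
        return True, "ok"

    def record_grant(self, client_id, user, scopes, now=None):
        """Persist the resource owner's consent so it can be listed and revoked."""
        ok, reason = self.check_authorization_request(client_id, scopes)
        if not ok:
            raise ValueError(reason)
        grant = Grant(client_id, user, frozenset(scopes), now or datetime.now(timezone.utc))
        self.grants.append(grant)
        return grant

    def list_grants(self, user):
        """Visibility control: every active grant with client name and scopes."""
        return [(g.client_id, self.clients[g.client_id].name, sorted(g.scopes))
                for g in self.grants if g.user == user and not g.revoked]

    def revoke_client(self, user, client_id):
        """Revoke all active grants a user made to a client; returns the count.
        Tokens issued under those grants must also be invalidated (not shown)."""
        count = 0
        for g in self.grants:
            if g.user == user and g.client_id == client_id and not g.revoked:
                g.revoked = True
                count += 1
        return count


def demo():
    """Constructed walk-through of the three controls; returns the observations."""
    policy = AuthorizationServerPolicy()
    policy.register_client("calendar-app", "Calendar App", ["calendar.read"],
                           approved_by_admin=True)
    # A self-registered client asking for a broad mailbox scope up front
    policy.register_client("pdf-tool", "Free PDF Tool", ["contacts.read", "mail.readwrite"])
    results = {}
    results["unknown"] = policy.check_authorization_request("nope", ["calendar.read"])
    results["unapproved"] = policy.check_authorization_request("pdf-tool", ["contacts.read"])
    policy.approve_client("pdf-tool")
    results["restricted"] = policy.check_authorization_request("pdf-tool", ["mail.readwrite"])
    results["allowed"] = policy.check_authorization_request("pdf-tool", ["contacts.read"])
    policy.record_grant("calendar-app", "alice", ["calendar.read"])
    policy.record_grant("pdf-tool", "alice", ["contacts.read"])
    results["before_revoke"] = policy.list_grants("alice")
    results["revoked"] = policy.revoke_client("alice", "pdf-tool")
    results["after_revoke"] = policy.list_grants("alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the example is where each control sits: scope policy is enforced at registration and again on every authorization request (so a client cannot request more than it was registered for, regardless of what the consent screen would have shown), and consent is stored as a first-class record so a user or administrator can see which clients hold access and withdraw it.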