Your OAuth grant list is a list of companies whose worst day becomes your worst day.
A Context.ai employee went looking for Roblox auto-farm mods because you gotta get dem Robux. Unfortunately for them, what they found contained an infostealer that ran and stole browser-stored credentials, session tokens, and OAuth grants for the user's Google Workspace.
From that breach of Context.ai, attackers obtained the OAuth token that Context.ai held for a Vercel employee's Google Workspace account.
They used it to act as that employee: read their email, access their files, use whatever that account was already connected to. Vercel hasn't confirmed the exact path from there, but we know that once the attackers were inside, it gave them access to environment variables that were stored in plaintext, many of which contained real secrets.
Vercel has a mature security program but ended up here because of a Roblox farming cheat on a laptop at a completely different company.
The user who connected Context.ai's app didn't do anything "wrong". They clicked through a consent screen that grants broad access in seconds and is forgotten immediately. Multiply that across a thousand employees connecting tools they actually need, and you have an invisible web of third-party trust with minimal oversight.
When those tokens are used by attackers, your IdP logs show a legitimate app doing what you allowed it to do.
So what can you do?
Ensure that you actually look at, or ideally control, what grants your users give.
Understand which third-party apps hold tokens and what those tokens can reach.
Minimize which apps receive broad access and push back on unjustified "allow everything in the domain" scopes.
Alert on anomalous token usage like new locations, weird hours, unusual bulk actions.
Keep a rotation runbook you've actually rehearsed for when a vendor gets popped.
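One way to start on the first three items, as an added example that is not part of the original post: group per-user grants by app and rank the apps by how many users handed them a broad scope. The records are constructed and assumed to be shaped like Admin SDK Directory API token resources; the BROAD_SCOPES set and the function name are this example's own choices.

```python
from collections import defaultdict

# Assumption: the scopes this example treats as "broad". Adjust to your risk model.
BROAD_SCOPES = {
    "https://mail.google.com/",                              # full mailbox
    "https://www.googleapis.com/auth/drive",                 # all Drive files
    "https://www.googleapis.com/auth/admin.directory.user",  # directory admin
}

# Constructed sample, shaped like Admin SDK Directory API token records.
SAMPLE_GRANTS = [
    {"clientId": "111.apps.example", "displayText": "NotesAssistant",
     "userKey": "alice@example.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "111.apps.example", "displayText": "NotesAssistant",
     "userKey": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "222.apps.example", "displayText": "CalendarSync",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "333.apps.example", "displayText": "MailArchiver",
     "userKey": "carol@example.com",
     "scopes": ["https://mail.google.com/"]},
]


def inventory(grants, broad_scopes=BROAD_SCOPES):
    """Group per-user grants by app and rank apps by how many users they expose."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "exposed": set(), "broad": set()})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", "")
        app["users"].add(g["userKey"])
        hit = broad_scopes.intersection(g.get("scopes", []))
        if hit:  # this user handed the app at least one broad scope
            app["exposed"].add(g["userKey"])
            app["broad"] |= hit
    report = [{"clientId": cid, "name": a["name"], "users": sorted(a["users"]),
               "exposed_users": sorted(a["exposed"]), "broad_scopes": sorted(a["broad"])}
              for cid, a in apps.items()]
    # Most exposed users first; ties broken by number of broad scopes, then id.
    report.sort(key=lambda r: (-len(r["exposed_users"]), -len(r["broad_scopes"]), r["clientId"]))
    return report


if __name__ == "__main__":
    for row in inventory(SAMPLE_GRANTS):
        flag = "REVIEW" if row["broad_scopes"] else "ok"
        print(f'{flag:6} {row["name"]:15} exposed={row["exposed_users"]} {row["broad_scopes"]}')
```

The exposed_users list for a vendor is also the starting list of accounts to revoke and rotate when that vendor is breached.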
AI assistants will often need deep access to be useful. A SOC 2 report, lovingly crafted by Delve in this case, doesn't change that. What you can decide is who you give access to, what access they get, and how fast you can cut them off and rotate everything they could see.
How confident are you that you could identify and rotate every secret a single vendor could get access to within 24 hours?