When I log in with OAuth, does the app receive my password?

No, the greatest advantage of OAuth is that your password is never shared with the app. What the app receives is an access token - a temporary key - not your actual password. However, with an access token, the app can access your data within the scope of granted permissions, so you need to carefully evaluate which permissions to allow.

Can multi-factor authentication prevent OAuth phishing?

Unfortunately, OAuth phishing completely bypasses multi-factor authentication (MFA). In traditional phishing, MFA acts as a barrier even if a password is stolen, but in OAuth phishing, the victim themselves completes the legitimate authentication flow including MFA before granting access, so MFA provides no defense. Countermeasures include carefully reviewing permissions on consent screens, being suspicious of OAuth links via email, and regularly auditing connected apps.

Can I revoke OAuth permissions once granted?

Yes, you can revoke them at any time. Google can be managed from myaccount.google.com under "Security" → "Third-party apps & services," Facebook from "Apps and Websites" in settings, and X from "Connected apps" in settings. Once revoked, the app's access token is immediately invalidated and further data access is blocked. Regular auditing every 3 months is recommended.

OAuth Authorization Pitfalls - What Happens Behind "Allow Login"

About 13 min read

Every time you click "Sign in with Google" or "Continue with Facebook," you are granting an application access to your personal data - often far more than you realize. OAuth 2.0, the protocol behind these convenient login buttons, was designed to delegate limited access without sharing passwords. In practice, however, many applications request excessive permissions such as reading all your contacts or sending emails on your behalf. Worse, attackers have weaponized the legitimate OAuth consent screen itself: Proofpoint's 2024 research found that OAuth phishing attacks increased 40% year-over-year, and Microsoft reported that OAuth-based attacks accounted for 22% of enterprise compromises targeting Microsoft 365. This article dissects how the OAuth authorization flow works, where the real dangers lie, and what concrete steps you can take to protect yourself.

How OAuth 2.0 Works - The Basic Structure of Authorization Flows

To understand OAuth 2.0, you first need to clarify the difference between "authentication" and "authorization." Authentication is the process of confirming "who you are," while authorization is the process of determining "what you are allowed to do." OAuth 2.0 is an authorization protocol and does not handle authentication itself (OpenID Connect adds authentication on top). In other words, the "Sign in with Google" button is strictly a "authorize Google to access your information" button.

Authorization Code Flow - The Most Secure Standard Flow

Authorization Code Flow is the most secure flow designed for server-side applications. When a user logs in at the authorization server (Google or Facebook) and approves permissions, the authorization server returns an "authorization code" to the application. The application exchanges this authorization code for an "access token" through server-to-server communication. The critical point is that the access token is never directly exposed to the browser. The authorization code can only be used once and has a short expiration of just minutes, so even if intercepted, the risk is limited. Additionally, combining PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks.

Implicit Flow - Why It Was Deprecated

Implicit Flow was originally designed for browser-based SPAs (Single Page Applications). Instead of going through an authorization code, the authorization server returns the access token directly to the browser as a URL fragment (#access_token=...). This design has a fatal flaw: there is always a risk of the access token leaking through browser history, referrer headers, or browser extensions. In the OAuth 2.1 draft specification, Implicit Flow has been officially deprecated, and Authorization Code Flow + PKCE is recommended even for SPAs. Nevertheless, some legacy applications still use Implicit Flow, making them a breeding ground for token leakage.

Behind "Allow Login" - The Reality of Excessive Permission Requests

The OAuth consent screen displays a list of permissions called "scopes." The problem is that many users click "Allow" without reading this screen. According to Google's internal research (published 2023), only 12% of users reviewed the scope details on the OAuth consent screen. The remaining 88% approved without checking the displayed permissions.

Let's look at typical examples of excessive permission requests. There are cases where a simple calendar integration app requests "read contacts," "send email," and "list Drive files." While only calendar read access is needed for the app's functionality, developers add unnecessary scopes for data collection purposes. Astrix Security's 2024 analysis found that 35% of third-party apps connected to Google Workspace requested permissions unnecessary for their actual functionality. Particularly dangerous is the "send email" permission. If an app with this permission is compromised, attackers can send phishing emails from your email address. Since recipients see it as coming from a legitimate email address, the success rate is far higher than typical phishing.

OAuth Phishing Attacks - When Legitimate Consent Screens Become Weapons

Traditional phishing creates fake login pages to steal credentials. OAuth phishing is far more sophisticated: it uses the real authorization screens of Google, Microsoft, or Facebook. The attacker registers a malicious application with a legitimate-sounding name (e.g., "Security Update Tool" or "Document Viewer Pro") and sends the victim a link to the genuine OAuth consent page. Because the URL points to accounts.google.com or login.microsoftonline.com - the actual authentication servers - even security-conscious users may not suspect anything. Once the victim clicks "Allow," the attacker receives an access token granting whatever permissions the malicious app requested. No password is stolen, no phishing page is involved, and traditional anti-phishing tools cannot detect it because the entire flow uses legitimate infrastructure.

What makes OAuth phishing particularly dangerous is that it completely bypasses multi-factor authentication (MFA). In traditional phishing, even if a password is stolen, MFA acts as a barrier. However, in OAuth phishing, the victim themselves completes the legitimate authentication flow, passes MFA, and then grants access - so MFA provides no defense whatsoever. Proofpoint's 2024 report states that the success rate of OAuth phishing is more than 3 times that of traditional phishing.

Token Leakage Risks - What Happens When Access Tokens Fall Into Third-Party Hands

An access token is a "digital spare key." Unlike passwords, anyone who possesses the token can exercise the permissions associated with it. There are multiple pathways for token leakage. In apps using Implicit Flow, tokens leak through browser history or referrer headers. In mobile apps, tokens can leak from device log files or clipboards. Cases have also been reported where third-party JavaScript libraries maliciously transmit tokens externally.

The impact of token leakage depends on the scopes granted. A token with read-only email access allows the attacker to read all your emails - potentially exposing password reset links, financial statements, and private communications. A token with Drive access lets the attacker download all your documents. A token with contact access exposes your entire network for further social engineering attacks. Unlike stolen passwords, compromised tokens cannot be mitigated by changing your password. The token remains valid until it expires or is explicitly revoked. This is why regular auditing of connected applications is critical for your digital identity protection.

Permission Audit - Connected App Management Screens You Should Check Now

Permissions granted via OAuth can be reviewed and revoked from each platform's management screen. Follow these steps to clean up unnecessary connected apps right now.

Google: myaccount.google.com → "Security" → "Third-party apps & services." Review the scopes granted to each app and remove access for unused apps or those with excessive permissions. Pay special attention to apps with "send email," "edit contacts," or "access all Drive files" permissions.
Facebook: Settings → "Apps and Websites." From the active apps list, review the permissions granted to each app. Re-evaluate whether apps with "friends list," "publish posts," or "read messages" permissions are truly necessary.
X (formerly Twitter): Settings → "Security and account access" → "Apps and sessions" → "Connected apps." Check whether each app has read-only or read-write access, and revoke unnecessary apps with write permissions.
Microsoft: account.microsoft.com → "Privacy" → "Apps and services." Review apps connected to Microsoft 365, focusing on apps that can access organizational data.

This audit should not be a one-time activity but is recommended every 3 months.OAuth security books (Amazon) are also helpful references.

Concrete Measures to Protect Yourself from OAuth Risks

With an understanding of OAuth risks, put the following measures into practice. These can all be started today, even without technical knowledge.

Read the consent screen carefully before clicking "Allow." Check what specific permissions are being requested. If a simple app asks for email sending or contact editing permissions, decline and look for alternatives. Protecting your privacy settings starts with this habit
Every 3 months, audit connected apps in the management screens above. Revoke access for unused apps, and verify that remaining apps have minimal permissions
Be suspicious of OAuth consent requests arriving via email or messaging apps. Legitimate services rarely send direct links to consent screens. If you receive one, navigate to the service directly through your browser instead of clicking the link. This is a key defense against social engineering
Use a dedicated password manager and enable two-factor authentication on all accounts. Even if an OAuth token is compromised, strong account security limits the blast radius
Consider using passkeys where available. Passkeys eliminate the password layer entirely, reducing the attack surface that OAuth phishing exploits

Frequently Asked Questions

When I log in with OAuth, does the app receive my password?: No, the greatest advantage of OAuth is that your password is never shared with the app. What the app receives is an access token - a temporary key - not your actual password. However, with an access token, the app can access your data within the scope of granted permissions, so you need to carefully evaluate which permissions to allow.
Can multi-factor authentication prevent OAuth phishing?: Unfortunately, OAuth phishing completely bypasses multi-factor authentication (MFA). In traditional phishing, MFA acts as a barrier even if a password is stolen, but in OAuth phishing, the victim themselves completes the legitimate authentication flow including MFA before granting access, so MFA provides no defense. Countermeasures include carefully reviewing permissions on consent screens, being suspicious of OAuth links via email, and regularly auditing connected apps.
Can I revoke OAuth permissions once granted?: Yes, you can revoke them at any time. Google can be managed from myaccount.google.com under "Security" → "Third-party apps & services," Facebook from "Apps and Websites" in settings, and X from "Connected apps" in settings. Once revoked, the app's access token is immediately invalidated and further data access is blocked. Regular auditing every 3 months is recommended.

Generate passwords →