How to Identify OAuth2 Vulnerabilities and Mitigate Risks

OAuth2 Case Studies based on HackerOne Public Disclosure Reports
Even though OAuth 2.0 (RFC 6749) has been the industry-standard authorization framework since it superseded OAuth 1.0 in 2012, its many moving parts leave plenty of room for implementation mistakes. For security engineers, it is vital to understand what OAuth2 is, how it works, and how a poor implementation turns into a vulnerability.

In this article, we'll highlight some common attack vectors or vulnerabilities against OAuth2 by referring to HackerOne public disclosure reports with actual cases — and explain how to mitigate those.
 
What is OAuth2?
OAuth2 is a widely used framework for access delegation: it lets a user grant one application (the client application) limited access to the user's resources hosted by another application or website (the resource server), without handing that client the user's credentials.

If you have some basic knowledge about OAuth2 but have never implemented it in your own application, the two diagrams below should help you refresh the concepts and the mechanics of the flow. The diagrams illustrate the workflow for two common OAuth2 grant types: the authorization code grant (Figure 1) and the still-in-use but now deprecated implicit grant (Figure 2).

OAuth2 itself is fundamentally complicated because it is designed to solve delegated authorization across many different environments (mobile apps, single-page apps, web servers, and so on). Because of that complexity, many engineers do not fully understand its nuances, and we keep seeing security issues caused by misconfigured or poorly implemented OAuth2. To make it worse, some of the exploits against these misconfigurations are extremely simple to launch.

 

Common OAuth2 Vulnerabilities from HackerOne’s Public Disclosure

Let’s take a look at some common attack vectors or vulnerabilities against OAuth2 by referring to HackerOne public disclosure reports. We hope the explanations of these vulnerabilities are clear by making reference to the actual exploitation disclosure. At the end of each of the following sections, you will also learn how to mitigate these vulnerabilities.

 

Vulnerability 1: Missing validation in redirect_uri leads to access token takeover

HackerOne Reports:

https://hackerone.com/reports/665651
https://hackerone.com/reports/405100

The redirect_uri parameter in the OAuth2 workflow tells the authorization server where to deliver the authorization code (or, for the implicit grant, the access_token) by means of a browser redirect. In Figure 1, the redirect_uri is set by the client application as part of the request to the authorization server in step 2, when a web user clicks the login button. After the authorization server validates the credentials (step 6), it redirects the browser to that redirect_uri with the auth_code (or the access_token, step 7 in Figure 2) attached as a parameter.

If an attacker can get the victim to send a request to the authorization server with a redirect_uri the attacker controls, and the authorization server does not validate the redirect_uri, the auth_code or access_token is delivered straight to the attacker's server.

Stealing users' OAuth tokens via redirect_uri is, unfortunately, a typical case: the authorization server performs only a loose validation of the redirect_uri (a prefix, substring or wildcard match) and the attacker bypasses it with a crafted link that points at a host they control.

 
Mitigation

Implement robust redirect_uri validation on the authorization server:

  1. Require every client to register its redirect URIs up front, and on each authorization request compare the supplied redirect_uri against the URIs registered for that client_id using exact string comparison (no prefix, substring or wildcard matching). 
  2. Treat the registered URIs as an explicit allowlist: reject a request whose redirect_uri is missing or unregistered instead of falling back to a default, and never issue the redirect before the check has passed.
  3. Make sure the registered callback pages are not themselves open redirects, otherwise an exact match still ends with the code or token forwarded to the attacker.
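
The two styles of check side by side, as an added example that is not code from the original article or from any of the disclosed targets. The client registry, client_id and URIs are constructed for the example. weak_redirect_check is the kind of host-suffix match that the reports above bypass; strict_redirect_check is the exact-match allowlist the mitigation calls for:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registry for this example: client_id -> redirect URIs registered
# with the authorization server. A real server keeps this in the client record.
REGISTERED_REDIRECTS = {
    "web-app-1": {
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-mobile",
    },
}


def weak_redirect_check(client_id, redirect_uri):
    """The loose check the reports above bypass: accept any host whose name
    ends with the registered host name. 'evilapp.example.com' passes."""
    host = urlsplit(redirect_uri).hostname or ""
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        if host.endswith(urlsplit(registered).hostname):
            return True
    return False


def canonical(uri):
    """Lower-case scheme and host, reject fragments and userinfo, and keep the
    path and query byte for byte. Anything else is a different URI."""
    parts = urlsplit(uri)
    if parts.fragment or parts.username is not None or parts.password is not None:
        raise ValueError("fragment or userinfo not allowed in redirect_uri")
    if parts.scheme.lower() not in ("https", "http") or not parts.hostname:
        raise ValueError("redirect_uri must be an absolute http(s) URL")
    netloc = parts.hostname.lower()
    if parts.port is not None:  # raises ValueError on a malformed port
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def strict_redirect_check(client_id, redirect_uri):
    """Exact match against the client's registered URIs, as RFC 6749 section
    3.1.2 requires. Returns False (and the server must not redirect) on any doubt."""
    try:
        candidate = canonical(redirect_uri)
        allowed = {canonical(r) for r in REGISTERED_REDIRECTS.get(client_id, ())}
    except ValueError:
        return False
    return candidate in allowed
```

Note that the strict check also rejects a registered URI with an extra query string or a path that differs only by `..` segments; if a client needs a second callback, it registers a second URI.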

 

Vulnerability 2: Missing state parameter validation leads to CSRF attack

HackerOne Reports:

https://hackerone.com/reports/111218
https://hackerone.com/reports/13555

In OAuth2, the state parameter (set by the client in step 2) is an opaque value the client includes in the authorization request and the authorization server returns unchanged in the response. Its primary purpose is to bind the response to the browser session that started the flow, which is what defeats CSRF; it can also carry application state so the client can restore where the user was.

Here is the correct implementation of the state parameter:

  1. The client application generates an unguessable state value and includes it in the authorization request URL (Step 2).
  2. The client application stores that value in the user's current session (Step 2).
  3. The authorization server sends the auth_code (Figure 1) or the access_token (Step 7 in Figure 2) back to the client application together with the same state parameter.
  4. The client application compares the state stored in the session with the state returned by the authorization server. If they match, the code or token is consumed; otherwise it is discarded, which is what prevents the CSRF attack.

However, since the state parameter is not required for the OAuth2 flow to succeed, it is very often omitted or ignored during implementation. Without state validation, a CSRF attack against the client application is easy: the attacker completes the first half of the flow with their own provider account, captures the callback URL carrying their own code, and tricks the victim's browser into loading it.

 

The report above is a good example of how an attacker can attach their own identity-provider account to a victim's account on the client application because of the missing state parameter. Sometimes the state parameter is present in the callback request from the authorization server, but the client never compares it with the stored value, which leaves the application just as vulnerable.

 

Mitigation

Use a state value that is unguessable (at least 128 bits from a cryptographic random generator), store it in the user's session, and compare it on every callback before the code or token is used. Treat a missing or mismatched state as an error, and consume the stored value after one use so it cannot be replayed. With that in place an attacker cannot attach their account to the victim's account.
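
The four-step procedure and the mitigation above, as an added example that is not code from the original article. The endpoint, client_id and redirect URI are assumed values, and the session is a plain dict standing in for a server-side session store. finish_login_unchecked is the vulnerable pattern; finish_login is the fix, including single-use consumption of the stored state:

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for the example; the endpoint and client are not real.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "web-app-1"
REDIRECT_URI = "https://app.example.com/oauth/callback"


class OAuthStateError(Exception):
    """Raised when the callback cannot be tied to the session that started the flow."""


def parse_callback(url):
    """Query parameters of a callback (or authorization) URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def begin_login(session):
    """Step 2: mint an unguessable state (256 bits), remember it in this
    browser's server-side session, and carry it in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    })


def finish_login(session, callback_url):
    """Callback handler: release the authorization code only if the state echoed
    by the authorization server equals the one stored in THIS session. The
    stored value is consumed first, so neither a replay nor a second guess can
    reuse it; a failed attempt simply forces the user to start the login over."""
    params = parse_callback(callback_url)
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        raise OAuthStateError("no state to compare: this flow did not start here")
    if not secrets.compare_digest(expected.encode(), received.encode()):
        raise OAuthStateError("state mismatch: possible login CSRF")
    if "code" not in params:
        raise OAuthStateError("callback carries no authorization code")
    return params["code"]


def finish_login_unchecked(session, callback_url):
    """The vulnerable pattern from the reports: whatever code arrives is used,
    so a victim's browser can be made to complete the attacker's flow."""
    return parse_callback(callback_url)["code"]
```

A forged callback such as `.../oauth/callback?code=ATTACKER_CODE&state=attacker-chosen` is accepted by finish_login_unchecked and rejected by finish_login, and a genuine callback is accepted exactly once.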

Vulnerability 3: Client_secret mistakenly disclosed to the public

HackerOne Report:

https://hackerone.com/reports/272824
https://hackerone.com/reports/397527

The client_secret is used by the client application when it contacts the authorization server to exchange the auth_code for an access_token (step 8 in Figure 1). It is a credential known only to the client application and the authorization server, and it is what lets the server tell a genuine client from an impostor presenting a stolen code.

Some developers accidentally disclose the client_secret to end users because the token request (step 8 in Figure 1) is mistakenly executed by front-end JavaScript rather than by the back-end over a server-to-server channel.

In the HackerOne report about token disclosure referenced above, the client_secret was publicly visible in the HTML page because the exchange of auth_code for access_token (Step 8 in Figure 1) was performed by a piece of JavaScript.

 
Mitigation

To avoid disclosing the client_secret, developers first need to pick the OAuth2 profile that fits their application, because different application types call for different grants. If your client application has a back-end server, the client_secret must live only there: the token exchange with the authorization server is completed over the back channel and the secret never reaches the browser. If your client application is a single-page web application or a mobile app, there is no place to keep a secret at all, so treat it as a public client and use the Authorization Code grant with PKCE (RFC 7636) instead of embedding a client_secret or falling back to the implicit grant. If a secret has already shipped to browsers or in an app binary, assume it is compromised and rotate it.
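
What replaces the client_secret for a public client, as an added example that is not code from the original article: the PKCE verifier/challenge pair the client creates before step 2, the token request it sends at step 8, and the check the authorization server performs. The client_id and redirect URI in token_request_fields are assumed values; the verifier and challenge in the usage note are the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side, before step 2: keep code_verifier in memory (or in the
    server-side session of a web client) and send only the S256 challenge in
    the authorization request."""
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, code_challenge


def token_request_fields(code, code_verifier):
    """Step 8 for a public client: the form body sent to the token endpoint.
    code_verifier takes the place a client_secret would have had."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": "https://app.example.com/oauth/callback",  # assumed value
        "client_id": "spa-client-1",                                 # assumed value
        "code_verifier": code_verifier,
    }


def verify_pkce(code_verifier, stored_challenge, method="S256"):
    """Authorization server side at step 8: recompute the challenge from the
    verifier presented with the code and compare it with the challenge saved
    when the code was issued. Whoever intercepted the code on the redirect
    does not hold the verifier, so their exchange fails."""
    if method != "S256":
        return False  # 'plain' is permitted by RFC 7636 but gives no protection; refuse it
    if not 43 <= len(code_verifier) <= 128:
        return False
    computed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(computed.encode(), stored_challenge.encode())
```

With the RFC 7636 vector, verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` produces challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. Combined with the exact redirect_uri matching and the state check from the earlier sections, PKCE is what makes the code grant safe for clients that cannot keep a secret.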

 

Vulnerability 4: Pre-account takeover

HackerOne Report:

https://hackerone.com/reports/1074047

A pre-account takeover can occur when both of the following conditions are met:

  1. The client application supports more than one authentication method, for example a local login with a password plus a third-party service (such as Facebook or Google) acting as an OAuth authentication provider.
  2. The client application does not verify the e-mail address during password signup (or trusts an address the third-party service itself never verified), and it links logins to existing accounts purely by e-mail address.

This HackerOne report details how a misconfigured OAuth login leads to pre-account takeover:

  1. The attacker creates an account with the victim's e-mail address and a password of the attacker's choosing, before the victim has ever registered on the client application.
  2. The victim later logs in through a third-party service such as Google or Facebook; the client application matches the provider's e-mail address to the existing account and logs the victim into it.
  3. The victim performs sensitive actions in the client application, which stores the resulting data under that account (the e-mail address being the user identifier in the database).
  4. The attacker now logs in as the victim with the victim's e-mail address and the password from step 1, and reads the data the victim added.
 
Mitigation

Verify ownership of the e-mail address when a new user is created with a password; the account should be neither usable nor linkable until the confirmation link is clicked. When a user arrives through an OAuth provider, trust the address only if the provider reports it as verified (the email_verified claim in an OpenID Connect ID token), and never silently merge that login into an existing account whose address was never confirmed. Expire unconfirmed sign-ups after a short period so an address cannot be squatted indefinitely.
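
The account-linking logic behind the four steps and the mitigation above, as an added example that is not code from the original article or from the disclosed target. The user store is an in-memory dict and the provider claims are constructed; oauth_login_vulnerable links by e-mail alone, oauth_login_hardened applies the two checks from the mitigation:

```python
class LoginError(Exception):
    pass


def password_signup(users, email, password_hash):
    """Local signup (step 1 of the attack). The account starts unverified and must
    stay unusable and unlinkable until the confirmation link sent to the mailbox
    is used."""
    email = email.strip().lower()
    if email in users:
        raise LoginError("e-mail already registered")
    users[email] = {"email_verified": False, "password_hash": password_hash, "providers": set()}
    return users[email]


def confirm_email(users, email):
    """Reached only through the confirmation link, i.e. only by the mailbox owner."""
    users[email.strip().lower()]["email_verified"] = True


def oauth_login_vulnerable(users, idp_claims):
    """Finds or creates the account purely by e-mail address (step 2 of the
    attack): the attacker's pre-registered password account becomes the
    victim's account."""
    email = idp_claims["email"].strip().lower()
    acct = users.setdefault(email, {"email_verified": True, "password_hash": None, "providers": set()})
    acct["providers"].add(idp_claims["iss"])
    return email, acct


def oauth_login_hardened(users, idp_claims):
    """Trusts only an address the provider verified, and never merges into an
    account whose owner has not proved control of the mailbox."""
    if not idp_claims.get("email_verified", False):
        raise LoginError("identity provider did not verify this e-mail address")
    email = idp_claims["email"].strip().lower()
    acct = users.get(email)
    if acct is None:
        acct = {"email_verified": True, "password_hash": None, "providers": {idp_claims["iss"]}}
        users[email] = acct
        return email, acct
    if not acct["email_verified"]:
        # A password account exists for this address but nobody confirmed it.
        # Refuse to merge, so the squatter's password never opens the victim's
        # data. (A production system would also expire such sign-ups.)
        raise LoginError("an unconfirmed account exists for this address; confirm it first")
    acct["providers"].add(idp_claims["iss"])
    return email, acct
```

Against a store where the attacker has pre-registered victim@example.com, the vulnerable function hands the victim an account that still carries the attacker's password hash, while the hardened function refuses the merge; once the real owner confirms the address, linking is allowed.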

 

Vulnerability 5: OAuth2 access_token is leaked through the Referer header

HackerOne Reports:

https://hackerone.com/reports/835437
https://hackerone.com/reports/787160
https://hackerone.com/reports/202781

One weakness in the design of OAuth2 itself is that the implicit grant delivers the access_token in the redirect URL (and the code grant delivers the authorization code there). Anything placed in a URL risks exposure to third parties: it ends up in browser history, in proxy and server logs, and in the Referer header sent along with later requests to other sites. This applies to OAuth2 implementations as much as to anything else.

In the HackerOne report about access_token smuggling, for example, the access_token was delivered to a third-party website controlled by the attacker after a chain of redirects, by way of the Referer header.

 
Mitigation

Because this is a design issue of OAuth2 rather than a bug in one implementation, the easiest mitigation is a stricter referrer policy on the pages that handle the callback, for example <meta name="referrer" content="origin" /> or, better, no-referrer, backed by the equivalent Referrer-Policy response header. In addition, have the callback page read the token and immediately remove it from the address bar (history.replaceState) before it loads any third-party content, and wherever possible retire the implicit grant in favour of the Authorization Code grant with PKCE, so that the value in the URL is a short-lived, single-use code rather than a bearer token.

 

Vulnerability 6: OAuth2 login bypass due to lack of access_token validation

HackerOne Report:

https://hackerone.com/reports/245408

A lack of access_token validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.

Once the authorization server returns the access_token, the client application has to work out which user it belongs to so it can create a session for that user. The vulnerable pattern is to take the user identity from something the browser supplies (an e-mail address or user ID in the same request) instead of deriving it from the token itself. An attacker then submits their own, perfectly valid access_token together with the victim's identifier, and the client application binds the victim's identity to the attacker's session.

In this HackerOne report, the security researcher was able to log in as any user simply by supplying the victim's e-mail address, because the client application never checked that the access_token actually belonged to that user.

 
Mitigation

The client application must establish the user's identity from the token, never from a client-supplied identifier: call the provider's userinfo (or equivalent) endpoint with the access_token and use the subject it returns, or validate the ID token's signature, issuer, audience and expiry and use its sub claim. Also check that the token was issued to your client (the audience), so that a token the attacker obtained from a different application cannot be substituted.
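
The difference between the two callback handlers, as an added example that is not code from the original article or from the disclosed target. The USERINFO table is a constructed stand-in for the provider's userinfo endpoint, and CLIENT_ID is an assumed value; in a real deployment the audience check is usually made on the ID token's aud claim or via token introspection, but the stand-in returns it with the identity to keep the example offline:

```python
# Constructed stand-in for the provider's userinfo endpoint: access_token ->
# the identity (and audience) the authorization server issued it for.
USERINFO = {
    "tok-attacker-7f3a": {"sub": "1001", "email": "attacker@example.com", "aud": "web-app-1"},
    "tok-victim-91c2":   {"sub": "2002", "email": "victim@example.com",   "aud": "web-app-1"},
    "tok-other-app-c44": {"sub": "2002", "email": "victim@example.com",   "aud": "some-other-app"},
}
CLIENT_ID = "web-app-1"  # assumed: our client_id at the authorization server


class TokenError(Exception):
    pass


def fetch_userinfo(access_token):
    """Stands in for GET /userinfo with 'Authorization: Bearer <token>'."""
    try:
        return USERINFO[access_token]
    except KeyError:
        raise TokenError("resource server rejected the token") from None


def callback_vulnerable(request_params):
    """Checks that the token is live, then binds the session to whatever
    'email' arrived in the same request: any valid token plus the victim's
    e-mail yields the victim's session."""
    fetch_userinfo(request_params["access_token"])
    return {"user": request_params["email"]}


def callback_hardened(request_params):
    """Derives identity from the token alone and ignores any identifier the
    browser sent. Also refuses tokens issued to a different client (audience),
    which stops token substitution across applications."""
    info = fetch_userinfo(request_params["access_token"])
    if info.get("aud") != CLIENT_ID:
        raise TokenError("token was not issued to this client")
    return {"user": info["email"], "sub": info["sub"]}
```

Submitting the attacker's own token with `email=victim@example.com` logs the attacker in as the victim through callback_vulnerable, while callback_hardened creates a session for the token's real owner and rejects a token that was minted for another application.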

 

Summary

The OAuth2 framework is complicated and leaves many decisions to the implementer. That flexibility means the security of an OAuth2 deployment is largely in the developers' hands: developers with a strong security mindset produce secure implementations, while developers with less security training are likely to introduce the kinds of holes described above. For any organization, it is vital to train and educate developers in the current OAuth2 security best practices (the IETF's OAuth 2.0 Security Best Current Practice is a good starting point) to reduce that risk.

At Coupa, our engineers are committed to following the latest OAuth2 security best practices to make sure our OAuth2 implementation is secure.

