How to Identify OAuth2 Vulnerabilities and Mitigate Risks

OAuth2 Case Studies based on HackerOne Public Disclosure Reports
Even though OAuth2 has been the industry-standard authorization framework since it replaced OAuth1 in 2012, its many complexities have led to potential security issues. For security engineers, it's vital to understand what OAuth2 is, how it works, and how poor implementation can lead to vulnerabilities.

In this article, we'll highlight some common attack vectors or vulnerabilities against OAuth2 by referring to HackerOne public disclosure reports with actual cases — and explain how to mitigate those.
 
What is OAuth2?
OAuth2 is a widely used framework for access delegation. It allows users to grant one application (the client application) limited access to their resources hosted in another application or website (the resource application), without handing that application their credentials.

If you have some basic knowledge about OAuth2 but have never implemented OAuth2 in your application, the two diagrams below might help you to refresh the concepts of OAuth2 and the mechanism of how it works. The diagrams illustrate the workflow for two common OAuth2 grant types, authorization code grant (Figure 1) and the still-in-use but deemed insecure implicit grant (Figure 2).

OAuth2 itself is fundamentally complicated, because it is designed to solve access delegation across many different environments (mobile apps, web servers, single-page applications, etc.). Due to this complexity, many security engineers do not fully understand how OAuth2 works. As a consequence, we observe many security issues caused by misconfiguration or poor implementation of OAuth2. To make it worse, some exploits against these OAuth2 misconfigurations are extremely simple to launch.

 

Common OAuth2 Vulnerabilities from HackerOne’s Public Disclosure

Let’s take a look at some common attack vectors or vulnerabilities against OAuth2 by referring to HackerOne public disclosure reports, so that each vulnerability is illustrated by an actual disclosed exploitation. At the end of each of the following sections, you will also learn how to mitigate the vulnerability.

 

Vulnerability 1: Missing validation in redirect_uri leads to access token takeover

HackerOne Reports:

https://hackerone.com/reports/665651
https://hackerone.com/reports/405100

The redirect_uri parameter in the OAuth2 workflow is used by the authorization server as the location to which it delivers the access_token or auth_code by means of a browser redirect. In Figure 1, the redirect_uri parameter is set by the client application as part of the request to the authorization server in step 2, when a web user clicks the login button. After the authorization server validates the credentials (step 6), it sends back the auth_code (or the access_token, step 7 in Figure 2 for an implicit grant) as a parameter appended to the redirect_uri supplied in step 2.

If an attacker can get the victim to send a request to the authorization server with a redirect_uri controlled by the attacker, and the authorization server does NOT validate the redirect_uri, the access_token (or auth_code) will be delivered to the attacker-controlled URI.

The case of stealing users’ OAuth tokens via redirect_uri is, unfortunately, a typical one: the authorization server validates the redirect_uri poorly, and the attacker bypasses that validation with a malicious link they control.

 
Mitigation

Implement robust redirect_uri validation on the authorization server using the following approach:

  1. Match the redirect_uri against the redirect URIs registered for the client_id on the authorization server, so that only a URI registered for that client_id is accepted.
  2. Use a whitelist approach if the number of client applications is manageable.
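As an added illustration (not code from the reports or from Coupa), here is how an authorization server can resolve the redirect_uri by exact string matching against the URIs registered for the client_id, which is what the OAuth 2.0 security best current practice recommends, next to the weak prefix check that redirect_uri bypasses typically defeat. REGISTERED_CLIENTS and the URIs in it are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed client registry: client_id -> redirect URIs registered for it.
# A real authorization server loads this from its client database.
REGISTERED_CLIENTS = {
    "webapp-123": (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-v2",
    ),
    "legacy-789": ("https://legacy.example.com/cb",),
}


def weak_prefix_check(client_id: str, redirect_uri: str) -> bool:
    """The pattern behind many redirect_uri bypasses: accepting any value that
    merely starts with a registered URI. Shown only for contrast."""
    return any(redirect_uri.startswith(uri)
               for uri in REGISTERED_CLIENTS.get(client_id, ()))


def resolve_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> Optional[str]:
    """Return the URI the auth_code (or access_token) may be delivered to, or
    None when the request must be answered with an error page and no redirect.

    Rules:
      * unknown client_id     -> reject
      * redirect_uri omitted  -> allowed only if exactly one URI is registered
      * redirect_uri supplied -> must equal a registered URI exactly (whole
        string, case-sensitive): no prefix, suffix, wildcard or host-only match
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return None
    if redirect_uri is None:
        return registered[0] if len(registered) == 1 else None
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:          # malformed netloc, e.g. unbalanced IPv6 brackets
        return None
    # Defence in depth: a registered URI never carries userinfo or a fragment,
    # so reject those before the comparison even runs.
    if parts.username is not None or parts.fragment:
        return None
    return redirect_uri if redirect_uri in registered else None
```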

 

Vulnerability 2: Missing state parameter validation leads to a CSRF attack

HackerOne Reports:

https://hackerone.com/reports/111218
https://hackerone.com/reports/13555

In OAuth2 implementation, the state parameter (initialized under step 2) allows client applications to restore the previous state of the user. The state parameter preserves some state object set by the client in the authorization request and makes it available to the client in the response.

Here is the correct implementation of the state parameter:

  1. The client application initiates the request to the authorization server with a state parameter in the request URL (Step 2).
  2. The client application stores the state value in the current session (Step 2).
  3. The authorization server sends the access_token back to the client application (Step 7 in Figure 2) together with the state parameter.
  4. The client application compares the state stored in the current session with the state parameter returned by the authorization server. If they match, the access_token is consumed by the client application; otherwise it is discarded, which prevents the CSRF attack.

However, since the state parameter is not required for a successful OAuth2 workflow, it is very often omitted or ignored during OAuth2 implementation. Without validation of the state parameter, a CSRF attack can easily be launched against the client application.

 

This HackerOne report is a very good example of how an attacker can attach their account to a different account in the client application due to the lack of a state parameter. Sometimes, even when the state parameter is present in the callback request from the authorization server, it is still not validated, leaving the application vulnerable to a CSRF attack.

 

Mitigation

Ensure the state parameter is passed between requests and state validation is implemented so that an attacker could not attach their account to the victim’s account.

Vulnerability 3: Client_secret mistakenly disclosed to the public

HackerOne Report:

https://hackerone.com/reports/272824
https://hackerone.com/reports/397527

The client_secret is used by the client application when it requests the authorization server to exchange the auth_code for the access_token (step 8 in Figure 1). The client_secret is a secret known only to the client application and the authorization server.

Some developers accidentally disclose the client_secret to end users because the access_token retrieval request (step 8 in Figure 1) is mistakenly executed by front-end JavaScript code rather than performed over the back-end channel.

In this HackerOne report about token disclosure, the client_secret is publicly exposed in the HTML page because the exchange of the auth_code for the access_token (Step 8 in Figure 1) is executed by a piece of JavaScript code.

 
Mitigation

To avoid disclosing the client_secret to the public, developers should first understand which OAuth2 grant fits their application, as there are different OAuth2 options for different kinds of applications. If your client application has a back-end server, the client_secret should never be exposed to the public, because the interaction with the authorization server can be completed over a back-end channel. If your client application is a single-page web application or a mobile app, you should choose a different OAuth2 grant type. For example, use the Authorization Code grant with PKCE instead.
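To show the state handling from Vulnerability 2 and the PKCE alternative to a client_secret from Vulnerability 3 in one place, here is an added example (not Coupa's code nor code from the reports) of the client side of an Authorization Code flow with PKCE: the state and code_verifier are kept in the server-side session, the callback is accepted only once and only with a matching state, and the token request carries a code_verifier instead of a client_secret. AUTHORIZE_URL, CLIENT_ID, REDIRECT_URI and the plain dict used as a session are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"  # assumed
CLIENT_ID = "webapp-123"                                     # assumed
REDIRECT_URI = "https://app.example.com/oauth/callback"      # assumed


def code_challenge_for(code_verifier: str) -> str:
    """S256 challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session: Dict[str, str]) -> str:
    """Step 2: build the authorization request. The random state and the PKCE
    code_verifier live only in the user's server-side session; the browser
    sees the state and the *challenge*, never the verifier."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)   # 86 unreserved chars, within 43..128
    session["oauth_state"] = state
    session["oauth_code_verifier"] = code_verifier
    params = {
        "response_type": "code",                # authorization code, not implicit "token"
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": code_challenge_for(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: Dict[str, str],
                    callback_params: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Steps 7-8: validate the callback and return the body the back end POSTs
    to the token endpoint, or None when the callback must be rejected.
    The stored state is consumed on first use, so a callback is accepted at
    most once, and a missing or mismatching state fails closed."""
    expected_state = session.pop("oauth_state", None)
    code_verifier = session.pop("oauth_code_verifier", None)
    received_state = callback_params.get("state")
    code = callback_params.get("code")
    if not (expected_state and code_verifier and received_state and code):
        return None
    if not hmac.compare_digest(expected_state.encode(), received_state.encode()):
        return None
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,    # must repeat the value used in step 2
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,  # proves possession; no client_secret needed
    }
```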

 

Vulnerability 4: Pre-account takeover

HackerOne Report:

https://hackerone.com/reports/1074047

A pre-account takeover could occur when the following two conditions are met:

  1. The client application supports multiple authentication methods, using a login with a password and a third-party service (like Facebook or Google) as an OAuth authentication provider.
  2. Either the client application or the third-party service does not perform email verification during the signup process.

This HackerOne report details how a misconfigured OAuth integration can lead to a pre-account takeover:

  1. The attacker creates an account with the victim’s email address and the attacker’s password before the victim has registered on the client application.
  2. The victim then logs in through a third-party service, like Google or Facebook.
  3. The victim performs some sensitive actions in the client application. The client application saves these actions, and it will probably use the email address as the identifier for its users in the database.
  4. Now the attacker can log in as the victim and read the sensitive data added by the victim, using the victim’s email address and the password the attacker created in step 1.
 
Mitigation

Perform email verification when creating a new user, so that an account cannot be created for an address the person registering does not control.

 

Vulnerability 5: OAuth2 access_token is leaked through referrer header

HackerOne Reports:

https://hackerone.com/reports/835437
https://hackerone.com/reports/787160
https://hackerone.com/reports/202781

One weak point in the design of OAuth2 itself is that the implicit grant type passes the access_token in the URL. Once you put sensitive data in a URI, you risk exposing that data to third-party applications, and this applies to OAuth2 implementations as well.

In this HackerOne report about access_token smuggling, for example, the access_token was exposed to a third-party website controlled by the attacker after a chained redirection by taking advantage of the referrer header.

 
Mitigation

As this is a design issue of OAuth2, the easiest mitigation method would be strengthening the referrer header policy with <meta name="referrer" content="origin" />.

 

Vulnerability 6: OAuth2 login bypass due to lack of access_token validation

HackerOne Report:

https://hackerone.com/reports/245408

A lack of access_token validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.

Once the authorization server sends the access_token back to the client application, the client application needs to bind the access_token to a user identity in order to create a session for that user. The vulnerability is exploited when an attacker binds their own access_token to an arbitrary user identity and thereby impersonates that user without logging in.

In this HackerOne report, the security researcher was able to log in as any user simply by supplying the victim’s email address, because the client application did not validate whether the access_token belonged to that user.

 
Mitigation

The client application should validate that the access_token actually belongs to the user it is about to bind it to, rather than trusting a user identity supplied alongside the token.
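Vulnerability 4 and Vulnerability 6 are both failures to bind an identity correctly, so one added example (not from Coupa or the reports) covers both: the client application derives the identity from the token itself via the provider's token-info lookup, checks that the token was issued to its own client_id, and attaches a provider login to an existing local account only when the email address is verified on both sides. CLIENT_ID, the FAKE_TOKEN_INFO table and the shape of the introspection response are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CLIENT_ID = "webapp-123"  # assumed: the client_id this application registered


@dataclass
class LocalUser:
    email: str
    email_verified: bool
    password_hash: Optional[str] = None
    oauth_subjects: Dict[str, str] = field(default_factory=dict)  # issuer -> sub


@dataclass
class ProviderIdentity:
    issuer: str
    sub: str
    email: str
    email_verified: bool


# Constructed stand-in for the provider's token-info endpoint (in reality an
# HTTPS call). Keyed by token; the second token was issued to another client.
FAKE_TOKEN_INFO = {
    "tok-victim": {"active": True, "aud": "webapp-123", "iss": "https://idp.example",
                   "sub": "sub-victim", "email": "Victim@example.com", "email_verified": True},
    "tok-other-app": {"active": True, "aud": "some-other-app", "iss": "https://idp.example",
                      "sub": "sub-attacker", "email": "victim@example.com", "email_verified": True},
}


def fake_introspect(token: str) -> Optional[dict]:
    return FAKE_TOKEN_INFO.get(token)


def identity_from_token(token: str,
                        introspect: Callable[[str], Optional[dict]]) -> Optional[ProviderIdentity]:
    """Vulnerability 6: the identity is whatever the provider says the token
    belongs to, never an email the caller supplied. The token must be active
    and issued to this client_id (aud); a token for another app proves nothing."""
    info = introspect(token)
    if not info or not info.get("active") or info.get("aud") != CLIENT_ID:
        return None
    return ProviderIdentity(info["iss"], info["sub"], info["email"].lower(),
                            bool(info.get("email_verified")))


def register_with_password(email: str, password_hash: str,
                           users: Dict[str, LocalUser]) -> Optional[LocalUser]:
    """Password signup: the address stays unverified until its owner confirms it."""
    email = email.lower()
    if email in users:
        return None
    users[email] = LocalUser(email, email_verified=False, password_hash=password_hash)
    return users[email]


def login_with_provider(identity: ProviderIdentity,
                        users: Dict[str, LocalUser]) -> Optional[LocalUser]:
    """Vulnerability 4: a provider login is attached to an existing local account
    only when both the provider and this application have verified the address.
    Returns the logged-in user, or None when verification must happen first."""
    existing = users.get(identity.email)
    if existing is None:
        user = LocalUser(identity.email, identity.email_verified,
                         oauth_subjects={identity.issuer: identity.sub})
        users[identity.email] = user
        return user
    linked_sub = existing.oauth_subjects.get(identity.issuer)
    if linked_sub == identity.sub:
        return existing
    if linked_sub is None and existing.email_verified and identity.email_verified:
        existing.oauth_subjects[identity.issuer] = identity.sub
        return existing
    return None
```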

 

Summary

The OAuth2 framework is complicated and allows a great deal of flexibility in implementation. Because of this flexibility, the security of an OAuth2 implementation is in the hands of the developers. Developers with a strong security mindset can make an implementation more secure; developers with less security training are likely to introduce security holes during OAuth2 implementation. For any organization, it’s vital to train and educate your developers in the latest security best practices to reduce risk during OAuth2 implementation.

At Coupa, our engineers are committed to following the latest OAuth2 security best practices to make sure our OAuth2 implementation is secure.
