The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
https://thehackernews.com/2026/05/the-back-door-attackers-know-about-and.html
Publish Date: 2026-05-05 07:58:00
Source Domain: thehackernews.com
Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don’t see it. Your MFA doesn’t stop it. And when an attacker gets hold of one, they don’t need a password.
OAuth grants don’t expire when employees leave. They don’t reset when passwords change. And in most organizations, nobody is watching them.
The model made sense when a handful of IT-approved apps needed calendar access. It doesn’t hold up when every employee is independently wiring AI tools, workflow automations, and productivity apps directly into their Google or Microsoft environment — each one receiving a persistent, scoped token with no automatic expiration and no centralized visibility.
That’s not a misconfiguration. It’s how OAuth is designed to work. The gap is that most security programs weren’t built to account for it at scale.
CISOs know it’s a problem. Most aren’t solving it.
New research from Material Security quantifies the gap between awareness and action. 80% of security leaders consider unmanaged OAuth grants a critical or significant risk. Most have said as much for years.

But awareness doesn’t translate directly into capability. A substantial portion of organizations (45%) are doing nothing to monitor OAuth grants at scale. Many of the rest (33%) are running manual processes — tracking grants in spreadsheets, reviewing permissions on an ad hoc basis, relying on employees to flag unusual app behavior.

Spreadsheets are not a threat response capability. They’re a record of how much exposure an organization doesn’t know it has.
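One way to replace the spreadsheet review described above with an automated pass over a grant inventory, shown here as an added example that is not from the article or from Material Security's product. The inventory, app names, users and dates are constructed; the scope URIs are real Google OAuth scopes. Because a grant never expires on its own, the review keys on three things the article calls out: whether the grant's owner has left, how broad the scopes are, and whether the token is still being exercised.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Real Google OAuth scope URIs that grant broad mailbox or Drive access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}

@dataclass(frozen=True)
class Grant:
    user: str                  # account that authorized the app
    app: str                   # third-party app name (hypothetical)
    scopes: tuple              # scopes the user consented to
    last_used: Optional[date]  # None if the token has never been exercised

def review_grants(grants, active_users, today, stale_days=90):
    """Flag grants to revoke or inspect, keyed by (user, app) -> reasons."""
    findings = {}
    for g in grants:
        reasons = []
        if g.user not in active_users:
            reasons.append("user offboarded")  # the token keeps working
        for scope in sorted(HIGH_RISK_SCOPES & set(g.scopes)):
            reasons.append(f"high-risk scope: {scope}")
        if g.last_used is None or (today - g.last_used).days > stale_days:
            reasons.append(f"stale: unused for more than {stale_days} days")
        if reasons:
            findings[(g.user, g.app)] = reasons
    return findings

def run_sample():
    # Constructed inventory standing in for an export of third-party app
    # grants from the identity provider; dates are illustrative.
    today = date(2026, 5, 5)
    active = {"alice@example.com", "bob@example.com"}  # carol has left
    cal = "https://www.googleapis.com/auth/calendar.readonly"
    grants = [
        Grant("alice@example.com", "ai-notes-summarizer",
              ("https://mail.google.com/", cal), date(2026, 5, 4)),
        Grant("carol@example.com", "workflow-automator",
              ("https://www.googleapis.com/auth/drive",), date(2026, 4, 30)),
        Grant("bob@example.com", "calendar-sync", (cal,), date(2025, 12, 1)),
        Grant("bob@example.com", "meeting-bot", (cal,), date(2026, 5, 1)),
    ]
    return review_grants(grants, active, today)
```

Note that carol's grant was used days ago even though her account is no longer active, which is exactly the case a password reset or account suspension alone does not catch.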
It’s not theoretical risk
The argument for OAuth visibility often gets framed as employees piping sensitive information into third-party tools without IT visibility. That’s a real problem, but it’s the smaller one. The more pressing…