Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in Integration Platforms
Kaixuan Luo
34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Web and Mobile Security
This talk, presented by Kaixuan Luo, a PhD candidate at the Chinese University of Hong Kong, examines a critical security vulnerability within the rapidly expanding ecosystem of **integration platforms**. These platforms, ranging from virtual voice assistants such as Alexa and Google Assistant to smart home hubs and modern large language model (LLM) platforms with plugin support (e.g., ChatGPT plugins), are designed to connect and aggregate the functionality of diverse internet applications and IoT devices. The core mechanism enabling this interconnection is **account linking**, predominantly built on the **OAuth 2.0 protocol**. Luo and his team uncover pervasive design flaws in how these platforms implement OAuth 2.0, leading to novel "cross-app" attack vectors.
AI review
Solid original research that systematically maps a real, underexplored attack surface — OAuth 2.0 misimplementation in the inverted-client architecture of integration platforms — and produces a concrete, reproducible finding (CVSS 9.6 CVE in Microsoft Power Automate) at scale across 16 of 18 major platforms. The theoretical framing connecting these to mix-up attacks is intellectually honest, and the explanation of why existing defenses (PKCE, issuer-based) fail in this specific ecosystem is technically precise rather than hand-wavy. Drops just short of five stars because the proposed fix…