The security of OAuth2 providers has increased tremendously over the past several years; however, some common (and uncommon) pitfalls still remain. This presentation will, as part of our red track, showcase a collection of vulnerabilities, including account takeovers requiring no user interaction, cross-site request forgery vulnerabilities allowing account control, authorization issues with high or critical impact, and other miscellaneous bugs in some of the world's largest companies. All of the examples have been fixed, and each will include a root cause analysis, proof-of-concept steps, how companies like Facebook, Microsoft and PayPal approached fixing these issues, and how you can avoid these bugs as either the provider or a client.
Josip Franjković is a freelance security researcher and a "bug bounty hunter". Throughout his career he has reported over 200 verified vulnerabilities to companies like Facebook, Google, Microsoft, PayPal, Yahoo and others, with a main focus on authentication and authorization vulnerabilities.
Josip is a Diamond league HackerPlus member on Facebook, and tops their whitehat list for the '17-'19 period. He has also participated in live hacking events around the world for PayPal, Yahoo and Facebook, where he was asked to find vulnerabilities in yet-to-be-released software and hardware, winning one of them and placing among the top three participants multiple times.