Salt Labs researchers identified generative AI ecosystems as a new, interesting attack vector. Vulnerabilities found during this research on the ChatGPT ecosystem could have granted access to users' accounts, including their GitHub repositories, including through 0-click attacks.
Bruh wut, rookie mistake.
State is supposed to be mathematically random and should expire fairly quickly.
I always have used a random GUID that expires after 10-15 minutes for state; if they try to complete the OAuth flow with an expired state value, I reject it and ask them to try again.
Also yeah, the redirect URI trick is common, that’s why OAuth APIs must always have a “whitelist URLs” functionality. And not just the domain, the whole URL.
That’s why when you make a Google API token you gotta specify what URLs it’s valid for explicitly. That way any other, different redirect URI gets rejected, to prevent an injection attack from a third party providing their own different redirect URI to a victim.
OAuth is pretty explicit about all these things in its spec. It really sucks that people treat them as optional, “not important” factors.
It’s important. Do it. Always.
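The two controls the comment above describes (a random, short-lived, single-use state value and an exact-match allowlist of complete redirect URIs), as an added Python example that is not code from the thread; the allowlisted callback URL, the 10-minute TTL and the in-memory store are assumptions.

```python
import secrets
import time
from urllib.parse import urlsplit

# Assumed values for this example only.
STATE_TTL_SECONDS = 10 * 60

# Allowlist of complete redirect URIs (scheme, host, path), not just domains:
# a domain-only check would accept any path or subdomain the attacker controls.
ALLOWED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def redirect_uri_allowed(uri):
    """Exact string match against the allowlist: no wildcard, prefix or domain match."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return uri in ALLOWED_REDIRECT_URIS


class OAuthStateStore:
    """Issues single-use, expiring state values and validates the callback."""

    def __init__(self, ttl=STATE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock      # injectable clock so expiry can be tested deterministically
        self._pending = {}      # state -> (issued_at, redirect_uri bound at issue time)

    def issue(self, redirect_uri):
        """Start a flow: refuse unlisted redirects, bind a CSPRNG state to the redirect."""
        if not redirect_uri_allowed(redirect_uri):
            raise ValueError("redirect_uri is not on the exact-match allowlist")
        state = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter
        self._pending[state] = (self.clock(), redirect_uri)
        return state

    def consume(self, state, redirect_uri):
        """Return True exactly once for a fresh, unexpired state bound to this redirect."""
        entry = self._pending.pop(state, None)  # single use: gone after first lookup
        if entry is None:
            return False                        # unknown, replayed or forged state
        issued_at, bound_uri = entry
        if self.clock() - issued_at > self.ttl:
            return False                        # expired: make the user restart the flow
        return bound_uri == redirect_uri        # redirect must match what was issued
```

Rejecting on `consume` returning False (and restarting the flow) is the "try again" behaviour the comment describes.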