Description
The OAuth authentication flow is initiated in the same browser window/tab.
There are no protections in place to prevent the login page from being controlled by a malicious parent window (e.g., via window.location.replace()).
This flaw enables an attacker to manipulate the OAuth handshake by opening a login page inside a controlled environment and redirecting the flow to their own OAuth client. As a result, the victim unknowingly grants access to their authentication provider account, which can then be used to compromise their account.
Clarification on Vulnerability Classification
This vulnerability arises from a technical misconfiguration—specifically, the missing Cross-Origin Opener Policy (COOP)—that allows access token theft and subsequent email access.
This is a chained attack resulting from technical misconfigurations.
The absence of COOP allows a malicious window to control the login flow.
This control permits interception of OAuth tokens, including those with mail scope.
The attacker reads the victim’s emails, including password reset messages.
This enables complete account takeover via password reset.
Attack Scenario:
A malicious parent window opens the OAuth login page.
The parent window monitors navigation changes in the victim’s window (e.g., detecting "Sign in with Google").
The parent window intercepts and redirects the OAuth flow to a malicious endpoint, tricking the victim into authorizing the attacker's OAuth client.
Once an attacker obtains an access token with mail scope, they can read sensitive emails and use the information for further exploitation.
This attack leverages a standard login flow without requiring any deceptive tactics or UI manipulation.
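The missing COOP header described in the classification section and the parent-window control in the attack scenario above come down to one response header on the login page. The following is an added example, not code from the original issue or from the project it reports on: it evaluates a captured set of response headers for the cross-origin-opener case and shows an Express-style middleware (assumed framework) that sends the hardened value. The header objects are constructed samples.

```javascript
// Added example: not code from the original issue or the project it reports on.
// Evaluates whether a login page's Cross-Origin-Opener-Policy (COOP) response
// header would cut the reference a cross-origin opener window holds on it, and
// shows the header value a server should send.

// With these values, a page opened by a cross-origin window lands in a new
// browsing context group: window.opener is null there and the opener cannot
// navigate it (the window.location.replace() control described above).
const SEVERING_POLICIES = new Set(["same-origin", "same-origin-allow-popups"]);

// Normalise a COOP header value: first token before any ";report-to" parameter.
function parseCoop(value) {
  if (typeof value !== "string") return null;
  const token = value.split(";")[0].trim().toLowerCase();
  return token.length > 0 ? token : null;
}

// Look up a header by case-insensitive name in a plain { name: value } object.
function getHeader(headers, wanted) {
  const hit = Object.entries(headers).find(([n]) => n.toLowerCase() === wanted);
  return hit ? hit[1] : undefined;
}

// Returns { protected, policy, reason } for the cross-origin-opener scenario.
function evaluateCoop(headers) {
  const policy = parseCoop(getHeader(headers, "cross-origin-opener-policy"));
  if (policy === null) {
    return { protected: false, policy: "unsafe-none",
             reason: "header absent; browser default keeps the opener reference" };
  }
  if (SEVERING_POLICIES.has(policy)) {
    return { protected: true, policy, reason: "cross-origin opener is severed" };
  }
  return { protected: false, policy, reason: "value does not sever the opener" };
}

// Express-style middleware (assumed framework) adding the hardened header to
// every response; apply it at least to the login and OAuth callback routes.
function coopMiddleware(req, res, next) {
  res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
  next();
}

// Constructed sample captures (not real responses from any server).
const VULNERABLE_RESPONSE = { "Content-Type": "text/html; charset=utf-8" };
const FIXED_RESPONSE = { "Content-Type": "text/html; charset=utf-8",
                         "cross-origin-opener-policy": "same-origin; report-to=\"coop\"" };
```

If the login page itself opens a provider popup and needs a handle to it, send `same-origin-allow-popups` instead, since `same-origin` would also sever that popup. Either value leaves the parent window in this report without a reference to the login page.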
Impact
This vulnerability allows an attacker to manipulate the OAuth flow and gain unauthorized access to user accounts. The consequences include:
Account Takeover: Complete control over the victim’s account.
Data Breach: Access to sensitive user data, including emails and linked services.
Privilege Escalation: Reading private messages by leveraging mail scope permissions.
Financial & Reputational Risks: Unauthorized access may result in significant damages.