Code Substitution (OAuth Login)

An attacker could attempt to log into an application or web site using a victim's identity. Applications relying on identity data provided by an OAuth protected service API to login users are vulnerable to this threat. This pattern can be found in so-called 'social login' scenarios.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section


This threat is considered fully mitigated if all the test cases from the following test set succeed.

Back to the threat overview