Slack: State parameter missing on google OAuth

2014-03-02T07:24:30
ID H1:2688
Type hackerone
Reporter appsecure_in
Modified 2014-04-06T19:40:03

Description

Hi,

State parameter, i.e. an anti-CSRF token to prevent session hijacking attacks, is missing on Google OAuth.

i.e. https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=https%3A%2F%2Fslack.com%2Fservices%2Fauth%2Fgdrive&client_id=19570130570-tfuuvh6hutjd09bq64is5sao643q67jg.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&access_type=offline&approval_prompt=force&state=sehacure

As we can see in the above URL, there is no state parameter to maintain session identity.

Best regards, Anand
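The defence the report asks for, as an added example that is not part of the original report or of Slack's code: an OAuth client that generates an unguessable per-session `state` value, sends it in the authorization request, and on the callback accepts the authorization code only if a `state` is present, matches the one bound to this session, and has not been used before. Without that check an attacker can complete the authorization flow with their own account and get the victim's browser to deliver the resulting code to the redirect URI, so the victim's Slack session ends up linked to the attacker's Google Drive. The `session` dict stands in for a real server-side session store, and the client id and scope are constructed placeholders, not Slack's values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's authorization endpoint as it appears in the report.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def build_authorization_url(session, client_id, redirect_uri, scope):
    """Create a fresh random state, bind it to the caller's session and
    include it in the authorization request. `session` is assumed to be a
    dict backed by a server-side session store."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "access_type": "offline",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the redirect back to our site. Returns the authorization
    code only when the state is present, matches the session's copy and
    is being used for the first time; otherwise raises ValueError."""
    query = parse_qs(urlparse(callback_url).query)
    # pop() makes the value single-use, so a captured callback cannot be replayed
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing OAuth state: request was not started by this session")
    # constant-time comparison avoids leaking the expected value through timing
    if not hmac.compare_digest(expected, received):
        raise ValueError("OAuth state mismatch: possible login CSRF")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("missing authorization code")
    return code


def demo():
    """Walk through a legitimate flow and two rejected callbacks."""
    redirect_uri = "https://slack.com/services/auth/gdrive"
    # constructed placeholder values, not Slack's real client id
    client_id = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    scope = "https://www.googleapis.com/auth/drive"

    # 1. Legitimate user: state round-trips and the code is accepted.
    session = {}
    url = build_authorization_url(session, client_id, redirect_uri, scope)
    state = session["oauth_state"]
    code = handle_callback(session, f"{redirect_uri}?code=good-code&state={state}")

    # 2. Forged callback with no state at all (the situation the report describes).
    session_b = {}
    build_authorization_url(session_b, client_id, redirect_uri, scope)
    try:
        handle_callback(session_b, f"{redirect_uri}?code=foreign-code")
        no_state_rejected = False
    except ValueError:
        no_state_rejected = True

    # 3. Forged callback carrying a state value the attacker guessed or reused.
    session_c = {}
    build_authorization_url(session_c, client_id, redirect_uri, scope)
    try:
        handle_callback(session_c, f"{redirect_uri}?code=foreign-code&state=sehacure")
        wrong_state_rejected = False
    except ValueError:
        wrong_state_rejected = True

    return {
        "url_has_state": f"state={state}" in url,
        "accepted_code": code,
        "no_state_rejected": no_state_rejected,
        "wrong_state_rejected": wrong_state_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The state must be bound to the browser session that started the flow (cookie-backed session here), not merely echoed by the client, and it should be consumed on first use; a static or guessable value such as a fixed string gives no protection because the attacker can simply include it in the forged callback.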