OAuth marketplace apps keep access after publishers vanish

June 4, 2026 discoverhiddenusacom Technology

The Hidden Supply Chain: Why Your “Approved” Marketplace Apps Are a Security Black Hole

We live in an era of “plug-and-play” productivity. Need to automate a spreadsheet? Add a Gmail plugin. Looking to streamline your GitHub workflow? There’s an app for that. But beneath the convenience of the Google Workspace and GitHub marketplaces lies a sprawling, invisible attack surface that most organizations are ignoring.

A recent audit by the security researchers at Offroad revealed a staggering reality: nearly a third of all marketplace apps—representing over 1.8 billion potential installs—carry structural risk signals. These aren’t just minor bugs; these are over-privileged gateways into your most sensitive business data.

Pro Tip: Don’t mistake a marketplace listing for a security seal of approval. Platforms conduct point-in-time checks, but they rarely monitor for “permission drift” or abandoned developer domains after an app goes live.

The “Over-Privilege” Epidemic

The most common threat isn’t malicious code—it’s “scope bloat.” Developers often request broad permissions because the OAuth ecosystem lacks granular alternatives. For instance, if an app needs to write to a single Google Sheet, it often requests full “edit, create, and delete” access for every document in your Google Drive.

The numbers are sobering:

  • Over 1.4 billion installs have broad access to Google Drive.
  • 818 million installs hold the keys to company Gmail accounts.
  • 346 apps on GitHub possess direct access to proprietary source code.

Once a user clicks “Allow,” that app inherits your credentials. If the developer’s infrastructure is compromised or their domain is hijacked, the attacker doesn’t need to break into your network—they simply walk through the front door you left unlocked.

The “Zombie” Developer Problem

Security is a living process, but many marketplace apps are effectively “orphaned.” Researchers found hundreds of apps with dead publisher websites or domains that are currently available for purchase at standard registrars.

Imagine a popular backup tool used by thousands of companies. If the original developer lets the domain expire, an attacker could snap it up for a few dollars. They would then control the identity associated with that app, potentially pushing malicious updates or harvesting data from every organization that still has that app enabled. It is a supply-chain nightmare hidden in plain sight.

Did You Know? AI-powered apps present a unique threat. Because these models can make autonomous decisions about what to send or delete, an over-privileged AI plugin is effectively an automated insider threat that operates 24/7 without human oversight.

Future-Proofing Your Identity Strategy

The days of “set it and forget it” for OAuth grants are over. To protect your organization, you must treat third-party app connections as high-risk assets.

Actionable Steps for Admins:

  • Inventory Everything: You cannot secure what you cannot see. Use your Google Workspace or GitHub admin consoles to export a full list of authorized OAuth apps.
  • Assign a Business Owner: Every app must have a human accountable for its use. If no one claims it, revoke it.
  • Rotate High-Risk Grants: Treat OAuth tokens like passwords. Set a cadence to review and re-authorize access for high-privilege apps.
  • Monitor for Anomalies: Watch for unusual API calls from apps that shouldn’t be touching sensitive folders or repositories.
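One way to turn these four steps into a repeatable check, as an added Python example that is not from the article or from Offroad: it runs an exported grant inventory (constructed sample data; the field names are an assumption about what an admin-console export provides) through a scope check, an ownership check and a publisher-domain liveness check, then recommends "review" or "revoke" per grant. The scope strings are real Google and GitHub identifiers; the narrower alternatives suggested next to them are the author's, not the article's.

```python
import socket

# Real Google/GitHub scope strings the article calls over-broad; the narrower alternatives are my suggestions.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive; prefer drive.file",
    "https://mail.google.com/": "full Gmail; prefer gmail.readonly or gmail.send",
    "repo": "full control of private GitHub repos; prefer fine-grained access",
}

# Constructed sample export; the field names are an assumption, and '.example' is a reserved TLD.
SAMPLE_INVENTORY = [
    {"app": "Sheet Sync", "publisher": "sheetsync.example", "owner": "finance-ops",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"app": "PDF Convert", "publisher": "pdfconvert.example", "owner": None,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive.file"]},
    {"app": "Lint Bot", "publisher": "lintbot.example", "owner": "platform-eng",
     "scopes": ["repo"]},
    {"app": "Cal Tidy", "publisher": "caltidy.example", "owner": "it",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

def demo_resolver(host):
    """Offline stand-in for socket.gethostbyname; pretends lintbot.example has lapsed."""
    live = {"sheetsync.example": "203.0.113.1", "pdfconvert.example": "203.0.113.2", "caltidy.example": "203.0.113.3"}
    if host not in live:
        raise OSError(f"{host} does not resolve")
    return live[host]

def audit_grants(inventory, resolve=socket.gethostbyname):
    findings = []  # one entry per grant that is over-scoped, unowned, or has a dead publisher
    for grant in inventory:
        reasons, action = [], "review"
        for scope in grant["scopes"]:
            if scope in BROAD_SCOPES:
                reasons.append(f"broad scope {scope} ({BROAD_SCOPES[scope]})")
        if not grant.get("owner"):  # nobody accountable: revoke, as the article advises
            reasons.append("no business owner assigned")
            action = "revoke"
        try:
            resolve(grant["publisher"])  # socket.gaierror is an OSError subclass
        except OSError:
            reasons.append(f"publisher {grant['publisher']} no longer resolves")
            action = "revoke"  # lapsed domain could be re-registered by anyone
        if reasons:
            findings.append({"app": grant["app"], "action": action, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_INVENTORY, resolve=demo_resolver):
        print(f"{f['action'].upper():7} {f['app']}: " + "; ".join(f["reasons"]))
```

Against a real export, drop the `resolve=demo_resolver` argument so the default `socket.gethostbyname` performs live DNS lookups, and feed the "revoke" rows to your admin console's app-removal workflow.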

Frequently Asked Questions (FAQ)

Does “Verified” on a marketplace mean an app is safe?
No. “Verified” usually means the developer has validated their identity at the time of submission. It does not account for domain expiration, code changes, or evolving security threats after the app is published.
How can I tell if an app has too much access?
Review the “OAuth Scopes” during the installation prompt. If an app for simple file conversion is asking for “Full access to your Gmail,” that is a major red flag.
Should I disable all third-party apps?
Not necessarily. Business efficiency relies on integration. Instead, implement a strict “allow-list” policy where only vetted applications are permitted to connect to your production environment.

Are your employees unknowingly opening your company’s front door? Take a moment today to audit your OAuth permissions. For more deep dives into identity security and supply chain risk, subscribe to our weekly intelligence report or check out our guide on the hidden gaps in automated security tools.
