« All posts

$13,337 Bounty: Google Device Code Flow Account Takeover Bug

Google paid a $13,337 bounty for a confused-deputy flaw in its RFC 8628 device authorization flow enabling account takeover.

A security researcher disclosed a critical confused-deputy vulnerability in Google's implementation of RFC 8628, the device authorization grant used for TV and CLI logins via a second-screen flow. The authorization server failed to verify that the client_id and scope in the consent URL matched those originally issued for the device_code, and the session itself was transferable across browsers.

Combined with the prompt=none parameter, this validation gap enabled a one-click, invisible account takeover requiring no victim interaction. The bug undermines the core trust assumption of the device flow — that a code is bound to a specific client and scope — highlighting a systemic risk in OAuth 2.0 device authorization implementations.

Google confirmed and paid out a $13,337 bounty for the report. The finding offers engineers a concrete case study on why device flow implementations must strictly bind client_id and scope to issued device codes and guard against cross-session token portability.