OAuth Marketplace Apps Keep Access After Publishers Vanish

Help Net Security, Jun 4, 2026

Why It Matters

The findings expose a large, persistent supply-chain risk: a compromised or abandoned marketplace app keeps whatever access its users consented to, long after the publisher stopped maintaining it, so organizations must treat OAuth grants as an ongoing identity-security concern rather than a one-time approval decision.

Key Takeaways

  • 32% of marketplace apps show at least one exposure signal.
  • Over‑broad scopes affect 677 apps, covering 1.82 billion installs.
  • 206 apps have dead publisher domains; 89 can be bought.
  • AI‑powered apps with write access reach 81.6 million installations.
  • Continuous grant review recommended to mitigate drift after approval.

Pulse Analysis

The Google Workspace and GitHub Marketplaces have become de facto app stores for enterprises, offering one-click OAuth consent that instantly unlocks email, files, code repositories and even organization-wide settings. Offroad's OhAuth project catalogued 2,890 public listings and estimated a lower-bound install base of 4.39 billion instances. That scale alone makes the marketplaces a critical attack surface: a single compromised publisher inherits the permissions already granted across millions of tenants, turning a legitimate integration into a supply-chain conduit for data exfiltration or ransomware without any new consent prompt.

The audit uncovered three systemic problems. First, 32% of apps (918 listings) displayed structural exposure signals, with 677 applications requesting permissions that exceed their advertised purpose; those 677 apps account for 1.82 billion installs. Google's coarse scope granularity forces many apps to request "edit" rights that also grant delete capabilities, inflating the attack surface beyond what the app actually needs. Second, 206 apps are tied to dead publisher domains, and 89 of those domains are now available for purchase: whoever registers one inherits the publisher's mail, and with it the account-recovery flows that depend on that mail. Finally, 49 AI-driven apps hold broad write access, exposing a further 81.6 million installations to actions the model can take autonomously, with no human reviewing each one.

For security teams, the findings signal a shift from one-time marketplace vetting to continuous identity risk management. Best practices include assigning a business owner to every high-privilege grant, enforcing least-privilege scopes at consent time, and instituting periodic grant renewal cycles so that access expires unless someone re-approves it. Automated monitoring of OAuth token activity, combined with review of publisher domain health (does the domain still resolve, and is it still registered to the publisher?), can catch drift before it translates into compromise. While Google and GitHub have introduced pre-publish checks, neither re-validates an app after it is listed, which leaves enterprises holding the risk. A proactive, lifecycle-focused approach is now essential to safeguard the billions of downstream users that rely on marketplace apps.
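The grant-review practice above can be turned into a repeatable audit. The following Python script is an added example and is not code from Help Net Security or from Offroad's OhAuth project: it scores an inventory of OAuth grants against the exposure signals the article describes (scopes broader than the declared purpose, a publisher domain that no longer resolves, write access held by an AI-powered app) plus two lifecycle checks the best-practice paragraph implies (a write grant with no assigned owner, and a grant past its renewal window). The grant records, the purpose-to-scope policy, the list of live domains and the app names are constructed sample data; the scope strings themselves are real Google Workspace and GitHub scope names.

```python
"""Audit OAuth marketplace grants for exposure signals.

Added example, not OhAuth's or the marketplaces' code.  All grant records,
the purpose policy and the domain table are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Iterable

# Scopes that carry write rights (and, for the Google ones, delete rights).
# Real scope identifiers; the set is illustrative, not exhaustive.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/drive",                  # full Drive: read, write, delete
    "https://mail.google.com/",                               # full Gmail, including delete
    "https://www.googleapis.com/auth/admin.directory.user",   # Workspace user administration
    "repo",                                                   # GitHub: push to all repositories
    "admin:org",                                              # GitHub: organization settings
}

# Constructed policy: the narrowest scopes each declared purpose needs.
# Anything a grant holds beyond this is an over-broad scope.
PURPOSE_SCOPES = {
    "read mail": {"https://www.googleapis.com/auth/gmail.readonly"},
    "edit files the user opens": {"https://www.googleapis.com/auth/drive.file"},
    "code review bot": {"repo", "read:org"},
}

RENEWAL_WINDOW = timedelta(days=180)   # assumed renewal cycle


@dataclass(frozen=True)
class Grant:
    app: str
    publisher_domain: str
    purpose: str                 # purpose declared on the marketplace listing
    scopes: frozenset[str]
    granted_on: date
    installs: int
    ai_powered: bool = False
    owner: str | None = None     # business owner accountable for the grant


def audit_grant(g: Grant, domain_resolves: Callable[[str], bool], today: date) -> list[str]:
    """Return the exposure signals raised by one grant, in a fixed order."""
    signals: list[str] = []
    if g.scopes - PURPOSE_SCOPES.get(g.purpose, set()):
        signals.append("OVERBROAD_SCOPE")
    if not domain_resolves(g.publisher_domain):
        signals.append("DEAD_PUBLISHER_DOMAIN")
    writes = g.scopes & WRITE_SCOPES
    if g.ai_powered and writes:
        signals.append("AI_WRITE_ACCESS")
    if writes and g.owner is None:
        signals.append("UNOWNED_WRITE_GRANT")
    if today - g.granted_on > RENEWAL_WINDOW:
        signals.append("RENEWAL_OVERDUE")
    return signals


def audit(grants: Iterable[Grant], domain_resolves: Callable[[str], bool], today: date):
    """Audit every grant; return per-app signals and an install-weighted summary."""
    grants = list(grants)
    findings = {g.app: audit_grant(g, domain_resolves, today) for g in grants}
    exposed = [g for g in grants if findings[g.app]]
    summary = {
        "apps": len(grants),
        "exposed_apps": len(exposed),
        "exposed_installs": sum(g.installs for g in exposed),
    }
    return findings, summary


# --- constructed sample inventory -------------------------------------------
TODAY = date(2026, 6, 4)
LIVE_DOMAINS = {"mailsummary.example", "reviewbot.example"}   # constructed


def stub_resolver(domain: str) -> bool:
    """Offline stand-in for a real check.  In production use socket.getaddrinfo
    and an RDAP/WHOIS lookup so that an expired, registrable domain is caught too."""
    return domain in LIVE_DOMAINS


SAMPLE_GRANTS = [
    Grant("MailSummary", "mailsummary.example", "read mail",
          frozenset({"https://www.googleapis.com/auth/gmail.readonly"}),
          date(2026, 3, 1), installs=120_000, owner="it-ops"),
    Grant("DriveCleaner", "drivecleaner.example", "edit files the user opens",
          frozenset({"https://www.googleapis.com/auth/drive"}),   # full Drive, purpose needs drive.file
          date(2025, 1, 15), installs=2_500_000),                # dead domain, no owner, stale
    Grant("ReviewBot", "reviewbot.example", "code review bot",
          frozenset({"repo", "read:org"}),
          date(2026, 1, 10), installs=40_000, ai_powered=True, owner="appsec"),
]

if __name__ == "__main__":
    findings, summary = audit(SAMPLE_GRANTS, stub_resolver, TODAY)
    for app, signals in findings.items():
        print(f"{app:13s} {', '.join(signals) or 'clean'}")
    print(summary)
```

On the sample inventory, DriveCleaner raises four signals (over-broad scope, dead publisher domain, unowned write grant, renewal overdue), ReviewBot raises only AI_WRITE_ACCESS, and MailSummary is clean; the summary weights the two exposed apps by their 2.54 million installs, the same install-weighted view the OhAuth figures use. Feed the script your tenant's grant export instead of SAMPLE_GRANTS and replace stub_resolver with a live DNS and registration check.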
