[0xcrypto]

Hi, author of the blog post here. Yes I understand your concern and I tried keeping Microsoft's name out of the title but couldn't think of anything else. Since the vulnerability only affects the oauth implementation for the connection with Microsoft accounts. Previously the title was "Microsoft OAuth token leak via open redirect in Harvest App" but later I changed it to "Microsoft Account's OAuth tokens leaking via open redirect in Harvest App". I am still considering to change it and open to suggestions.

[nurple]

If only tokens minted by MS were in scope of the vulnerability because of Harvest's outlook integration, maybe something like "Harvest OAuth CSRF Leaks Tokens of Microsoft Outlook Users" or "CSRF in Harvest's Outlook Integration Leaks User Tokens".

If you want to add any editorializing around mitigation, linking to the OAuth RFC[0] that dictates a MUST for binding the users auth state with the request to prevent such attacks would be instructive to readers.

[0] https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

[0xcrypto]

Oh yes, that sounds better. I am changing the title now.

Updated to "Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App"

[dang]

Ok, I've updated the title above to that (shortened a bit to fit HN's 80 char limit). Thanks!

(Submitted title was "Microsoft Account's OAuth tokens leaking via open redirect in Harvest")