Harvest, a time-tracking software that integrates with Outlook Calendar through OAuth, was found to have a vulnerability that resulted in an OAuth token leak. The issue was discovered when a user granted permission and was redirected to a URL that could be manipulated to steal access tokens. The vulnerability was found in the open redirect link:https://outlook-integration.harvestapp.com/auth/outlook-calendar/callback?state=%7b%22return_to%22:%22/%22%2c%22subdomain%22:%22hackerone295%22%7d. By combining the open redirect with the implicit grant flow, access tokens could be leaked to the redirected URL. The Harvest team was slow to respond and took three years to fix the vulnerability. The disclosure timeline and lack of appropriate rewards led to the public disclosure of the report.
https://eval.blog/research/microsoft-account-token-leaks-in-harvest/