Code Room
On-call · Hard · oc-g606

Subject: Security (OAuth token leak)
Level: Senior–Staff
Time: ~40 min
Common in Security interviews
Industries: Software development, Technology

Question

A bug-bounty report comes in: your OAuth callback page, after exchanging the authorization code, briefly lands on a URL that carries the access token in a query parameter (…/welcome?access_token=…) before a client-side redirect strips it. That page embeds third-party analytics and an ad pixel. Because the token is in the page URL, it leaks to those third parties via the Referer header, and it has been recorded in your CDN access logs and by the analytics vendor for months. The access tokens are bearer tokens valid for 1 hour, issued alongside a 30-day refresh token. You're the on-call security engineer. Triage and respond.

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Here that means: get the token out of the URL (or take the page down) and start revoking sessions before anything else, then scope the exposure from the CDN and vendor logs rather than guessing. Remember that the 1-hour access token is the symptom; the 30-day refresh token and the live session behind each leaked token are what an attacker replays, so revocation has to reach them. Separate root cause (tokens transported in a URL) from symptom (tokens in logs and Referer headers), communicate status as you go, and close with what prevents a repeat: tokens never in URLs, a Referrer-Policy on authenticated pages, log scrubbing, and a regression test on the callback.
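The two concrete pieces of the response above, scoping the leak from logs and fixing the callback, as an added example. This is not code from the page or from any real product: the log lines, host names and token values are constructed, the session store is an in-memory Map standing in for whatever the real app uses, and the handler returns a plain response object rather than using a specific web framework.

```javascript
// Added example for the OAuth-token-in-URL incident. All data below is
// constructed for illustration; tokens and hosts are invented.

// --- 1. Scope the leak: pull access_token values out of CDN access logs ---

// Constructed sample lines in combined log format (request, status, bytes,
// Referer, User-Agent). Lines 2 and 3 show the same token first in the
// request line and then leaking to a third-party asset through the Referer.
const SAMPLE_CDN_LOG = [
  '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /oauth/callback?code=c0de&state=s1 HTTP/1.1" 302 0 "https://idp.example/authorize" "Mozilla/5.0"',
  '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /welcome?access_token=tokA HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://app.example/welcome?access_token=tokA" "Mozilla/5.0"',
  '198.51.100.9 - - [12/Mar/2024:10:05:44 +0000] "GET /welcome?access_token=tokB HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [12/Mar/2024:10:07:00 +0000] "GET /dashboard HTTP/1.1" 200 9000 "https://app.example/welcome" "Mozilla/5.0"',
];

// ip, time, method, path, status, referer, user-agent
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// The access_token query value in a URL (absolute or path-only), or null.
function tokenInUrl(url) {
  if (!url || url === '-') return null;
  try {
    return new URL(url, 'https://placeholder.invalid').searchParams.get('access_token');
  } catch (e) {
    return null;
  }
}

// Report every sighting of a token and the distinct set that needs revoking.
// Both the request line and the Referer are checked: the Referer is the path
// by which the token reached the analytics vendor and the ad network.
function findLeakedTokens(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, time, , path, , referer] = m;
    for (const [where, url] of [['request', path], ['referer', referer]]) {
      const token = tokenInUrl(url);
      if (token) hits.push({ ip, time, where, token });
    }
  }
  const tokens = [...new Set(hits.map((h) => h.token))].sort();
  return { hits, tokens };
}

// Never paste raw bearer tokens into the incident ticket; record a redacted form.
function redact(token) {
  return token.slice(0, 3) + '...(' + token.length + ' chars)';
}

// --- 2. Fix the callback: keep the token out of the URL entirely ---

// BEFORE (the behaviour in the report): the token rides in the query string,
// so it is written to CDN logs, browser history and third-party Referers.
function callbackResponseVulnerable(tokenResponse) {
  return {
    status: 302,
    headers: {
      Location: '/welcome?access_token=' + encodeURIComponent(tokenResponse.access_token),
    },
  };
}

// AFTER: tokens stay server-side in a session keyed by an opaque id that the
// browser only holds in an HttpOnly cookie. The landing URL is clean, the
// response is uncacheable, and Referrer-Policy is defence in depth so the
// page cannot leak its URL to embedded third parties even if a query
// parameter is ever reintroduced.
function callbackResponseFixed(tokenResponse, sessionStore, sessionId, now = Date.now()) {
  sessionStore.set(sessionId, {
    accessToken: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    expiresAt: now + tokenResponse.expires_in * 1000,
  });
  return {
    status: 302,
    headers: {
      Location: '/welcome',
      'Set-Cookie': 'sid=' + sessionId + '; Path=/; Secure; HttpOnly; SameSite=Lax',
      'Cache-Control': 'no-store',
      'Referrer-Policy': 'no-referrer',
    },
  };
}

// Regression check for CI: no redirect issued by the callback may carry a token.
function redirectLeaksToken(response) {
  return tokenInUrl(response.headers.Location) !== null;
}
```

The scan yields access tokens, which are the short-lived half of the problem. To revoke what actually matters, map each leaked token to its subject (your own session records, or the identity provider's introspection endpoint) and revoke that user's refresh tokens and active sessions, then request purges from the CDN and the analytics vendor. The `Referrer-Policy` header is not the fix on its own; the fix is that the token never appears in a URL.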
