@asanso reported a vulnerability where a previously authorized OAuth application could have the scopes associated with its OAuth token removed via CSRF. Before an OAuth application has been authorized, a user is required to confirm the scopes that the OAuth application is requesting. Once authorized, future OAuth flows that contain the same requested scopes are automatically validated and the user is redirected to the OAuth application. If an OAuth application requests additional scopes, the user is required to authorize those as well.
@asanso observed that initiating an OAuth flow requesting fewer scopes did not require the user to authorize the removal of these scopes. As a result, an attacker could CSRF the OAuth flow for an authenticated user and silently remove scopes from the OAuth token associated with a previously authorized application. This could break functionality if the OAuth application relies on the scopes that were removed. We addressed this issue by requiring users to confirm any change in scopes for an authorized OAuth application.