Dangling DNS records enable OAuth token interception in enterprise SSO flows.
We identified a class of vulnerability where expired subdomain DNS records can be reclaimed to intercept OAuth authorization codes during enterprise SSO flows. We scanned Fortune 500 companies and found 23 exploitable dangling records across 15 organizations. Affected vendors were notified through our coordinated disclosure process.