Browser Swapping – How to Hack & How to Fix?
2026-05-29 , Work Lab II

The rediscovered Browser Swapping attack threatens modern OAuth 2 and OpenID Connect deployments. This talk demonstrates how attackers exploit the vulnerability and how you can protect your systems in the short and long term.
When Pedram Hosseini et al. discovered Browser Swapping in 2022, no browser technologies were available to mitigate the attack. As there was no known practical attack vector, applying fixes to the standard was deferred. After Jonas Primbs demonstrated a practical attack at IETF 124 in November 2025, Luke Jennings discovered real-world attacks using Browser Swapping to hijack Azure CLI sessions. While standardization of browser technologies that can fully mitigate web app attacks has just begun, we can at least reduce the likelihood of successful attacks.

This talk will include a live demonstration of a Browser Swapping attack and provide an overview of the many possible attack variations against web and native applications. It will also suggest short-term mitigation strategies and long-term standardization requirements. Participants will understand why Browser Swapping is both feasible and difficult to mitigate, and why new browser and operating system standards are required to mitigate it fully.

Jonas Primbs, M.Sc., has been an IT security researcher at the University of Tübingen, Germany, since 2020. While completing his PhD, he has also been working as an IT security consultant at the penetration testing company SySS GmbH since 2023. With his broad expertise in web application security and modern authentication and authorization standards, he aims to ensure end-to-end security across users and services based on open standards.