x.com/BrendanFalk/status/2045953132770025769?s=20
1 correction found
http://110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
The published IOC is the OAuth client ID `110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com` — without an `http://` prefix. Adding `http://` turns it into a URL, not the client ID Google and Vercel identify.
Full reasoning
Vercel’s official security bulletin lists the indicator of compromise as:
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
There is no http:// prefix in Vercel’s published IOC. Google’s documentation also describes OAuth client IDs as identifiers in the ...apps.googleusercontent.com format, not as URLs. For example, Google says “A client ID looks like the following example: 1234567890-abc123def456.apps.googleusercontent.com.”
That matters here because the Google Admin console’s app-access view shows the app’s full OAuth2 client ID. Prepending http:// changes the value from a client ID into a URL-like string, which is not the identifier Vercel published and may fail to match when filtering by ID.
3 sources
- Vercel April 2026 security incident | Vercel Knowledge Base
Indicators of compromise (IOCs) ... OAuth App: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
- Streamlined Linking with OAuth and Google Sign-In | Google for Developers
Note: A Client ID looks like the following example: 1234567890-abc123def456.apps.googleusercontent.com
- Control which apps access Google Workspace data | Google Workspace Help
View information about the app - Shows the full OAuth2 client ID of the app, the number of users, the privacy policy, and the support information.