#security #hack #OAuth
Dylan from truffleSecurity talks about a simple hole (it seems a bit loud to call it a vulnerability) that allows users of companies that use #Google authorization in services like Slack or Zoom to continue to have access even after being fired and having their access removed.
The hole is that such services use email as the user ID. But, obviously, you can create several different email addresses that receive the same emails (e.g. by adding words after "+"):
https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/
Dylan from truffleSecurity talks about a simple hole (it seems a bit loud to call it a vulnerability) that allows users of companies that use #Google authorization in services like Slack or Zoom to continue to have access even after being fired and having their access removed.
The hole is that such services use email as the user ID. But, obviously, you can create several different email addresses that receive the same emails (e.g. by adding words after "+"):
https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/
Trufflesecurity
Google OAuth is Broken (Sort Of) ◆ Truffle Security Co.
Today I’m publicizing a Google OAuth vulnerability that allows employees at companies to retain indefinite access to applications like Slack and Zoom, after they’re off-boarded and removed from their company’s Google organization. The vulnerability is easy…
👏1👨💻1
#security #hack #2023
Compilation of the biggest cyberattacks of the past year:
https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2023/
Compilation of the biggest cyberattacks of the past year:
https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2023/
BleepingComputer
The biggest cybersecurity and cyberattack stories of 2023
2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.
👌1
#security #CVE #GitLab
The most critical security issue GitLab patched has the maximum severity score (10 out of 10) and is being tracked as CVE-2023-7028. Successful exploitation does not require any interaction.
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/
The most critical security issue GitLab patched has the maximum severity score (10 out of 10) and is being tracked as CVE-2023-7028. Successful exploitation does not require any interaction.
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/
BleepingComputer
GitLab warns of critical zero-click account hijacking vulnerability
GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.
😱2🔥1👀1
✍1👎1👏1🤔1
Forwarded from Информация опасносте
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. As part of our ongoing commitment to responsible transparency as recently affirmed in our Secure Future Initiative (SFI), we are sharing this update.
https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
🤯2🔥1
Forwarded from 🇺🇦 automation-remarks.com
The CODS Model:
- Control
- Observability
- Decomposability
- Simplicity
- Control
- Observability
- Decomposability
- Simplicity
👏1🤔1👌1
#password #way
Oh, someone at one time said the right and obvious thing. But as usual, they were not heard (how annoying are these requirements for frequent changes, often also on services that limit the length, like, less than 12 characters, and do not allow special characters 🤬):
https://tidbits.com/2022/03/03/never-change-your-password/
Oh, someone at one time said the right and obvious thing. But as usual, they were not heard (how annoying are these requirements for frequent changes, often also on services that limit the length, like, less than 12 characters, and do not allow special characters 🤬):
https://tidbits.com/2022/03/03/never-change-your-password/
TidBITS
Never Change Your Password
Many websites advise you to change your password routinely. That advice is nearly universally wrong: you should only update a password when there’s a weakness. Why does it persist?
👍2💯2🤔1