Collaborate Disseminate
Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. Abusing OAuth applications OAuth is an open standard authentication protocol that uses tokens to grant app… Continue reading Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns
I am trying to ascertain if Google Cloud Pub/Sub supports OAuth 2.0 with Mutual TLS (mTLS). Despite conducting an internet search, I couldn’t find any pertinent information regarding mTLS support (it currently only supports OAuth 2.0). Doe… Continue reading Mtls in Google Cloud pub/sub oauth 2.0
I’ve read some blogs and did some labs regarding OAuth’s implicit flow,
but it seems to me everyone just turn a blind eye to a very critical point in the flow.
Assuming that site A uses the implicit flow for authentication,
it will redirec… Continue reading Isn’t there a critical built-in vulnerability in OAuth’s Implicit flow?
We’ve talked a few times here about the issues with the CVSS system. We’ve seen CVE farming, where a moderate issue, or even a non-issue, gets assigned a ridiculously high …read more Continue reading This Week in Security: CVSS 4, OAuth, and ActiveMQ
Considering an attacker may be able to leverage the information gathered from standard endpoints/configuration files such as /.well-known/oauth-authorization-server and /.well-known/openid-configuration, is it considered best practice to n… Continue reading Should standard OAuth endpoints/configuration files be kept private?
By Deeba Ahmed
The critical API security flaws in the social sign-in and OAuth (Open Authentication) implementations affected high-profile companies like…
This is a post from HackRead.com Read the original post: Social Login Flaws in Popular Webs… Continue reading Social Login Flaws in Popular Websites Risked Billions of User Accounts
During a pentest I have found a JWT that seems to be a refresh-token issued by some IAM software.
The scope field in the JWT lists all the applications as URLs that this token can be used to obtain access tokens for.
From an attacker persp… Continue reading URLs in JWT scope
What alternatives for authentication and authorization technologies besides OAuth, SAML, OpenID Connect, and WebAuthn can be used for cloud apps?
I am currently writing my thesis and would like to look into the future and see if there are … Continue reading alternatives for OAuth, SAML, OpenID Connect, and WebAuthn [closed]
I’m going off of this answer, but asking a new question since that’s quite old.
It seems to be becoming more common for banks or other "legitimate" institutions to want your banking username and password in order to verify accoun… Continue reading Why don’t bank verification services use OAuth
Implement a Zero Trust security model with confidence with these best practices and tool suggestions to secure your organization. Continue reading How To Implement Zero Trust: Best Practices and Guidelines