The Accidental Discovery of a New Vulnerability in Google's OAuth Implementation

The Accidental Discovery of a New Vulnerability in Google's OAuth Implementation

37.943 Lượt nghe
The Accidental Discovery of a New Vulnerability in Google's OAuth Implementation
Beware, dear friends, the cautionary tale of the cloud provider that broke its own security model. Ignoring RFCs! Putting plaintext passwords in scripts - and printing them in books! It's a crazy story, but one that may nonetheless resonate with enterprise security practitioners everywhere. In early 2021, I identified a client impersonation vulnerability in a series of Google "first-party" applications. This vulnerability allows an attacker to present themselves both to a user and to Google as one of these applications, and enjoy all the privileges therein.... By: Brian Smith-Sweeney Full Abstract and Presentation Materials: https://www.blackhat.com/us-23/briefings/schedule/#first-party-problems-in-a-zero-trust-world-the-accidental-discovery-of-a-new-vulnerability-in-googles-oauth-implementation-32992