Matt Johansen
Dec 16, 7 tweets
A vulnerability in the way Google implements OAuth was disclosed publicly today and is still not fixed.

It can let employees retain indefinite access to applications like Slack and Zoom after they're offboarded.

Let's dig in:
Here’s a timeline of events:

August 4th - Disclosure to Google

August 7th - The issue was triaged

October 5th - Google paid $1337

November 25th - Bulk private disclosure to dozens of impacted applications

December 16th - Public disclosure, 134 days after notifying Google
The crux of the bug:

You can create Google accounts off of corporate Google organization, via email aliases, and email plus sign forwarding.

youremail+anystringhere@anydomain.com will be forwarded to youremail@anydomain.com's inbox.
Remediation guidance if you're an org using Google Workspace:

Disable login with Google and strictly enforce SAML
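One defender-side check that follows from the remediation above, added here as an example and not code from the thread or from Truffle Security: reconcile each app's "Sign in with Google" identities against the Workspace directory after collapsing plus-tag aliases, so logins that no longer map to an active employee, or that came in through an alias, surface for review. The domain, directory and login events are constructed sample data.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample data (not from the post): the org's currently active
# Workspace users and a few "Sign in with Google" events seen by two apps.
ORG_DOMAIN = "corp.example"
ACTIVE_USERS = {"alice@corp.example", "bob@corp.example"}
LOGIN_EVENTS = [
    {"app": "slack", "email": "alice@corp.example"},
    {"app": "zoom", "email": "Bob+zoom@corp.example"},        # alias of an active user
    {"app": "slack", "email": "carol+keepme@corp.example"},   # carol was offboarded
    {"app": "zoom", "email": "dave@corp.example"},            # dave was offboarded
    {"app": "slack", "email": "eve@other.example"},           # not our domain, ignored
]

def canonicalize(email: str) -> str:
    """Lower-case the address and drop a '+tag' from the local part, since
    mail to user+tag@domain lands in user@domain's inbox."""
    local, _, domain = email.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def audit_logins(events: Iterable[Dict[str, str]],
                 active_users: Set[str], org_domain: str) -> List[Dict[str, str]]:
    """Return one finding per login whose identity does not map to an
    active directory user, or that used a plus-tag alias of one."""
    findings = []
    for ev in events:
        raw = ev["email"]
        canon = canonicalize(raw)
        if not canon.endswith("@" + org_domain):
            continue  # external identity; out of scope for this reconciliation
        if canon not in active_users:
            reason = "no active user for canonical address"
        elif raw.lower() != canon:
            reason = "plus-tag alias used instead of primary address"
        else:
            continue
        findings.append({"app": ev["app"], "login_email": raw,
                         "canonical": canon, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_logins(LOGIN_EVENTS, ACTIVE_USERS, ORG_DOMAIN):
        print(f"{f['app']:5} {f['login_email']:28} -> {f['canonical']:20} {f['reason']}")
```

Feed it the real app's user export and the directory's active-user list; anything flagged is a candidate for deprovisioning in the app itself, since revoking the Google account alone does not help when the app identity was never tied to a managed account.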
To read suggestions on how Google can help fix this, or if you're a company that lets your customers login with Google and you'd like to know your options:

Read the full writeup here - trufflesecurity.com/blog/google-oa…
Kudos to @InsecureNature and the @trufflesec team on this one - it's a pretty cool bug!
@InsecureNature @trufflesec You know the drill.

7,300+ folks trust me to send them news like this every Friday for free:

vulnu.mattjay.com
