netsec

SzethFriendOfNimi , in Decoding ScamClub’s Malicious VAST Attack

Misread that as ScamSchool at first and I was like what did Brian Bushwood do?

Jean_Lurk_Picard , in Behind the doors of a Chinese hacking company, a sordid culture fuelled by influence, alcohol and sex

Great article.

ramble81 , in Bypassing CSP with Form Hijacking

And that’s why you make sure you have sanitization checks on the backend too. The front end should just provide your users with quicker feedback and save on network traffic. The backend should prevent anything from actually being executed that shouldn’t. That way it doesn’t matter how it gets submitted. Same if you were to have a UI and API. The API may get inputs outside of a UI, so you should have your checks there.

agent_flounder , in APT29 adopts new TTPs, according to a bunch of agencies

Interesting. I saw articles earlier about Russian hackers turning their focus to the cloud. Not as much detail as this provides, of course

morras , in Python Risk Identification Tool for generative AI (PyRIT)

Damn...
I'm a Linux user that basically hates the MS way of life, but I must admit that they are taking AI seriously AND share their tools. So kudos, please continue !

I shamelessly reused the AI assessment template at work and this RIT will be pushed to some colleagues.

joranvar , in scanme vs nmap

I would guess this would link to https://github.com/CyberRoute/scanme maybe. Or a comparison document with nmap?

CombatWombatEsq , in Deceptive Deprecation: The Truth About npm Deprecated Packages

lol, I would totally archive and deprecate like 80% of my node modules if I got a CVE without a second thought.

BradleyUffner , in As if you needed another reason not to ever use SSO to your Google account for anything

If this were an actual flaw, it would completely break all of OAuth everywhere. How likely do you think it is that the entire security industry, and all hackers everywhere, would have overlooked something like this?

mozz OP Admin ,

Can I set up a web site and ask you to go do your Google SSO on it? I promise it's legit

BradleyUffner ,

I'll take a look at your site, I'm curious to see what it looks like, but I'm not entering any real credentials.

mozz OP Admin ,

I thought you were extremely confident that what I was describing wouldn't work though 🙂

BradleyUffner ,

I'm confident there will be some sign that it's a forged OAuth prompt rather than Google's prompt, and I'm not entering credentials into an obviously fake prompt.

mozz OP Admin ,

Well, that's lucky, because I don't want to sign up for OAuth tokens with Google and then immediately start doing something nefarious with them just to prove a point. 🙂

I looked around a little though, and I was able to find an example of this technique being used for real maliciously "in the wild." My envisioning of it was somewhat different (overriding or obfuscating the URL bar in a real window showing malicious HTML, as opposed to constructing an entire fake window), but the principle's pretty much exactly the same.

I also learned that Google's response, after some not-real-similar attacks which also exploited doing nasty things with real OAuth vendor credentials, was to tighten up a lot on their security on who can have OAuth vendor credentials (which sounds like a pretty sensible approach to me.)

RedditWanderer , in As if you needed another reason not to ever use SSO to your Google account for anything

Companies will include an image of your choosing when you enter your credentials to know it's really the host, and that can't be faked really. Obviously people don't notice and a fake website is often enough, but there is a mechanism.

mozz OP Admin ,

  1. Google OAuth currently doesn't do that
  2. We're doing man-in-the-middle under my proposed scenario anyway (we have to, to defeat 2FA and get a real OAuth token.) It's trivial to show the user the Google-provided image of the user's choosing.

taladar , in Access Controls: ABAC vs RBAC

This seems like the kind of system that might be quite useful in extremely large organizations but is total overkill for any organisation that doesn't have dozens of departments, locations in different countries,...

In general, the flawed access control systems I have seen in the past have almost always been too convoluted and complicated compared to what a few years of use showed would have been actually needed.

taladar , in Scame

You missed an n in the title.

ramble81 , in Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings

Is this what Boeing is gonna blame the door plug on?

baggins , in Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings

Pneumatic?

Grimy , in Breaking the Flash Encryption Feature of Espressif’s Parts

Love the cartridge board design he uses. Cool article.

gravitas_deficiency , in AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation – Sysdig

It looks like this whole thing depends on targets not having their IAM policies locked down correctly, which is one of the foundational security aspects any good cloud devops engineer should be familiar with.
