Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?
This is your opportunity to ask questions. No question too simple or too silly.
Culture war topics are accepted, and proposals for a better intro post are appreciated.
Jump in the discussion.
No email address required.
Notes -
There are probably some Auth based exploits if it's really targeted. For a system I work with for a number of reasons we have approvals handled as links in an email so when a user clicks the link it opens a page on our site that uses windows Auth to identify them and takes an identifier from the link to decide which deal they're approving. An attack vector could be someone trying to get something approved that shouldn't by sending someone with approval rights a doctored link.
With oauth there are also a whole lot of other posisbel vectors if you can get the target to also click some accept on a Google dialogue after opening the link.
The oauth angle cannot be overstated. Even CTOs can fall for it. PageFair was hacked this way a few years ago.
My employer has a whole bunch of intranet tooling all tied to my corporate gmail account. Every now and then I get randomly signed out so I have to click the right account and proceed, sighing and paying little attention. If you presented me with a doctored link that duplicated the google account login popup, I would probably fall for it.
More options
Context Copy link
More options
Context Copy link