OAuth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋

Portland, Oregon
Joined April 2008
Yet another reason why Token Exchange is dangerous 🤯😱 "Bing is allowed to issue Office tokens for any logged-on user"
Replying to @hillai
When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!
Replying to @simonw
I hope it's better now, but a while ago I was asking it OAuth questions and it was hallucinating all sorts of ridiculous things about it.
Replying to @aaronpk @tomcoates
Ugh, don't know why that first link failed. Try this: nitter.vloup.ch/search?q=filter%…
Replying to @tomcoates
nitter.vloup.ch/search?q=filter:… -filter:verified filter:blue_verified Also hi from Yokohama 👋
First #ietf116 session of the day is #OAuth complete with custom SD-JWT t-shirts 😂 @kristinayasuda @dfett42
Well that's a sentence I never thought could exist. "A request for comment from Twitter’s press office was met with an automated reply containing a poo emoji, a new policy announced by Musk this month."
🤯 I had to go into advanced settings and turn on "timezone override" before that option was available but that's exactly what I wanted! Thanks!
So actually Fantastical is my main calendar on Mac and iOS, and all I can figure out is showing the second timezone on the right side of the view and showing the time zones in an event. But I want to quickly switch the entire calendar back and forth.
Replying to @bcomnes
This is promising. On iOS you have to dig in to the settings app to change it though.
Replying to @OR13b
I know a few apps have dual timezone support, which works fine for small differences like west coast/east coast, but doesn't work well once you're crossing the date line.
Feature request for all calendar apps: Let me temporarily switch my calendar into a different timezone so I can better plan events in my home timezone when I am traveling. This is why I was using a paper planner in 2019.
Ultimately the problem is running apps from the attacker. A ChromeBook (or an iPad) is a great way to not have to worry about that. The malware could also be possible on a Mac, so for either Mac/Windows, just be careful to never open attachments outside the browser.
I just woke up to this news and I 100% agree this is the same thing that's been happening to others. Just because Google has added additional protection measures doesn't mean they have prevented 100% of cases. There is also almost no other way this scale of attack can happen.
Tokyo at night. First edit from last night's photo walk around Shinjuku. Shot on LUMIX GH5II, edited in Lightroom.
Yeah!! This plane was just delivered in November!
wow, they're really going for the retro 70s vibe with the new @AlaskaAir Horizon planes!
Replying to @MrAlexTech
Take the win! But also, does he really edit his own videos still? I would have assumed he had hired that out long ago by now.
Replying to @Mappletons
Yeah, I think the idea is to clone articles on popular topics from major news sites, and send them all pingbacks to get the back-links to boost the ranking of the spam site. SEO can DIAF.
Replying to @Mappletons
Also, fwiw, that kind of spam usually comes in via pingback, so you can just not include the pingback tag to webmention.io and accept only webmentions instead.
Replying to @Mappletons
What's very weird about those two examples is that both websites are now something totally different and those blog posts are gone. I think it's part of an SEO scam game of some sort.