WeChat ID
aaronpk_tv
Thursday, March 2, 2023
| bicycle |
35 min
|
|
7.5 miles
|
bicycle |
-
-
Charlotte Brandhorst-Satzkorn
https://inuh.net/@catzkorn
•
Mar 2
Ever wanted to use your own choice of OIDC IdP with @tailscale? I'm looking for private alpha testers - new and existing users welcome. DM me!
I would love to check this out actually, I'm working on some documentation to help companies like Tailscale adopt features exactly like this!
I don't have a way to DM you on mastodon but you can email me! https://aaronparecki.com/contact/ -
another day, another account takeover caused by an open redirector and the OAuth Implicit flow 🫠
https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com -
Yep! This is exactly the kind of thing PKCE prevents! With PKCE, even if the open redirect were in place, the attacker wouldn't have been able to do anything with the stolen authorization code.
Although now I'm thinking this through and if the open redirects are really open enough, you could probably still pull something off even while using PKCE. -
Brandon Trebitowski
https://brandontreb.com
•
Mar 3
True, but it would be tricky.
Wouldn’t the attacker have find a way to extract the
code_verifierfrom local storage and pass it along with the hijacked redirect?They would have to somehow have the ability to write custom js code on the path they are redirecting to. I guess this is possible on sites that don’t sanitize user inputs.
I was thinking the attacker makes up their *own* `code_verifier` and injects that into the first open redirect
