Aaron Parecki

#security

• 

  Yet another reason why Token Exchange is dangerous 🤯😱
  
  "Bing is allowed to issue Office tokens for any logged-on user"
  
  https://twitter.com/hillai/status/1641146523990753290

  神奈川県, JPN

  13 likes 4 replies 1 mention

  Thu, Mar 30, 2023 9:54am +09:00 #security #oauth
• 

  another day, another account takeover caused by an open redirector and the OAuth Implicit flow 🫠
  
  https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com

  Portland, Oregon • 40°F

  14 likes 4 reposts 1 reply

  Thu, Mar 2, 2023 10:16am -08:00 #oauth #security
• Let's build a Chrome extension that steals everything (mattfrisbie.substack.com)

  Fri, Feb 24, 2023 9:58am -08:00 #security
• 

  I'm a big fan of using more secure two-factor authentication methods like a security key or TouchID, but I will admit I never expected charging people to use SMS would be a viable strategy to get them off it 😅 https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter

  Portland, Oregon, USA • 43°F

  46 likes 6 reposts 12 replies

  Fri, Feb 17, 2023 9:26pm -08:00 #security #2fa #mfa #twitter
• Hacking into Toyota’s global supplier management network (eaton-works.com)

  Mon, Feb 13, 2023 12:39pm -08:00 #security
• Things You Should Do Now (secure.phabricator.com)

  Thu, Feb 9, 2023 4:17pm -08:00 #security #software
• 

  I've given many talks about how mobile apps can't be deployed with a secret, and using Twitter's 2013 "hacks" as an example. I'm just going to leave this completely unrelated string of random characters here for no particular reason
  
  GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU

  Portland, Oregon, USA • 43°F

  100 likes 52 reposts 10 replies

  Thu, Feb 2, 2023 8:12pm -08:00 #twitter #oauth #security
• Cory Foy https://mstdn.social/@cory_foy

  With all the hubbub around password managers today I’m so grateful for the foresight my mother had when she was younger changing her maiden name to a randomly generated 18 character word that resets itself every 30 days. #InfoSec #Security #LastPass

  Portland, Oregon • 19°F

  Fri, Dec 23, 2022 3:26am +00:00 (liked on Thu, Dec 22, 2022 8:07pm -08:00) #Lastpass #Security #InfoSec
• 

  Remember folks, "token exchange" does *not* mean "let me exchange a customer ID for a token"!
  
  Good thread on how remotely connected Honda, Nissan, Infiniti, and Acura cars were all able to be remotely controlled knowing only the VIN.
  
  https://twitter.com/samwcyo/status/1597792145691246593

  Portland, Oregon, USA • 38°F

  20 likes 10 reposts 3 replies 1 mention

  Thu, Dec 1, 2022 11:36am -08:00 #security
• 1Password passkeys demo shows you the passwordless future (9to5mac.com)

  Thu, Nov 17, 2022 6:31pm -08:00 #passkeys #passwordless #security
• 

  This is your scheduled periodic reminder, for no particular reason, that now is a good time to review the third party OAuth apps that have access to your Twitter account, and remove any that you don't recognize or haven't used in a while.
  
  ➡ https://twitter.com/settings/connected_apps

  Portland, Oregon, USA • 43°F

  47 likes 20 reposts 5 replies

  Tue, Nov 15, 2022 6:36pm -08:00 #oauth #twitter #security
• 

  What could possibly go wrong? https://twitter.com/racheltobac/status/1588367452043235328

  Seattle, Washington, USA • 41°F

  26 likes 13 reposts 1 reply

  Thu, Nov 3, 2022 8:16pm -07:00 #twitter #security
• A Yubico FAQ about passkeys - Yubico (www.yubico.com)

  Wed, Aug 17, 2022 2:30pm -07:00 #yubikey #authentication #security #fido #passkey
• Let websites framebust out of native apps | Holovaty.com (www.holovaty.com)

  Sun, Aug 14, 2022 6:20am -07:00 #apps #security #oauth
• 

  Made a new illustration to use in my slide decks.
  
  I often talk about choosing where on the security vs usability dial you want your systems to be, so I figured it was time to have a visual for that.

  

  Houston, Texas, USA • 100°F

  20 likes 10 replies

  Tue, Jul 19, 2022 4:51pm -05:00 #security #oauth
• Camplayer (www.rpi-camplayer.com)

  Tue, Jun 28, 2022 3:12pm -07:00 #raspi #raspberrypi #camera #security #video
• 

  Do I know anyone who knows the right malware analysis tools to determine whether an app accesses any files on the computer or what remote servers it connects to? I want to know more about what this particularly well targeted malware is trying to do.

  Portland, Oregon • 78°F

  13 likes 4 reposts 10 replies 1 mention

  Thu, Jun 2, 2022 5:45pm -07:00 #security #malware
• 

  After some great presentations and discussions at the OAuth Security Workshop and European Identity and Cloud Conference, I wrote up some of my thoughts on OAuth and native app impersonation #eic2022 #osw #oauth
  
  https://developer.okta.com/blog/2022/06/01/oauth-public-client-identity

  Portland, Oregon • 65°F

  22 likes 13 reposts 1 reply

  Wed, Jun 1, 2022 10:46am -07:00 #oauth #security #eic2022 #osw
• 

  Sad but true thread on the state of corporate security https://twitter.com/crdudeyoutube/status/1529994566115348485

  Portland, Oregon, USA • 54°F

  4 likes 2 reposts 1 reply

  Fri, May 27, 2022 6:05am -07:00 #security
• 

  There's nothing like being at #EIC2022, a conference all about identity and security, where phishing and hacking have been a major theme across all the talks, and then getting a "is this you?" push on my phone from an IP on a sketchy VPN followed by a password reset email

  Berlin, Berlin • 60°F

  24 likes 3 reposts 5 replies

  Thu, May 12, 2022 10:10am +02:00 #security #eic #mfa #eic2022