Risky Business #777 -- It's SonicWall's turn - Risky Business

Summary6 min read

Risky Business #777: It's SonicWall's Turn
Released on January 29, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor: Push Security

1. Introduction and Corrections ([00:03] - [02:40])

Patrick Gray opens the episode with a correction regarding the availability of the TikTok app in the Apple and Android stores, clarifying misinformation from the previous week. He also shares feedback from a listener about potential cyber escalations between the United States and China, emphasizing the unpreparedness for such events.

2. SonicWall Vulnerability ([02:40] - [04:43])

The hosts delve into a critical security issue involving SonicWall devices. A CVSS 9.8 vulnerability is discovered, allowing unauthorized code execution across various SonicWall versions. Patrick suspects a Chinese APT group is exploiting this flaw, likening the attack to building a network of orbs.

Adam Boileau ([02:50]): "This is yeah, straight up unauthorized code execution which not really what you want in a security appliance..."

Patrick and Adam discuss the improbability of such a high-severity vulnerability in modern systems, citing the resilience against deserialization attacks today.

3. MasterCard DNS Misconfiguration ([04:43] - [08:35])

A significant DNS typo by MasterCard leads to one of their name servers pointing to an unregistered domain in Nigeria. This misconfiguration allows interception of traffic, potentially enabling hijacking of sensitive information.

Patrick Gray ([06:14]): "They got shafted on the bug bounty here too... Mastercard said that this wasn't a risk to their systems, which I don't know what they're smoking, to be honest."

The discussion highlights the critical nature of DNS configurations and the broader implications of such vulnerabilities in large organizations.

4. Data Consolidation and PowerSchool Breach ([08:35] - [13:28])

Patrick shifts focus to the alarming data breach at PowerSchool, a widely used school management software. With 60 million records compromised, the breach underscores the risks of centralized data repositories, especially in sensitive sectors like education and healthcare.

Adam Boileau ([12:26]): "Disciplinary notes... that's going to be in there. And then data leaked..."

The conversation extends to the challenges of securing specialized cloud services and the potential fallout from such extensive data breaches.

5. Deep Seq AI Model and Nvidia Impact ([13:28] - [15:02])

The hosts discuss the release of Deep Seq, an open-source AI model from a Chinese group. Its efficiency and low development costs have caused market disruptions, including a 17% collapse in Nvidia’s share price. The surge in signups led to service abuses, prompting restrictions to Chinese users.

Patrick Gray ([14:43]): "It's amazing academic work. But on the other hand, I don't know that I'm super worried about it."

6. False Flag Threats: Gamma Copy ([15:02] - [17:27])

A report from Dorina Antoniouk suggests the existence of a group falsely flagging their activities as Gammaren, dubbed Gamma Copy. The hosts debate the credibility of these allegations, with Adam leaning towards the notion that it's more about trolling than actual false-flagging.

Adam Boileau ([17:07]): "It feels less false flag and more like, why not just use Russian TDPs... feels like trolling."

7. Undersea Cables and Potential Attacks ([17:27] - [21:20])

Alexander Martin's reports on multiple undersea cable cuts raise concerns about potential state-sponsored attacks. The hosts compare this to the uncertain narratives surrounding the Havana syndrome, stressing the need for organizations to develop contingencies for such disruptions.

Patrick Gray ([20:05]): "Threat intelligence, we are not maritime experts."

They discuss the complexity and high cost of protecting undersea infrastructure, especially for island nations like Australia and New Zealand.

8. Side Channel Attacks on Apple Chips ([21:20] - [31:28])

Academic research from the University of Georgia reveals side channel vulnerabilities in Apple's M and A series CPUs. These flaws allow memory leakage between browser tabs in Safari and Chrome, posing significant privacy risks.

Adam Boileau ([27:04]): "They are able to leak memory from other browser tabs."

While acknowledging the ingenuity of the research, the hosts express skepticism about the immediate practical exploitation of these vulnerabilities in the wild.

9. Femex Crypto Theft ([31:28] - [25:27])

A startling incident involves the theft of $69 million from the crypto platform Femex. Comparing it to previous high-value crypto breaches, Adam notes the increasing trend of significant financial losses in the cryptocurrency space.

Patrick Gray ([24:30]): "It’s just amazing, man. It’s been like, what, two or three years of just one of these."

10. Legal News: Breach Forum Admin Sentence ([25:27] - [27:04])

The sentencing of Breach Forum's admin, Connor Fitzpatrick, received attention. Despite the severity of his actions, he was sentenced to 17 days time served, which the hosts find perplexing and indicative of potential judicial leniency.

Patrick Gray ([25:40]): "It's rare to see judges accept that their colleagues have erred."

11. API Security Research: McDonald's India API Vulnerability ([27:04] - [34:06])

EatonWorks uncovers several vulnerabilities in McDonald's API in India, allowing malicious actors to manipulate orders and access sensitive customer data. The research is praised for its thoroughness and engaging presentation, emphasizing the importance of robust API security.

Adam Boileau ([33:20]): "The bugs are legit too... it's just a fun read."

12. Reverting to C in Programming ([34:06] - [35:16])

In a surprising turn, the White House removes its memo advocating for memory-safe languages, leading to a resurgence of the C programming language. The hosts humorously debate the implications of this shift.

Patrick Gray ([34:22]): "The White House has deleted its memo on using memory safe languages because we don't want any of that Woke Rust stuff in our code."

13. Sponsor Interview: Push Security on Cross IDP Impersonation ([35:16] - [47:37])

In an exclusive interview with Luke Jennings from Push Security, the discussion focuses on cross-Identity Provider (IDP) impersonation attacks. Employees inadvertently register personal Google accounts using their corporate emails, enabling unauthorized access to SaaS applications.

Luke Jennings ([42:12]): "It's like a certain percentage of your users have all registered personal Google accounts with their corporate emails and they're using those to log into other downstream SaaS apps."

Patrick and Adam explore mitigation strategies, including domain claiming on IDPs and configuring SaaS applications to restrict authentication methods. The conversation underscores the complexity and necessity of securing federated authentication systems.

Patrick Gray ([45:10]): "The main thing though, the takeaway from this conversation is that because most of this oauth is Apple, Google, Microsoft, like it doesn't take a whole bunch to seal this off as a viable attack path for, for, for people out there."

14. Closing Remarks ([47:37] - [51:11])

Patrick wraps up the episode by mentioning job opportunities with Trail of Bits and Push Security. He also thanks Luke Jennings for his insights into cross IDP impersonation.

Patrick Gray ([50:28]): "Luke Jennings, thank you so much for joining me to talk about cross IDP impersonation. Very interesting stuff, my friend."

The hosts hint at upcoming segments and collaborations, ensuring listeners stay tuned for future episodes of Risky Business.

Notable Quotes:

Patrick Gray ([06:14]): "They got shafted on the bug bounty here too... Mastercard said that this wasn't a risk to their systems, which I don't know what they're smoking, to be honest."
Adam Boileau ([27:04]): "They are able to leak memory from other browser tabs."
Luke Jennings ([42:12]): "It's like a certain percentage of your users have all registered personal Google accounts with their corporate emails and they're using those to log into other downstream SaaS apps."
Patrick Gray ([34:22]): "The White House has deleted its memo on using memory safe languages because we don't want any of that Woke Rust stuff in our code."

This episode of Risky Business offers a comprehensive dive into current cybersecurity threats, vulnerabilities, and the evolving landscape of data security. From critical device exploits and massive data breaches to innovative security research and authentication challenges, Patrick Gray and Adam Boileau provide invaluable insights for information security professionals.

Loading summary

Transcript128 lines

[00:03]
Patrick Gray
Hi everyone and welcome to another episode of Risky Business. My name is Patrick Gray and for those of you joining us on YouTube, as you can see, sitting next to me is Mr. Adam Boileau who is visiting the, the beautiful northern rivers from New Zealand to record this week's show. We're doing a bit of work, hanging out, you know, having, having some good times and yeah, we've got a great show for you as always. This week's show is brought to you by Push Security. They make a really interesting sort of browser plugin based identity security product and they found some wacky stuff in their customer environments. So we're going to be talking to Mr. Luke Jennings from Push a little bit later about that. And what we're really talking about is cross IDP impersonation where someone takes their corporate email account registers a say Google account with that email address and because these things aren't domain validated these days, they can start logging into SaaS apps as if they're that corporate user. And you know, this is something they've seen people doing non maliciously in the wild. Pretty freaky deaky. We're going to talk about that later. But Adam, let's get into the news. Although first up let's get into some corrections. Last week I said that the TikTok app was still available in the Apple and Android store. It turned out that was wrong. So, so I think it was Akamai and Oracle was still keeping TikTok ticking over, but I didn't actually mean for that pun to land. Yeah, they were keeping it ticking over but they were young from the store and I think I got a bit confused because I was talking to someone in the US and at that stage the, you know, very early on the apps hadn't disappeared just yet. So that's something I wanted to correct. Also got some really interesting feedback from a listener who works in industrial control system security in the United States who pointed out that if things were to escalate in the cyber domain between the United States and China, which is something we spoke about last week, that could get pretty messy pretty quick. The general gist of what this listener said to me is we're not ready for that. Oh yeah, yeah. Just a couple of interesting follow ups from last week. But let's start off, you know, another week, another disaster with an edge device. This time at Sonicwall there is a, what is it, a CVSS 9.8 which is, you know, usually you just ask a box to give you a shell when it's that serious and it Does, Yeah. So a CVSS 9.8 under active exploitation hitting a whole bunch of different versions of Sonic wall devices. And to me this one smells like a Chinese apt crew going and building a network of orbs. Right, like that's just what this one feels like.
[02:40]
Adam Boileau
Yeah, I mean, because why wouldn't you? If you've got codexec in a whole bunch of edge devices, what more could you possib? I think this was a deserialization flaw in the management interface. So like the port 8443 I think it is in Sonicwall's case. So yeah, if you have that on the Internet, this is yeah, straight up unauthorized code execution which not really what you want in a security appliance and we have seen sonic wall bugs abused by ransomware crews in the past, but everybody's gonna be all in all of the Sonic Walls doing whatever they fancy. Be it orb, be it. Yeah, ransomware.
[03:18]
Patrick Gray
Now over at Brandy the other night we actually talked about this one because sadly we still talk about this stuff just when we're hanging out. But you know, you gave me some interesting history on deserialization attacks where really this sort of thing shouldn't work these days. Like to the point where it gets, I mean we don't precisely know the mechanical, like there's no POC for this. Right.
[03:42]
Adam Boileau
I haven't seen one and I don't know what tech stack, the Sonic wall, web, web, admin interfaces, because like Java and NET are the common ones for deserialization, but php, Python all have similar things. We don't know what. I haven't looked at the garbins of a Sonic wall in a while.
[03:56]
Patrick Gray
But the point is even contemporary deserialization attacks, they don't allow you just to fire off something that gets you instashell. Right. So there's something funny going on here. Probably feels like old Java maybe, something like that.
[04:11]
Adam Boileau
Whatever it is, it's likely to be old rubbish because the kind of the gadgets that you use to trigger deserialization and to make it do attacker controlled things, those are usually in common libraries, in the standard library or in common libraries and they get kind of patched out relatively quick once they get used. Now Sonic wars interfaces could well be very, very old and they may be vulnerable to ancient old stuff. But yeah, deserialization can be fiddly. But once you've found a gadget that works for the particular thing you're hitting, then it's CVSS 9.8. Good times.
[04:44]
Patrick Gray
Yeah, yeah. I guess my point was more that like this, you shouldn't have a CVSS 9.8 deserialization bug in 2025, you know, so yeah, the people who maintain the tech stacks that are targeted with deserialization, you know, attacks like they have made it harder. It shouldn't be this easy, I guess is my point. Now we're going to talk about a Creb's piece here, which is. Yeah, I mean, is this huge news? I don't know, but it's comedy. It's definitely suitable as comedy. So MasterCard, when they delegated their domain name servers in their domain registration or whatever, there's like seven name servers there and they're Akamai customers. So you've got like a one29akam.net, so on and so forth. And one of them is a 2265 akam.net. so they typoed it. So one of their five name servers pointed to an unregistered domain in Nigeria, which, you know, and the funny thing is like if you typo like a DNS record with something like this, you're going to notice because people are going to be like, you know, there's typos are going to break stuff. This doesn't, because, you know, DNS is pretty resilient. So. So someone found this, registered the domain and holy moly, did they see a whole bunch of traffic.
[06:06]
Adam Boileau
Basically 300 bucks to hijack MasterCard's DNS, which is. That's some value for money right there. So good job to whoever did that.
[06:15]
Patrick Gray
They got shafted on the bug bounty here too. I mean, they didn't even submit it through bugcrowd, but because they were registered with bugcrowd, bugcrowd started sending them emails saying that they should take it down to be professional or whatever. And they weren't following good disclosure practices. Like this is kind of the ugly side of Corp bug bounties where it's about kind of hushing things up. Yeah, like that's just. Yeah, that's just, that's no bueno. But also mastercard said that this wasn't a risk to their systems, which I don't know what they're smoking, to be honest.
[06:47]
Luke Jennings
Yeah.
[06:47]
Patrick Gray
Because I mean, you know, why don't you walk us through some of the things you can do once you're able to, you know, answer these sort of queries. Because it's a lot.
[06:55]
Adam Boileau
Yeah, I mean, you know, everything is glued out of DNS these days and in particular TLS certificates is the main one. But getting into a position where you can intercept email, you Know, forwards responses to DNS requests. And because they've got a bunch of name servers, you're kind of into slightly probabilistic attacks where some percentage of name server requests might end up going through the path that you control. But for something like MasterCard, that's going to be a lot. And you've got some good options and things like certificate transparency help us to detect when things like misconfigured DNS are used to then carry out certificate registration and so on. But you've just got a whole bunch of great options. And if they're Windows on, on the inside, you've got options for attacking internal domains infrastructure using Internet domain names. So there's just a whole heap of stuff. And I think it's. Yeah, they're kind of playing down the potential here because it suits them.
[07:50]
Patrick Gray
I mean, you could even theoretically do like a web proxy order discovery like wpad.mastercard.com and Robert's your mother's brother.
[07:59]
Adam Boileau
Yes, you've certainly got great options. And in the past, in my pentesting life, we did register domain names that were glued to people's Windows infrastructure and then lead onwards to, in some cases, victory and in some cases accidental denial of service, which is not great. So bad times either way.
[08:16]
Patrick Gray
I remember once having a coffee, this is quite a long time ago, with a mate of ours who, his first week on a new gig, got sent into a bank and he just did a port scan of that floor, but he like took out some D link that they were using, you know, and all of a sudden everyone's running around with their hair on fire. It wasn't a good first day.
[08:36]
Adam Boileau
Yeah, we've all been there and done that.
[08:38]
Patrick Gray
I know I have, but it was a fairly gentle scan and what were they doing using that? But it's, you know, that's, you know, it's still your problem if you're the.
[08:45]
Adam Boileau
One who takes it. Oh, boy, oh boy, is it ever.
[08:49]
Patrick Gray
Now look, we've got a bit of an issue to talk about here, which is the massive consolidation of types of data with specialist cloud providers. And the reason we're talking about it this week is because there's a company in the United States called PowerSchool which, you know, offers like, school management software for schools. And as a result of that, a lot of schools use it and it looks like they've been popped. And this is just turning into an absolutely gargantuan data breach. And I suspect it's one that we're going to hear more of. I mean, there's what, 16,000 K, 12 schools worldwide, unsure if it's used here. But this got me thinking about a recent conversation I had with a friend whose partner is a therapist. And they use like a, you know, clinical management software that now the therapists leave their laptop open and the sessions are transcribed by AI. This is obviously very useful, right? So my friend asked me, like, you know, he said when my partner started talking to me about this, I just started feeling really uneasy and I wanted to get your feeling on it as to whether or not I was being reasonable or whether or not I'm just being paranoid and silly. And I'm like, I thought about it and I'm like, look, the AI part of this isn't the problem. The problem is a centralized repository of patient notes where, as he told me, you know, sometimes people are talking about things like, you know, childhood sex abuse and things like these and the idea that that's all being all going onto some disk somewhere. And then. So I actually looked at the provider, I won't name them, but I went and looked at their website and their security statements are things like, we use military grade encryption and just the sort of stuff that, like red flag, red flag, red flag. So, and then when I saw this PowerSchool thing, I just thought, this is going to be a problem, right, where you've got all of these, you know, industries, disciplines, whatever. You've got all these specialist cloud services and it's just such an. They're such attractive targets. I just think we're going to see more and more.
[10:49]
Adam Boileau
Yeah, I think you're absolutely right. Because these cloud services usually are disrupting some incumbent or some on premise thing. And so being nimble and fast and cheap and attractive, easy to use, those are the priorities for them. Not robust security or robust encryption or military grade encryption. Perhaps they've got time for that. This reminded me that we were talking the other night about Vesta Amo, the Finnish psychotherapy chain where they had bootstrap startup, minimum viable producted management system for therapy clinics in Finland. And they ended up getting all of their patient notes stored because they put it in a MySQL database with no creds on the Internet.
[11:29]
Patrick Gray
Yeah, but now where the AI becomes relevant is it's just going to exponentially increase how comprehensive patient notes are. There's going to be transcripts and everything. And because it's an integrated system where you're managing your patient records, billing, all of that, there's no real way that you can use pseudonyms for your patients. Or anything like that. And you just sort of get the impression like, you know, I don't think they've thought of that.
[11:54]
Adam Boileau
No, no, I doubt, because everyone's so busy innovating and not really thinking about the long term risks of holding data full stop, let alone really sensitive data. And something like school systems where your, you know, your user constituency is, you know, sensitive, I guess, or is, you know, vulnerable. Exactly.
[12:13]
Patrick Gray
And there's something like 60 million people in this data set. You know, the first, middle, last name, date of birth, gender, health card numbers, grade school and grade level and school information, all sorts of stuff. Medical information, like allergies, conditions. Yeah.
[12:27]
Adam Boileau
Disciplinary notes, you know, like the headmaster gives you a telling off for doing something bad and that's gonna be in there. And then data leaked and next minute, you know, some insurance company, we're denying you coverage because, you know, in the sixth grade you were a bad kid.
[12:41]
Patrick Gray
Yeah. Ain't it great? Ain't it great? So look, I just think, you know, whether you're a dentist, whether or not you're a psychologist, like it, like everybody's using specialist stuff. We're actually developing some tools at the moment. Well, talking about it, developing some tools that are going to be actually quite useful for newsrooms and then, hey, that's maybe something that we'll license to other newsrooms to use as like an information management tool. And look, in that case, we're dealing with public information, so it's not, it's not really that sensitive if something happens to it, ironically enough, less likely to happen to something built by you because you're a security person. But I guess the point is, you know, everything's specialized these days. Like we're moving away from spreadsheets, running the world. I think we've still got 20 years of that, but eventually everything's going to be specialized and you just, you know.
[13:29]
Adam Boileau
I mean, it used to be Ms. Access rules the world. So I'm kind of glad that that era is suddenly starting to wane.
[13:36]
Patrick Gray
I'm sure that some of these psych practices who keep their own notes and use their own tech are more vulnerable than these cloud providers. But the thing is, one of them gets done, okay? It impacts a small number of people. One of these big places where all of this data pulls together. It's, it's no bueno. Okay, so let's talk about Deep Seq. We're going to preface this by saying we're not AI experts. We are two dudes on a podcast who are saying we're not AI. Experts, which is incredibly rare. But it looks like, you know, a Chinese group has released an open source model called Deep Seq that has AI people all freaking out because they're claiming that it cost them very little to develop and it's very computationally efficient and whatever. And this has led to, you know, people bailing out of Nvidia and like its share price collapsing 17% and stuff. I have no idea if this is justified or not. What is interesting though is that they had to restrict signups to people in China now because they say that they've been experiencing all sorts of like DOS and API abuse. And I can't say I'm surprised by that because if you're the big shiny new thing, you're going to get attacked.
[14:44]
Adam Boileau
Yeah. And I mean, even just the sheer amount of people signing up probably looks like it's in the aisle of service and the amount of use and all those sorts of things. You know, once a large enough user base is playing with your things, you know, you start discovering all sorts of weird edge cases. But yeah, they were what, they took over ChatGPT as the most downloaded.
[15:03]
Patrick Gray
Yeah, but that's not a good metric. Everybody's already downloaded ChatGPT. You know what I mean? So like there's the long tail of people who haven't downloaded it yet and they get over to, I don't know. Yeah, there's so much hype around this stuff and it's, you know, and the idea that, you know, I think Nvidia lost something like $600 billion in value and it's like I've got, I got no idea if that's justified or not. I don't really understand how this is a breakthrough or, you know, whether or not it's a big deal. But people are treating it as a big deal and, you know, I guess that's all you can do. Okay, so now we're going to talk about this story from Dorina Antoniouk over at the Record. And apparently this is a story that kind of makes the allegation that there's a crew out there false flagging and pretending to be Gammaren and they've been given the name Gamma Copy. So the idea is like they're using enough ttps from gammareton that people are saying, oh, they're false flagging. We had a disagreement about this because you think this is pretty thin. But I don't know, I feel like it's specific enough that I can understand why at first pass, like if you're a threat intel person, you're going to cluster this together. So I can understand why they would have clustered it together but then had to disambiguate later. So it's stuff like using self opening 7 zip files and I think there's similarity in the payloads and there's just a few little things here where you're.
[16:31]
Adam Boileau
Like, yeah, there was some obfuscation techniques that were quite similar. One of the other data points was that they were using ultravnc as a kind of like thing that they would drop. You know, 7zip and UltravNC are not exactly unique things. But the victimology, I guess was also interesting because gamma radon is generally attributed to the Russian fsb. And in this case, this group was going after Russian organizations, so Russian targets with Russian lures and that kind of thing. And to me, it felt less false flag and more like, why not just use Russian TDPs for the LULs?
[17:07]
Patrick Gray
Yeah, why not do what they're doing? That works.
[17:09]
Adam Boileau
Yeah. Like, it's A, it's easy. B, you're not burning any specialist knowledge and C, it's just kind of like if you, especially if this is a Ukrainian group doing it, thumbing your nose at the Russian by using exactly their TDPs right back at them like that just feels like trolling more than it does, you know. False flag.
[17:27]
Patrick Gray
Yeah. So what's funny is this threat intel, people listening to this and they're either nodding along, you know, or they're raging. And we don't know, like AI, we are not threat intel specialists at all. So we are happy if you are happy and we are sad if you are not. I think that's about all we can say. Now let's jump into the issue of all of these cable cuts that have been happening everywhere. So Alexander Martin again at the Record has written up this story where there's reports that intelligence officials are starting to say, look, all of these Internet cable cuts in like the Baltic and whatever it. They're probably accidents. But other people don't know. For me, the discussion around this has really reminded me of like the Havana syndrome stuff where people thought, you know, maybe their CIA folks were being irradiated by Russians and using microwaves or whatever. And there's people who don't believe in it and people who do. I think this is a similar sort of thing where we don't really know if there is a concerted campaign by, you know, Russia working in concert with China to cut undersea cables. But nonetheless, and this is why we haven't talked about it up until now, because there's just not enough information. Nonetheless, I think it's time people maybe started thinking, certain classes of companies need to start thinking about what their contingencies are when they start losing major cables. Now, the people who operate these cables, obviously, they will have thought of this already, but I'm thinking maybe some people downstream might actually have to think about, like, well, what's the impact of a series of cable cuts to this provider or that provider and what do we do? And, you know, it's probably something to work into your doctor scenarios.
[19:04]
Adam Boileau
Sadly, yeah. And it's quite difficult to plan around because, I mean, you kind of need some deep understanding of what your upstream providers have in terms of their international transit subsea cables, how they work. And, I mean, some cable operators will sell you geographically redundant services, so often they'll have cables that are of figure eight loops or that kind of thing where they'll sell you capacity on both sides of the loop. But that doesn't help you when there's a Russian ship dragging an anchor for 100 kilometers.
[19:31]
Patrick Gray
Yeah. Cutting both of them.
[19:32]
Adam Boileau
Cutting both of them. So it is very hard. And also it's quite expensive provisioning, diverse access, especially subsea. It's bad enough across town, so it's hard. And the, you know, some of the reporting we've seen, you know, that does say, hey, maybe this is accidental. You know, some of it sounds kind of compelling, but then, you know, the idea that you could drag your anchor for 100km and not notice, like, I am no mariner, but like AI, like.
[20:02]
Patrick Gray
Threat intelligence, we are not maritime experts.
[20:05]
Adam Boileau
You know, we just read the computer shipping news, not the actual shipping news.
[20:09]
Patrick Gray
Yeah, yeah. So look, and another thing, there's a great story here again from Alexander Martin, where he's, you know, there was this really funny disclosure from the British Defence Secretary, John Healy, who said that he'd authorised British submarines to surface near suspect Russian vessels just to let them know they were being watched. And I just got an image of that in my head of like, blah, blah, blah, blah, blah. Hey, boys, what you doing? So I think. Does that work? I don't know, but it's funny.
[20:43]
Adam Boileau
It is funny, yes. And it must be, you know, that would be a fun day at the office, you know, having to poke the head of your submarine out the door.
[20:50]
Patrick Gray
To shout at some Russians.
[20:51]
Adam Boileau
To shout at some Russians, Yeah. Better than slinking around all day.
[20:55]
Patrick Gray
I mean, you do wonder, though, like, if things were really to kick off in some major conflict. Like, this is a point of vulnerability, especially for countries like Ours like Australia and New Zealand, where we are islands, you know, and if someone were to cut our cables, that would be extremely not good.
[21:10]
Adam Boileau
Yeah. And I mean, how many cable fixing ships are there?
[21:13]
Patrick Gray
Right.
[21:13]
Adam Boileau
That's pretty specialized equipment. It takes ages to get it in position.
[21:17]
Patrick Gray
And it's not like you can task your entire navy to patrol your cables.
[21:20]
Adam Boileau
No, exactly. Right. Yeah. These are difficult problems. And, you know, if and when it kicks off, boy, oh boy, we're going to be in some trouble.
[21:28]
Patrick Gray
Yeah. Now, we've got a really interesting story here from Dan Gooden, which has the FUD headline, but the nuanced reporting.
[21:34]
Adam Boileau
Yes.
[21:34]
Patrick Gray
Which is an odd combo, but it's a story about some people who've been reverse engineering some of the protocols that are used in power delivery, particularly in Central Europe. Right. So it turns out, like a lot of the grid is just controlled via this unencrypted, unauthorized wireless protocol. And they've been managed. They've managed to actually reverse engine and get it working, like being able to deliver payloads with a flip of zero. Right. So that's not good, you know, so that's really not good. And, you know, the idea is the story sort of argues that if they could do enough simultaneously messing around with this protocol, they might be able to trip some sort of big event like the withdrawal of supply or the addition of supply, but either way, something that would make the grid unhappy enough to just sort of disappear for a while. Dan's reporting here, though, does speak to a few experts where they're saying it's not likely. Oddly enough, though, I really didn't find that all that reassuring. Right. Which is what I liked about this piece is that you're like, okay, probably not the end of the world, but they didn't really convince me it's not a risk worth worrying about. Was that your vibe here as well?
[22:42]
Adam Boileau
Yes, absolutely. Right. I've done plenty of work in environments where hacker mindset is relatively new, and all of the old greybeards that are involved in those systems are pretty dubious about some of the claims that hackers come up with. And often we are getting it wrong because we're new to the area, we don't have the engineering expertise. But, you know, this is one of these proof of Concept or GTFO kind of situations, which is a little difficult when you're talking about the entire European grid. But the work that they have done is pretty interesting. It's pretty like the researchers have done pretty comprehensive, you know, not just like naive extrapolation, like. So in some Cases like they made a flipper zero transmit some of these ripple control signals, which are relatively low frequency. And they can do that by kind of abusing the RFID mechanisms in the flipper. So it's very, very short range. And then they've done the. Okay, how do we build this at continent scale? Like, how long an antenna do we need? Can we string it up from a balloon and make it half a kilometer tall and then transmit? And so they have talked to a bunch of people and done some of that work to think about scaling it up so it's more compelling than some of the FUD headlines we've seen. But I think Dan did a pretty good job of at least getting the perspectives from everybody involved, even if we didn't really come to a, you know, a comprehensive conclusion about whether or not you can just turn off the, you know, entire European grid.
[24:07]
Patrick Gray
Yes. Which wouldn't be great. Like, it just wouldn't.
[24:11]
Adam Boileau
Not ideal. No.
[24:12]
Patrick Gray
Now, in some terribly surprising news, Adam, we never see this happen. John Greig has reported over at the Brecord that 69 million bucks has been stolen from a crypto platform called Femex. I mean, it's just amazing, man. It's been like, what, two or three years of just one of these. Two of these. Three of these every week. Yes.
[24:30]
Adam Boileau
And big money amounts to them. And sometimes we'll get things that are in the news, the risky bulletin news list, and it's like 10, $15 million. I'm like, meh, let's cut it. Catalyn says, look, if you had $15 million, you'd be pretty happy about it. So sometimes we do put them in, but, yeah, $69 million. Nice. Is a fair amount.
[24:51]
Patrick Gray
Yeah. But last year there was 308 million stolen from DMM Bitcoin and 235 million stolen from Wazirx. Wazirx.
[24:59]
Adam Boileau
Wazirx. And this one did look like North Korean. Some people are saying the way the currency moved after it got nicked looked like normal North Koreanness. And they are kind of the world experts at stealing bulk cryptocurrency.
[25:15]
Patrick Gray
The question is, are they going to convert it to Trump or Melania?
[25:21]
Adam Boileau
Well, thanks to the blockchain, I guess we can find out.
[25:24]
Patrick Gray
Yeah, that's right.
[25:25]
Adam Boileau
Which the North Koreans prefer to hodl in.
[25:28]
Patrick Gray
Now, a while ago, we spoke about the Breach Forum's admin pompompurin, Connor Fitzpatrick, how he'd been sentenced to. Like, he got a slap on the wrist. And we were just like, wow, that's really weird.
[25:39]
Adam Boileau
17 days time served.
[25:41]
Patrick Gray
Yeah. And it's funny because, I mean he got like, you know, 20 years of supervised release or whatever. But you know, it was interesting because we're normally sitting here talking about how the US justice system has gone too far, but in this case we were like, wait, what? It looks like his, that sentence is being appealed by the DOJ and he's probably going to get re sentenced down.
[26:02]
Adam Boileau
Yeah, they've handed it down to a lower court to go back and do the sentencing again because it did seem, you know, the judges decided that it was unfair and that he should have gotten more. But yeah, you definitely got some feeling of frustration from the prosecution about what he got, you know, given some of the stuff he was into and you know, breached forms was huge.
[26:21]
Patrick Gray
It's kind of rare to see this though, you know what I mean? Like, it is rare to see judges accept that their colleagues have erred. Yes, right. And go, okay, we're going to reset. Like it's kind of a big deal. So yeah, I think he's, he's not going to have a, he's not going to have a great time. All right, so let's talk about some academic research now into Apple chips, right? And you know, Apple's ability to just come out of nowhere and in a few years just switch from intel to all of the M series chips is just incredible. But you know, there's always going to be side channels in these things and that's what this research looks at. This stuff is all Greek to me pretty much. But what's the go here?
[27:04]
Adam Boileau
So this is a group of researchers, I think mostly University of Georgia that have done a bunch of prior work in Meltdown Inspector and so on. So they kind of understand side channel attacks and they've come up with two sets of side channels against Apple. M series CPUs and A series CPUs that allow them to predict, to have side channels in the way that instructions are predicted and in some cases data loading. So like Apple's chips will make up data speculatively whilst the memory is offloading it and then operate on that speculatively made up data, which in itself is just wild. I guess that's why these things are so fast. But from a practical point of view, what they demonstrated was doing this in web browsers Safari and Chrome. And in the case of the Chrome and Safari attack, they are able to leak memory from other browser tabs. In the Chrome case, there's a feature called site isolation where unrelated sites don't get put into the same address space. So there's a separate process between your Gmail and your banking, for example, but in some cases it will share address space if they are subdomains of each other. So like something.google.com might end up in the same address space as calendar.google.com or whatever. Anyway, so they've demonstrated some data leaking between across that boundary. And honestly, that's pretty cool research using webassembly and some of the kind of tricks to make the browser do what it needs to do to trigger these attacks. So it's amazing academic work. But on the other hand, I don't know that I'm super worried about it.
[28:48]
Patrick Gray
But like with all of this stuff and more and more of these sort of fiddly attacks, you know, it's been 11 and a half years since Edward Snowden walked out of NSA with all of this good stuff. Right. And I wonder if we'll see another Snowden one day and then we're going to find out, oh my God, people have been using this. You know what I mean? Maybe, maybe you just never know. But yeah, you read this and you think, well, if you're just trying to get on target, like this ain't how you do it.
[29:15]
Adam Boileau
It seems pretty unlucky. And I would be really interested to hear from pen testers who've actually used speculative execution bugs other than local privesques. Maybe that's one case where we have seen them being used. But in terms of practical things you can do in the wild, it's, you know, it's not the bug you're going to be reaching for. In this case it is.
[29:35]
Patrick Gray
Did anyone wind up using Rowhammer for example? Right. I mean, because I know there were viable exploits out there, but you never hear of them being used in the wild.
[29:43]
Adam Boileau
Yeah.
[29:43]
Patrick Gray
And I wonder if that's a next Snowden thing where we find out or if it's just that it's so easy to detect by like EDR or whatever that it just no one wants or.
[29:51]
Adam Boileau
You'Ve got other, other options, you know. Yeah, I don't recall having used, you know, in my pen testing career having used any like maybe Rowhammer, we did like some of the. What was the heartbleed was one of the ones that leaked memory in the. It wasn't really a side channel. That was a, like.
[30:06]
Patrick Gray
Yeah, it was a memory disclosure.
[30:07]
Adam Boileau
Memory disclosure through like reuse of a buffer off the end of a buffer or something like that. So yeah, I don't know of anyone using them practically. But you know, maybe Maybe that's just my bias. Maybe I like you know, trad UNIX shells and you know, not super obscure.
[30:22]
Patrick Gray
He's a meat and potatoes hacker. Exactly, yes. All right. And yeah look, starting with Apple and there's a bug in their core media stuff which is used by all of their operating systems and whatever it's being talked about in this story. This is a TechCrunch one by Lorenzo. It looks like it affected Software older than iOS 17.2 which is a little bit old. But we don't know when this bug started being used or whatever. So we don't know if it was oday when it was in the wild. Um, but yeah, Apple's fixing it now. I mean we have seen a lot of bugs in core media, right. Like that's. And that's where you're going to find them. There's a lot of parsers, there's a lot of. Absolutely, you know what I mean?
[31:05]
Adam Boileau
It's parsers and attack service. You know, the two by their powers combined is where you get, we get the good bugs. And yeah, I mean it's, you know, local privesques in Apple stuff are particularly useful for people who are writing exploit chains and using them in the wild because that's a thing you know, you normally have to do after you land. So you know, every one of these that Apple kills probably kills someone's very expensive tool chain.
[31:29]
Patrick Gray
Well, I mean in this case it looks like it was dead already, but as you point out, local privilege escalation bugs for any iOS chain, they're really valuable. It's not like most OSS where that's eh. Yeah, I mean they've crept up in value for things like Windows as well over the years. But like an iOS, you know, essentially if you want to break the sandbox.
[31:50]
Adam Boileau
Like you know, because you need them all the time in iOS whereas on every other operating system, you know, often you don't need a local privesc. Often you're kind of there already, you know, you've kind of already on target, you've got what you need. So they're less, kind of less valuable there.
[32:06]
Patrick Gray
Yeah. All right, so we're going to talk about some research here and this is like bug bounty style research which is like. I think it's just the write up that's so good rather than the research because the research is essentially fairly workaday API security research. But someone has written it up. Who's this? EatonWorks, right, have written this up and the website's fantastic. It's very funny. So they took a look at McDonald's API in India, and they discovered that it had several vulnerabilities which would allow them to do things like order food for one century and yeah, do all sorts of stuff. They could steal, hijack, redirect other people's delivery orders and retrieve the details of any order or whatever. And they've put up a webpage here, and it's covered in like little McDonald's fries emojis and burger emojis, and the mouse cursor turns into like a little, you know, little packet of fries.
[33:00]
Adam Boileau
Geocities style.
[33:01]
Patrick Gray
Yeah, a little bit geocities, but, you know, I don't know, it's kind of cool. But like, the walkthrough of the research here is just like, I think anyone who's responsible for an API should just take a little thumb through this because this is how someone sitting down is going to have a go at you.
[33:20]
Adam Boileau
Yeah. In the end, one of the things that bug bounty kids are really good at is writing up their research because you have to be. Otherwise you don't get paid. And you can follow the train of thought. It's all explained pretty clearly. It all makes sense. It's also kind of fun. You know, I miss the fact that security research has gotten so serious. And so it's nice to see someone kind of horsing about having a bit of fun with it. And the bugs are legit too, right? I mean, there's some unauthorized API parts, there's some bits where the guy uses mass assignments on the shopping cart midway through the payment process to change the values to whatever the minimum the card processor will do. It's solid hacking and yeah, it's just a fun read.
[34:05]
Patrick Gray
Yeah, it is.
[34:06]
Adam Boileau
You know, good job, guy.
[34:07]
Patrick Gray
And eatonworks is apparently a guy, not a company, so there you go. I just was, was looking into that while you were speaking and, you know, kind of a quick one this week, isn't it? Because we're about to wrap up. But C is back as a computer language. The White House has deleted its memo on using memory safe languages because we don't want any of that Woke Rust stuff in our code. Adam, it's back to C. You know, Trump comes back in. You're allowed to use C again.
[34:41]
Adam Boileau
Yeah, Golang's for communists and hippies.
[34:44]
Patrick Gray
That's right. Who are trying to destroy America.
[34:46]
Adam Boileau
Exactly. Yes. Honest to God, just like Brian Kernighan intended it. We should all be writing C for everywhere. But there's a whole bunch of web properties that have been changing during the transition in the government and, you know, we've seen executive orders go missing, we've seen, you know, all sorts of other, you know, kind of guidance about stuff go away, but it's just, you know, what a mess. But hey, I mean, if C comes back, I'm not mad about that.
[35:09]
Patrick Gray
You should be mad about that. Oh, man.
[35:14]
Adam Boileau
God's own macro assembler. That's a beautiful thing.
[35:16]
Patrick Gray
All right, well, that's actually it for the news, Adam, but you and I are going to do something we don't normally do and actually have a bit of a chat about this week's sponsor interview, because it is very interesting. I mentioned it briefly at the intro, but basically, Push Security, they make a identity security platform and a big part of it is a browser plugin. They can collect things like login information that people have done through web browsers and stuff, give you incredible visibility into the SaaS apps you're using. They can do all sorts of stuff. They can prevent people from recycling their SSO password into other sites and just really handy stuff. You can just Google Push Security. You'll find them. But they found some unexpected stuff. That's a big part of what's in this interview is they noticed, some of their customers noticed that they were getting all of these Google logins, logins to Google accounts using corporate email addresses. They're like, huh, we're not a Google shop, so what's going on there? And it turned out what some of their staff were doing was actually registering Google accounts with their corporate email addresses. And you can have a Google account that's not an email account, so there's no domain validation. They'll just email that user. They'll email the address of the person who's trying to spin up the account with a code and then, bang, you've registered the account. And then the reason they were doing that is so that they could then log into SaaS apps that they were using as part of their jobs by clicking Login with Google. Now, this got the people at Push thinking, well, if you could just fish that code, you can start logging into all manner of SaaS apps and you haven't had to do any fancy token theft or install a malicious extension or, you know what I mean? Like, this is just a really easy way to do that. And I remember, yeah, like signing up for an account with Dropbox and then with a username and password and then just oauthing to it with no password from a different browser profile with that email address and it just let me in. So all of this stuff's a bit of a mess.
[37:12]
Adam Boileau
Yeah. Like it's quite a complicated problem. And some of this is because of the way that authentication has changed over time from local authentication through to federated authentication and identity providers and so on. So authentication mechanisms in most systems are pluggable. So you can authenticate from a local account, you can authenticate with an idp, you can authenticate from LDAP or from SAML or whatever else. And the systems that use those kind of authentication plugins don't really care which one. And using that in the real world where you've got malicious use cases like this does require a bit of whole system thinking that you lose when you've got that sort of pluggable mechanism. And the options you've got for dealing with that kind of blended authentication is defensively registering stuff with other identity providers.
[38:09]
Patrick Gray
Which can be done. And there's only a handful of them that are used commonly. So you've got Apple, Apple, Google and Microsoft are going to be your common ones. But I mean, I made a mistake on this when we were talking because I'm like, that's part of the spec, isn't it? It's agnostic. If that's your identifier, if it's your username, domain.com if that's your identifier, it's in the spec that it respects it, whether it's username or password, but it's not in the spec. And they can. A lot of SaaS providers can choose to pin people to an authentication method or an idp, but they don't do that because, say we were to switch to using M365, that'd break all of our SaaS access and that would cause them help desk problems. So this is a real issue.
[38:55]
Adam Boileau
Yeah, I mean what the spec says is that identity providers provide an attribute that says whether or not they have validated control of the email address. So that's one kind of data point that you can use and then they provide the email address related to it. They also say that you shouldn't use that email address as the kind of private, as the key, as the identifier for that user, that there is a separate unique value that's guaranteed to be unique that you should use for that. And those kinds of details are not something that as an outsider you can really see. Right. If you're trying to assess do the systems that use third party identity providers that I rely on, do they care about the email validated attributes, do they validate that? Do they do things per the recommendations because there's the letter of the spec and then there's the kind of intent of the spec and then the as built reality of it and then there's the way that everything kind of interacts and a glue between identity providers and relying parties and all gets kind of messy and complicated. As an end user they want it to be simple like the flow should be click button, receive, authenticate, session. You know, there shouldn't be much to fiddle around with but you know, if you're the security person and you kind of have to care about this stuff, it's really, really complicated. So.
[40:14]
Patrick Gray
Well, and it's opaque as well and it's, you know, that's, that's why I found, you know, really interesting thing about this story is the way it turned up was people using Push to do something else and then just looking at the logs and going that's weird.
[40:26]
Adam Boileau
And you can totally understand why end users would do it because it is, it's often straightforward. You have to manage know the password. In some cases using you know, federated auth. Like that is more robust and easier. But however. But however.
[40:41]
Patrick Gray
Right.
[40:41]
Adam Boileau
And then we're, you know, into the world also where you know how, how individual services handle multiple IDPs and whether they pin it like you're kind of supposed to. But there's no spec that says you should. That's just kind of accepted wisdom. Best practice. The sort of thing a pen tester.
[40:56]
Patrick Gray
Will probably write in a report but nobody does.
[40:58]
Adam Boileau
No one reads pen test reports either.
[41:00]
Patrick Gray
So. Yeah, yeah, they just tick the compliance box.
[41:03]
Adam Boileau
Yes, exactly. Got SSO green tech next.
[41:05]
Patrick Gray
All right, so we are going to wrap up the news there. But I should mention too, we've got a couple of job postings to talk about. We've got lots of resumes that we're going through at the moment for our job and we're doing some interviews around that. But there are two more jobs up for grabs. One is with Trail of Bits and one is with Push Security who's this week's sponsor. And I'll drop links to both of them in this week's show. Notes. Both United States based positions. But here is that interview with Luke Jennings from Push Security talking about this whole issue of cross IDP impersonation. Enjoy.
[41:36]
Luke Jennings
We see people do this with their own accounts for real. Like we've got customers where, you know, one of the reasons it came out is that they, they were looking for logins across their estate and they saw all these logins to Google but with corporate email addresses. And they were confused, saying, well, hang on, we're in Microsoft house, this must be a bug. And then we looked into it. It's like, no, no, like a certain percentage of your users have all registered personal Google accounts with their corporate emails and they're using those to o with Google into other downstream SaaS apps. So it happens even for legitimate use, like people going in, oh my God.
[42:12]
Patrick Gray
So that's a really funny way that you've discovered that, which is that it was a non malicious use, which is their own corporate users legitimately logging into corporate SaaS apps with the wrong IDP.
[42:24]
Luke Jennings
Yep. Probably because it's easier. They get a button that says login with Google and then they go and register that with their corporate email once. And they just do that from then on. It's easy.
[42:33]
Patrick Gray
Wow, that's amazing. So walk us through like the phishing workflow to spin up those accounts. Right, because you're going to need to do a little bit of fancy footwork, I'd imagine.
[42:44]
Luke Jennings
Yeah. So I mean, when I was looking into this, I was thinking, how can attacker take advantage of this? And it made me realize, you know, a lot of people have got very strong SSO authentication methods now. Maybe they're even using passkeys or something to stop phishing entirely. So how do you get an account on a different idp? Well, actually, as an attacker, you can go and register, say that Google account yourself. You set the passwords, you do everything, and then it will email the attacker on their email address and go to their Outlook, for example. Now you need to get that verification code, but you need to get that once. And you think about it, that's way easier to phish than doing an attacker in the middle phishing attack against their actual SO account. Or if they've got passkeys, it wouldn't even be possible anyway. So you just got to convince them to give you that code through some social engineering pretext once for an account they know they don't even use. So why would they be too worried about it? You could create some context around that. I'm not giving away a password, I'm not giving away an account I use. It's unused. You just got to get that code once and then you can register that account, you control the password, and then you can start logging into things as Google instead. And it like it won't even go into the SSO logs for the real organization because you go straight to the downstream app. So they won't even see suspicious logins through the idp like you bypass that as well.
[44:02]
Patrick Gray
Yeah, I mean, I think that's the interesting thing here is that without, you know, because of course you make a plugin, right, that captures this sort of telemetry. Without that, like no one would have realized this was even, this was even happening.
[44:13]
Luke Jennings
Yeah, it's true. I mean, to be honest, it surprised us ourselves just seeing how legit users or how many of them were doing this as well. And thinking through the full applications, you realize it creates quite a lot of potential problems in a large organization where you've got just more forms of ghost logins appearing and you've got ways of circumventing SSO with verification phishing as well.
[44:37]
Patrick Gray
Okay, so all of this begs the question, what do you do to prevent this happening to your Org? You sent over some notes obviously, before we started having this conversation. And one thing you could do is register tenants with Microsoft. But can you do that with Apple?
[44:55]
Luke Jennings
Yeah, so you can register your domain and verify it with other providers. So even if you don't make use of them, you can kind of claim it.
[45:03]
Patrick Gray
And for like Apple, you could spin up like a workspace domain. Right. And just have like one user or whatever.
[45:11]
Luke Jennings
Yeah, so like that's the intention. And if you do that with say Apple, for example, you can claim that domain and as a result you can then stop people making new personal accounts on that domain. So you can kind of close off Apple as a root, for example. The difficulty is with Google, it's a little different with Google. It will then tell you if there are other personal accounts, like unmanaged accounts on that domain, so you can gain visibility of them, but you have to kind of control how it handles conflicted accounts. It's not simple, but effectively that's one way of doing it. You go and claim your domain on the other identity providers, even if you're not actively using them.
[45:49]
Patrick Gray
Yeah. Okay. And have you. I'm guessing that you would have recommended that to a bunch of clients and they've been through that process. Have they found it pretty simple? Yeah, with the exception of Google, as we said.
[46:02]
Luke Jennings
Yeah, but Google's slightly more annoying. Certainly with Apple it's very easily. And where we've done it ourselves, you know, for our own accounts too. I mean, downstream from there you can obviously go to your major apps and try and configure the authentication settings to prevent logins from other IDPs too. But obviously you're at the mercy of what the app allows and you've got a lot more apps to go and do that for, rather than just, you know, a few different idps, I guess.
[46:29]
Patrick Gray
I guess the main thing though, the takeaway from this conversation is that because most of this oauth is Apple, Google, Microsoft, like it doesn't take a whole bunch to seal this off as a viable attack path for, for, for people out there. Right. So people listening to this, at least they've got something they can do.
[46:45]
Luke Jennings
Yeah, I think really it should probably become standard practice to go and claim your domains on the other identity providers. In light of this, it'll be definitely good practice for people to do. And actually if you just want to test what your level of vulnerability is in your own organization, you can do it pretty simply without even being an admin too. You can just try and register your own account with other identity providers and see if you can log into any of your apps yourself and like you'll find out your level of vulnerability that way too. It's, it's very simple.
[47:15]
Patrick Gray
Yeah. Now is there anything that those vendors should be doing differently, I guess to prevent this from happening? I mean it's, it's important. Unless they're, they're going to restrict it with some sort of domain validation, I don't really see what else they can do. Right. And as you say, product led growth, they don't want to slow down the number of users who are, who are coming to their services. So I can't think this is going to change on their end. Right.
[47:38]
Luke Jennings
Yeah. For the identity providers, I don't know what else they can really do other than look for the account creation as looking as suspicious for other reasons. But then they've got to go and contact the owner of the domain. It's going to be some sort of manual process. It's kind of hard for them to do. I think for general SaaS application vendors though, what they can do is make it so that once you've logged in with one method, it's not easy to log in with a different method without some other step being taken. And that really does just depend on the application. Some of them do that quite well. If you log in with Google, then you can't just go and log straight in with Microsoft. But others just let you use whatever method you like unless you go and explicitly disable those things.
[48:21]
Patrick Gray
So it's really, there's always going to be that situation, isn't there, where people are going to switch between providers for their, you know, for their cloud accounts and then what? All of it breaks all of their SaaS access because I mean I did have a chance to have a bit of a noodle on this and I'm like, I can't really see how this gets fixed, to be honest. I actually, to test this on a related story, a while back, I think I made a Dropbox account with a username and password and then like, oh, from, from one Chrome profile, then went to my corp Google profile and just oauthed into it without the password. And yeah, it let me in, no problem. So it doesn't seem that these applications really care what method you use, whether it's username and password or which IDP you're using. And I can see why they do that, but I also feel like that's, yeah, not ideal, let's put it that way.
[49:12]
Luke Jennings
No, it is, yeah, for sure. And I think it almost seems like some of the biggest apps are the ones that are more vulnerable there because they've tried to make it as easy as possible.
[49:19]
Patrick Gray
Well, they're the ones who every time they make support a little bit more complicated, they make their product a little bit more complicated, their support costs go through the roof. Right. So it makes sense that the bigger services are the more difficult ones. But yeah, I just, I mean, look, again, we've got some actionable advice here, so that's great, but, you know, not every company listens to Risky Business and is and is going to see this research. So that begs the question, what's the response to this work that you've been doing? Been like so far. Like, have a lot of people, you know, have you talked to a lot of people about it? Has it generated a bit of buzz with people saying, gee, I didn't know that that was an issue?
[49:55]
Luke Jennings
Sure, yeah. I mean, we posted a couple of blog posts on it and, and sort of video demos of the attack. I got a lot of good feedback from that. I have seen like, there's even been some other people, like, sublime release of detection mails in there for the verification phishing side of it. So we've, you know, we've got like quite a lot of, you know, feedback from different people and I think most people are pretty surprised at the outcome. It seems really simple. It's only when you sort of think about it a little more that you realize the implications. So, yeah, it's been interesting response to it.
[50:28]
Patrick Gray
All right, Luke Jennings, thank you so much for joining me to talk about cross IDP impersonation. Very interesting stuff, my friend. And yeah, always great to get some actionable advice out there in the show. Cheers, thank you. That was Luke Jennings there from Push Security, rounding out this week's edition of the Risky Business podcast. I do hope you enjoyed it. That's it from Mr. Beardy Adam Guy over here and and me. But we'll be back next week with more security news and analysis. Between two nerds is coming back as well next week. Tom's had a couple of extra weeks leave, so he'll be back with the Grock next week. And so will Seriously, Risky Biz and all of that over at Risky Bulletin. But yeah, we'll catch you all next week. Bye.
[51:11]
Adam Boileau
Thanks. So.