Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Conversation

Notices

Embed this notice
Jan Wildeboer 😷:krulorange: (jwildeboer@social.wildeboer.net)'s status on Wednesday, 15-Jan-2025 05:05:28 JST Jan Wildeboer 😷:krulorange:

#Oops. "Login with Google" can be abused if you buy a domain name that formerly had accounts, e.g. from a failed startup.
"At the time of writing, there is no fix."
https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
In conversation about 16 days ago from social.wildeboer.net permalink
Attachments
1. Domain not in remote thumbnail source whitelist: framerusercontent.com
  
  Millions of Accounts Vulnerable due to Google’s OAuth Flaw ◆ Truffle Security Co.
  
  Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.
- Embed this notice
  Chris (cy@chaos.social)'s status on Wednesday, 15-Jan-2025 05:17:43 JST Chris
  in reply to
  
  @jwildeboer same for buying old domains where the email has been used too register an account without SSO, and can still be used to reset the password, what’s new?
  aside of the fact that lots of services do not allow your sso provider to be changed
  
  In conversation about 16 days ago permalink

Feeds