Dave Troy @davetroy

3 posts3 participants0 posts today

**Neil Madden** @neilmadden@infosec.exchange · 1d *

Neil Madden @neilmadden@infosec.exchange

Interesting open letter from the CISO at JP Morgan Chase, calling out insecure SaaS integrations, and specifically lots of implicit/explicit criticism of #OAuth: poorly secured and broadly scoped long-lived bearer tokens are not a great idea. Hopefully we’ll see PoP (with keys in a KMS) becoming more widespread for these kinds of integrations.

(The letter is undated but I assume it’s recent - via @ladynerd on LinkedIn).

https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers

www.jpmorgan.comAn Open Letter to Third-Party SuppliersLearn more about J.P. Morgan's products and services.

**The New Oil** @thenewoil@mastodon.thenewoil.org · 6d

The New Oil @thenewoil@mastodon.thenewoil.org

Hackers abuse #OAuth 2.0 workflows to hijack #Microsoft365 accounts

https://www.bleepingcomputer.com/news/security/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/

#cybersecurity #Microsoft

**Maarten Balliauw** @maartenballiauw@mastodon.online · 6d

Maarten Balliauw @maartenballiauw@mastodon.online

Just did a big rewrite of a docs page on dynamic identity providers in Duende #identityserver.

That was fun to dive in, and makes me appreciate the thought put in to designing both #aspnetcore and IdentityServer itself.

https://docs.duendesoftware.com/identityserver/ui/login/dynamicproviders/

#dotnet #security #oauth

(also big thanks to @khalidabuhakmeh for the fantastic preview images on new docs pages)

Duende Software DocsDynamic ProvidersDocumentation for IdentityServer's Dynamic Identity Providers feature, which enables configuring external authentication providers from a store at runtime without performance penalties or application recompilation.

**The New Oil** @thenewoil@mastodon.thenewoil.org · Apr 22

Apr 22

The New Oil @thenewoil@mastodon.thenewoil.org

#Phishers abuse #Google #OAuth to spoof Google in #DKIM replay attack

https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/

#cybersecurity

**Efani** @Efani@infosec.exchange · Apr 21

Apr 21

Efani @Efani@infosec.exchange

Phishers have found a clever way to spoof Google — and their emails pass all security checks.

A new DKIM replay phishing attack abuses Google’s own OAuth infrastructure to send fake messages that look 100% legitimate, including passing DKIM authentication.

What happened:
- A phishing email was sent from “no-reply@google.com”
- It appeared in the user’s inbox alongside real Google security alerts
- The message linked to a fake support portal hosted on sites[dot]google[dot]com — a Google-owned domain
- The attacker used Google OAuth to trigger a real security alert to their inbox, then forwarded it to victims

Why this matters:
- DKIM only verifies the headers, not the envelope — allowing this spoof to work
- The phishing site was nearly indistinguishable from Google’s actual login portal
- Because the message was signed by Google and hosted on a Google domain, it bypassed most users’ suspicions
- Similar tricks have been used with PayPal and other platforms, raising broader concerns

Google has since acknowledged the issue and is working on a fix. But this attack is a reminder:

Even the most secure-looking emails can be fraudulent.
Even Google-signed emails can be weaponized.

At @Efani, we advocate for layered defense — because no one layer is ever enough.

#Cybersecurity #Phishing #Google

**ResearchBuzz: Firehose** @researchbuzz_firehose@rbfirehose.com · Apr 21

Apr 21

ResearchBuzz: Firehose @researchbuzz_firehose@rbfirehose.com

Bleeping Computer: Phishers abuse Google OAuth to spoof Google in DKIM replay attack. “In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google’s systems, passing all verifications but pointing to a fraudulent page that collected logins. The attacker leveraged Google’s infrastructure to trick recipients into accessing […]

https://rbfirehose.com/2025/04/21/bleeping-computer-phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/

#email #emailspoofing #google

**damienbod** @damienbod@mastodon.social · Apr 21

Apr 21

damienbod @damienbod@mastodon.social

Blogged: Implement client assertions for OAuth client credential flows in ASP.NET Core

https://damienbod.com/2025/04/21/implement-client-assertions-for-oauth-client-credential-flows-in-asp-net-core/

#aspnetcore #dotnet #oauth

**tim** @timcappalli@infosec.exchange · Apr 16

Apr 16

tim @timcappalli@infosec.exchange

Huge 9.0 release for node-oidc-provider!

Awesome to see #DPoP enabled by default.

https://github.com/panva/node-oidc-provider/releases/tag/v9.0.0

GitHubRelease v9.0.0 · panva/node-oidc-provider⚠ BREAKING CHANGES authorization and logout endpoints no longer support the HTTP POST method by default, this can be re-enabled using the enableHttpPostMethods boolean configuration, this also req...

#OIDC #OAuth #NodeJS

Replied in thread

**Erik Play2Learn** @fallbackerik@mastodon.social · Apr 15

Apr 15

Erik Play2Learn @fallbackerik@mastodon.social

@elmiko in my python tests #GeminiAI has been pretty good. So galang doesn't worry me that much. Interestingly multiple AIs struggle with #oauth, eg also #lovable .

There aren't even free standing computers and library employees not respecting documentation standards pisses me off. So i have to check now if another library has a free computer. It's already the second library. In the first ive got #hausverbot because I dont want to be #homeless anymore, see other thread on this masto account.

Replied in thread

**Erik Play2Learn** @fallbackerik@mastodon.social · Apr 2

Apr 2

Erik Play2Learn @fallbackerik@mastodon.social

@netzpolitik_feed Haben die @EUCommission Kollegen schon mal von #oauth gehört? Ein großer Teil der Anfrage-Verwaltung ist damit technisch schon gelöst.

**Emelia** @thisismissem.bsky.social@bsky.brid.gy · Mar 30

Mar 30

Emelia @thisismissem.bsky.social@bsky.brid.gy

Spent the past hour doing some updates to the Client ID Metadata Documents internet draft. Trying to find alignment with the Client ID Prefix internet draft and fix a few open issues. #ietf #oauth

Bluesky SocialBluesky

**damienbod** @damienbod@mastodon.social · Mar 25

Mar 25

damienbod @damienbod@mastodon.social

Blogged: ASP.NET Core delegated Microsoft OBO access token management (Entra only)

https://damienbod.com/2025/03/25/asp-net-core-delegated-microsoft-obo-access-token-management-entra-only/

Software Engineering · Mar 25ASP.NET Core delegated Microsoft OBO access token management (Entra only)This blog shows how to implement a delegated Microsoft On-Behalf-Of flow in ASP.NET Core, and has a focus on access token management. The solution uses Microsoft.Identity.Web to implement the diffe…

#aspnetcore #dotnet #micrsoftidentity

Continued thread

**Jörn Franke** @jornfranke@mastodon.online · Mar 24

Mar 24

Jörn Franke @jornfranke@mastodon.online

Check your programming frameworks. For example, this is currently only planned in the upcoming major Version of the Spring framework https://github.com/spring-projects/spring-security/issues/16391

At least for the Rust crate openidconnect-rs this is included in the default example: https://docs.rs/openidconnect/latest/openidconnect/

GitHubConsider Enabling PKCE for Authorization Code by Default · Issue #16391 · spring-projects/spring-securityBy rwinch

#oauth #oauth2_1 #spring

**Jörn Franke** @jornfranke@mastodon.online · Mar 24 *

Mar 24 *

Jörn Franke @jornfranke@mastodon.online

browsing the specs of OAuth 2.1 and found that PKCE is now mandatory for Authorization Code Flow (not only Desktops or frontend-only apps!):
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12

"The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters"

IETF DatatrackerThe OAuth 2.1 Authorization FrameworkThe OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 and the Bearer Token Usage in RFC 6750.

#oauth #oauth2_1 #pkce

**Khalid Pro Max️- Tarrifed** @khalidabuhakmeh@mastodon.social · Mar 19

Mar 19

Khalid Pro Max️- Tarrifed @khalidabuhakmeh@mastodon.social

I got #Duende IdentityServer #OAuth working inside an @avaloniaui app. It's pretty easy, thanks to the Duende.IdentityModel package and the browser abstraction. #dotnet

An Avalonia app showing a Duende Login screen and then a logged-in view showing that the user is now Alice Smith. Hooray!

**The New Oil** @thenewoil@mastodon.thenewoil.org · Mar 17

Mar 17

The New Oil @thenewoil@mastodon.thenewoil.org

Fake "Security Alert" issues on #GitHub use #OAuth app to hijack accounts

https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/

BleepingComputerFake "Security Alert" issues on GitHub use OAuth app to hijack accountsA widespread phishing campaign has targeted nearly 12,000 GitHub repositories with fake "Security Alert" issues, tricking developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and code.

#cybersecurity

**The New Oil** @thenewoil@mastodon.thenewoil.org · Mar 17

Mar 17

The New Oil @thenewoil@mastodon.thenewoil.org

Malicious #Adobe, #DocuSign #OAuth apps target #Microsoft365 accounts

https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oauth-apps-target-microsoft-365-accounts/

BleepingComputer · Mar 16Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accountsBy Bill Toulas

#cybersecurity #Microsoft

**skry** @skry@mastodon.social · Mar 17

Mar 17

skry @skry@mastodon.social

#GitHub Alert hijack attack https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
#infosec #dev #webdev #oauth

**LavX News** @lavxnews@mastodon.cloud · Mar 16

Mar 16

LavX News @lavxnews@mastodon.cloud

Tinyauth: Simplifying Authentication for Docker Apps with Ease

Introducing Tinyauth, a lightweight authentication middleware designed for Docker applications that streamlines the integration of login features. With support for OAuth providers like Google and GitH...

https://news.lavx.hu/article/tinyauth-simplifying-authentication-for-docker-apps-with-ease