Securing applications from vulnerabilities starts with analyzing your source code before it becomes a problem. This is where static application security testing (SAST) steps in.
The post What Is SAST? How It Works and the Best Tools appeared first on Security Boulevard.
Encryption is a powerful tool for safeguarding sensitive data, but its effectiveness hinges on proper security. Encryption keys are at the heart of any good security strategy—but without effective encryption key management, you might experience unauthorized access, data breaches, and compliance failures.
The post What Is Encryption Key Management? Importance and Best Practices appeared first on Security Boulevard.
Modern software development uses open-source components to save time and resources. But with that efficiency comes security issues. Open-source code can carry vulnerabilities or licensing issues that put your software—and the sensitive data it handles—at risk.
The post What Is Software Composition Analysis (SCA)? Tools and Benefits appeared first on Security Boulevard.
Most people are familiar with the two most common types of phishing — credential phishing and phishing payloads, where attackers trick users into revealing credentials and downloading malicious software respectively. However, there is a third type of phishing on the rise: consent phishing.
Consent phishing deceives users into granting a third-party SaaS application access to their account, enabling it to retrieve sensitive information or act on their behalf. These attacks leverage existing permissions provided by identity and OAuth providers like Google and Microsoft. For example, the Mail.ReadWrite scope on Microsoft allows a third party SaaS app to read and reply to any email on the user’s inbox.
OAuth was originally created to enhance user experience and productivity by seamlessly integrating software tools. In the past few years, OAuth has become a widely adopted authentication method due to the surge in the number of SaaS applications used in the workplace. According to SaaS Academy, most large enterprises have 450 active SaaS apps at a given time, with an average employee working with 12 to 14 applications on a daily basis. Thus, the growing demand for seamless integration and efficient workflows has made OAuth a critical tool.
Unfortunately, the very same consent capabilities have been repeatedly misused by attackers to steal confidential data, impersonate employees and distribute malware. This article will discuss the mechanisms behind consent phishing, some case studies and best practices to defend against this rising attack form. However, in order to truly understand consent phishing, it is important to first understand how OAuth works.
Understanding how OAuth WorksOAuth was created to enable users to authenticate through a single trusted Identity Provider (IDP), which can then be used by other applications to verify the user’s identity. Applications can also request permissions to perform actions on behalf of the user. These permissions, known as scopes, define the extent of the actions an application can take on the user’s behalf.
This is what a typical OAuth flow looks like:
5. Once the consent is granted, the IDP generates three tokens:
Consent phishing works very similarly to a regular OAuth authentication flow, which is why it is especially difficult for employees to identify. Typically, it involves the following steps:
Now that we understand the typical flow of a consent phishing attack, let’s look at several case studies to see how it has been used to compromise employee accounts in practice.
Case Study 1: O365/Gmail Account TakeoversThere have been several consent phishing attacks aiming to gain control of employee emails. A common tactic involves a spearphishing email mimicking a file sharing notification from OneDrive or Google Drive. Once the employee clicks on “Open” they get redirected to their IDP, requesting permissions to read and send emails on their behalf. Believing that the email came from a trusted app, employees frequently breeze through these terms. These permissions are then used by attackers to read confidential emails and send emails from this employee’s account to other employees containing further phishing links or malware. Now that these emails come from a legitimate internal address, it becomes even more difficult for other employees to recognize that they come with malicious intent.
Image Source: Microsoft [1], [2]
Case Study 2: Gitlocker AttacksEarlier this year, a spearphishing campaign from the address notifications-at-github.com sent fake job and security alerts to developers on GitHub, containing a link to one of two malicious sites: githubcareers[.]online or githubtalentcommunity[.]online. Upon arriving on these websites, the user is asked to grant the malicious app the right to access their personal information and private repos. Attackers then used these accounts to spam forums and notifications, while many victims reported losing access to their entire repository
Case Study 3: Chrome Extension AttackJust this week, Cyberhaven was reported to release a malicious version of their browser extension on Chrome Store, which were used to steal session cookies and exfiltrate sensitive information across multiple apps used by their customers. This was the result of a large-scale consent phishing attack targeting extension developers. An email mimicking Chrome Store was sent, requesting urgent action to prevent the developer’s extension from being removed from Chrome Store due to a compliance violation. This led to an OAuth page requesting permission for a Privacy Policy Extension to “edit, update or publish” the developer’s Chrome extensions. A full demo of the attack was discovered and disclosed by SquareX researchers a week before the breach.
https://medium.com/media/d9b24f87f6ef115da9257e938646d492/href
Source: SquareX
Why is consent phishing so dangerous?Unlike regular credential phishing, consent phishing is especially challenging to deal with due to several reasons.
As seen across several examples above, the consent phishing sequence closely mimics a typical SaaS authorization workflow, a process that employees frequently go through. Just like how most people don’t read the fine print on most Terms & Conditions forms, it is more likely than not that employees click through these OAuth pages without fully reading the permissions requested.
Furthermore, the regular user may not be technical enough to understand the “normal” permissions required for SaaS apps to function, especially as many legitimate applications such as Grammarly also request similar rights to these malicious apps.
2. Involves a Trusted IDP/OAuth Provider
Consent phishing leverages legitimate IDP providers such as Google and Microsoft that are generally trusted by employees. This makes it more challenging for an average user to distinguish between legitimate and malicious requests.
3. Poor Traceability
Once a user grants consent to a third party SaaS app, malicious or not, it is extremely difficult for security teams to track which apps these permissions are granted to, what these permissions are used for or to revoke these rights at the admin level. Similarly, if multiple third party apps have the same permissions, it may be challenging to track the root cause of an attack should a breach occur.
Best practices to deal with consent phishingHow then should an organization protect itself against consent phishing? Here are some best practices that we believe are critical for every organization to consider.
1. Restrict ability to grant OAuth permissions
The most deterministic way to prevent consent phishing is to prevent users from granting OAuth permissions to unauthorized SaaS apps, especially risky permissions that may involve reading sensitive information or writing, editing or publishing on the user’s account. Now a completely strict whitelist may not be realistic for most organizations, thus it is important that there is a seamless way for employees to request for exceptions and for security teams to easily review these requests in a timely manner.
SquareX’s Browser Detection and Response (BDR) solution allows security teams to do just that. Not only can they manage the OAuth workflows across the organization, the platform also allows admins to centrally grant exceptions on a one-off, time-bound or perpetual basis. Employees can even append a business reason in the exception request to avoid the painful back and forth that often impacts productivity and trust between users and the security team.
2. User education on consent phishing attacks
One key reason for the effectiveness of consent phishing attacks is the lack of awareness on how OAuth permissions can be used in a malicious way. As discussed, employees often associate IDP providers with legitimate applications and hence do not truly understand the risk of carelessly approving authentication workflows. Unfortunately, due to the nascency of these attacks, many security training programs are still focused on basic credential phishing and do not include consent phishing as part of the curriculum.
It is absolutely critical that companies raise awareness about consent phishing internally through case studies and ideally, in workflow training. For example, SquareX’s BDR enables security teams to add custom messages to policies blocking OAuth workflows in order to help users understand the risks associated with the permissions requested by their apps.
3. Regularly audit existing permissions
Last but not least, it is extremely common for a benign app to turn malicious — Cyberhaven is just one of many examples. Vendors could be hacked, or attackers may have developed a benign app on purpose to get approved by security teams before adding malicious functionality. Thus, it is critical for security teams to regularly audit the SaaS apps and permissions employees are using.
Introducing the BDRSquareX’s Browser Detection and Response (BDR) solution goes beyond just protecting against consent phishing and identity-based attacks. SquareX’s industry-first BDR solution detects, mitigates and threat-hunt client-side web attacks targeting employees in real time. The solution comes in the form of a lightweight browser extension that can be deployed to existing browsers via a simple group policy.
We believe that there are three key components required when it comes to securing the browser:
Consent Phishing: The New, Smarter Way to Phish was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Consent Phishing: The New, Smarter Way to Phish appeared first on Security Boulevard.
During our recent security assessments across multiple clients, we discovered a concerning pattern: many companies are unknowingly exposing their customers’ sensitive payment information through a simple yet critical misconfiguration in...
The post The Critical Risk of Using Dummy Email Domains in Payment Gateways appeared first on Strobes Security.
The post The Critical Risk of Using Dummy Email Domains in Payment Gateways appeared first on Security Boulevard.
Are Your Security Practices Up to the Challenge? As organizations continue to invest more heavily in cybersecurity measures, one question often arises. How can businesses justify these increased security investments, particularly when it comes to managing Non-Human Identities (NHIs) and Secrets Security? This conundrum brings to light the critical role of adopting smart NHIDR practices […]
The post Justify Your Security Investment with Smart NHIDR Practices appeared first on Entro.
The post Justify Your Security Investment with Smart NHIDR Practices appeared first on Security Boulevard.
What Does Secrets Vaulting Hold for your Business? In a world where data is the new gold, organizations are under increasing pressure to protect their resources from potential thieves. With the rise of cloud services, secrets vaulting has become a critical aspect in ensuring a secure environment. It provides the peace of mind every business […]
The post Achieve Peace of Mind with Secure Secrets Vaulting appeared first on Entro.
The post Achieve Peace of Mind with Secure Secrets Vaulting appeared first on Security Boulevard.
The post PCI DSS 4.0.1: A Comprehensive Guide to Successfully Meeting Requirements 6.4.3 and 11.6.1 appeared first on Feroot Security.
The post PCI DSS 4.0.1: A Comprehensive Guide to Successfully Meeting Requirements 6.4.3 and 11.6.1 appeared first on Security Boulevard.
Following the publication of our in-depth analysis on the National Public Data (NPD) breach last week, Constella Intelligence received several inquiries about how to safeguard against identity attacks using the exposed SSNs. The recent National Public Data (NPD) breach stands as the largest social security number (SSN) exposures in history. With 292 million individuals exposed, …
The post Best of 2024: National Public Data (NPD) Breach: Essential Guide to Protecting Your Identity appeared first on Security Boulevard.
The post PreVeil Drive in 2025: The Evolution of Flexible Enterprise Security appeared first on PreVeil.
The post PreVeil Drive in 2025: The Evolution of Flexible Enterprise Security appeared first on Security Boulevard.
Author/Presenter: Shishir Gupta
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.
The post DEF CON 32 – War Games Red Team for OT Based on Real World Case Studies appeared first on Security Boulevard.
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Lasering Incidents’ appeared first on Security Boulevard.
Our new Google Cloud server-side integration is the latest in a range of 50+ integrations that ensure DataDome stops bad bots & fraud on any infrastructure.
The post DataDome Releases Google Cloud Platform Server-Side Integration appeared first on Security Boulevard.
Have you ever heard the phrase "eat your own dog food" - roughly translating to "use your own products"?
The post Eating Your Own Dog Food appeared first on Security Boulevard.
The Digital Operational Resilience Act (DORA) is coming in 2025.
The post DORA Regulation (Digital Operational Resilience Act): A Threat Intelligence Perspective appeared first on Security Boulevard.
Authors/Presenters: Pavel Khunt & Thomas Sermpinis aka Cr0wTom
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.
The post DEF CON 32 – V2GEvil: Ghost in the Wires appeared first on Security Boulevard.
In a recent podcast interview with Cybercrime Magazine's host, Charlie Osborne, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, discusses the recent cyberattack on Blue Yonder, including how the incident impacted supply chains, effective steps an organization can take after a ransomware attack, and more. The podcast can be listened to in its entirety below.
The post Breaking Down The Blue Yonder Cyberattack appeared first on Security Boulevard.
In light of recent cybercrime incidents, the United States (US) Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert pertaining to a Cisco vulnerability. As per recent reports, the Cisco vulnerability prevails within the Smart Install (SMI) feature and can be exploited for access to sensitive data. In this article, we’ll explore the vulnerability […]
The post Cisco Vulnerability: CISA Alerts Of Smart Install Exploits appeared first on TuxCare.
The post Best of 2024: Cisco Vulnerability: CISA Alerts Of Smart Install Exploits appeared first on Security Boulevard.
Is Your Organization’s Trust in Cloud Technology Well-Placed? In this expanding digital landscape where businesses are heavily reliant on cloud technology, can we confidently assert that our data is safe in the cloud? Regardless of the size of your business, trust in cloud platforms should be reinforced. It is a misconception that simply shifting your […]
The post Trustworthy Cloud Platforms: Ensuring Secure Access appeared first on Entro.
The post Trustworthy Cloud Platforms: Ensuring Secure Access appeared first on Security Boulevard.
Are You Truly Harnessing the Power of NHIDR Solutions? It’s no secret that Non-Human Identities and Data Rights (NHIDR) solutions are crucial for maintaining a robust security system, particularly where cloud environments are involved. But do you fully grasp the potential that these tools can offer when it comes to empowering your team and taking […]
The post Take Control: Empowering Your Team with NHIDR Solutions appeared first on Entro.
The post Take Control: Empowering Your Team with NHIDR Solutions appeared first on Security Boulevard.
