OAuth Device Code Phishing: Azure vs. Google Compared

Azure can yield very powerful tokens while Google limits scopes, reducing the blast radius. Register for Huntress Labs' Live Hack to see live Microsoft 365 attack demos, explore defensive tactics, and ...
Bleeping Computer

GitHub Actions artifacts found leaking auth tokens in popular projects

Multiple high-profile open-source projects, including those from Google, Microsoft, AWS, and Red Hat, were found to leak GitHub authentication tokens through GitHub Actions artifacts in CI/CD ...
PC World

Android one-click Google authentication method puts users, businesses at risk

A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts ...
Lifehacker

Two-Step Text Authentication Isn't Enough to Keep Your Accounts Secure

Just last week, Instagram confirmed reports that it’s modifying its account security setup to allow users to log in with passcodes from security apps, like Google Authenticator, instead of simpler ...
IT News For Australia Business

Actor auth tokens gave Global Admin access across Azure Entra ID tenants

A Dutch security researcher has published an indepth analysis of a critical vulnerability that could have allowed attackers to compromise every Microsoft Entra ID tenant worldwide through a ...
Ars Technica

Microsoft Teams stores cleartext auth tokens, won’t be quickly patched

This is a known issue with OAuth and is how basically any electron app works. The tl;dr is if you're able to steal files "as the user" it's already game over. This is no different than stealing ...