Old school phishing is the most common MFA bypass.
Here is an example of how it works:
-
That's an interesting concept.
Thinking about it for a bit, I'm sadly hesitant that it might need to be built as a browser extension or mobile app, rather than a website, because none of these services provide programmatically-accessible (even read-only) feeds of what you're looking for, so you'd need to scrape everything. This brings up two issues: 1) the headache of IP rate limiting (and/or flat-out IP bans from trigger-happy systems optimized for fighting fraud/bots hosted on cloud infrastructure). IIUC there are proxy services that you can outsource the workaround problem to, but this is awkward to get behind in the face of 2), which is that users would need to input their actual usernames and passwords so that the service could request the account page with the details on it in order to scrape the data.
Given that these are broadly web services poked at via HTTPS, you could potentially get everything you needed from a browser extension (as long as the service doesn't require you to set any HTTP headers that extensions aren't allowed to touch).
The second possibility is using an app. Writing a thin layer that lets you craft custom HTTPS/whatever requests from a WebView would probably be the most straightforward approach.
The main issue with both the extension and app approaches is that they code-dump both the idea and methodology of "here is how to do X" into the hands of the IQ-99 skiddie group (especially with an extension). So now you have more people running around scraping pages and whatnot and trying to figure out how to weaponize everything. Probably won't go anywhere (in terms of producing actual attacks), but the noise may potentially make your life harder.
The least-complex solution seems to just be a giant boring list of links, for example:
- https://myaccount.google.com/permissions
- https://twitter.com/settings/connected_apps, https://twitter.com/settings/connected_accounts
- https://github.com/settings/apps/authorizations, https://github.com/settings/applications, https://github.com/settings/installations, https://github.com/settings/apps, https://github.com/settings/developers, https://github.com/settings/tokens
Hmm, that's kind of all over the place for some things. A single aggregate view that combines everything could definitely be very interesting...
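One way to build the "single aggregate view" the comment above ends on, as an added example that is not part of this thread and not code from any of the services linked: the scraping/credential problem is sidestepped entirely by having the user copy each provider's connected-apps list off the settings page by hand, and the script only does the part that is actually useful, normalizing the heterogeneous records and flagging grants worth revoking. The snapshot format, the provider names, the scope fragments treated as high-impact and the 365-day staleness cutoff are all this example's own assumptions.

```python
"""Aggregate hand-collected 'connected apps' lists from several providers into one review table.

Added example; the input format below is this script's own convention, not any provider's export.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample snapshots: what a person might copy off each provider's
# connected-apps settings page. App names, scopes and dates are made up.
SNAPSHOTS = {
    "google": [
        {"app": "Calendar Sync Pro", "scopes": ["calendar", "contacts"], "last_used": "2023-11-02"},
        {"app": "OldBackupTool", "scopes": ["drive", "drive.file"], "last_used": "2021-03-15"},
    ],
    "twitter": [
        {"app": "TweetScheduler", "scopes": ["tweet.write", "users.read"], "last_used": "2023-10-30"},
    ],
    "github": [
        {"app": "CI Runner", "scopes": ["repo", "workflow"], "last_used": "2023-11-01"},
        {"app": "OldBackupTool", "scopes": ["repo", "admin:org"], "last_used": "2020-07-09"},
    ],
}

# Scope fragments this example treats as high-impact (assumption; tune per provider).
HIGH_IMPACT = ("write", "admin", "repo", "drive", "workflow")
STALE_DAYS = 365
# Fixed reference date so the output is reproducible; use date.today() in practice.
TODAY = date(2023, 11, 15)


@dataclass(frozen=True)
class Grant:
    provider: str
    app: str
    scopes: tuple
    last_used: date

    @property
    def high_impact(self) -> bool:
        return any(frag in scope for scope in self.scopes for frag in HIGH_IMPACT)

    def stale(self, today: date) -> bool:
        return (today - self.last_used).days > STALE_DAYS


def normalize(snapshots: dict) -> list:
    """Flatten per-provider records into Grant objects with sorted scope tuples."""
    grants = []
    for provider, records in snapshots.items():
        for rec in records:
            grants.append(Grant(
                provider=provider,
                app=rec["app"],
                scopes=tuple(sorted(rec["scopes"])),
                last_used=date.fromisoformat(rec["last_used"]),
            ))
    return grants


def aggregate(snapshots: dict, today: date = TODAY) -> list:
    """One row per grant with review flags; rows with the most flags come first."""
    grants = normalize(snapshots)
    # Same app name authorised on more than one provider is worth a second look:
    # one compromised vendor then means several accounts to clean up.
    providers_by_app = {}
    for g in grants:
        providers_by_app.setdefault(g.app.lower(), set()).add(g.provider)

    rows = []
    for g in grants:
        flags = []
        if g.high_impact:
            flags.append("high-impact")
        if g.stale(today):
            flags.append("stale")
        if len(providers_by_app[g.app.lower()]) > 1:
            flags.append("multi-provider")
        rows.append({"provider": g.provider, "app": g.app,
                     "scopes": list(g.scopes), "last_used": g.last_used.isoformat(),
                     "flags": flags})
    rows.sort(key=lambda r: (-len(r["flags"]), r["app"], r["provider"]))
    return rows


def review_candidates(snapshots: dict, today: date = TODAY) -> list:
    """Grants that are both stale and high-impact: the ones to revoke first."""
    return [r for r in aggregate(snapshots, today)
            if {"stale", "high-impact"} <= set(r["flags"])]


if __name__ == "__main__":
    for row in aggregate(SNAPSHOTS):
        print(f"{row['provider']:8} {row['app']:18} {row['last_used']}  "
              f"{','.join(row['scopes']):28} {' '.join(row['flags'])}")
```

The point of doing it this way is that nothing here ever sees a password or session cookie: the user stays logged in to each provider in their own browser, copies the list, and revokes from the provider's own settings page, so there is no third-party service to ban, rate-limit or breach.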
-
This 100%. I had the same thing happen to me (even though I have 2FA everywhere):
https://github.com/Niek/Niek/blob/master/facebook-scam/READM...