@melissa
Followers 29K · Following 89K · Media 1K · Statuses 4K
experiments in parenting from first principles / n=1 experiments in biohacking / internet anthropologist
elon’s 𝕏
Joined February 2008
one time as a kid, my dad told me about some old research he'd read
he said, maybe asian kids are better at math because they just try 50% longer
78 · 485 · 12K
i like the way he ends
he says, here at two sigma, we value learning and studying
then he goes, if you ask me something or tell me something, where either of us learns anything, i'll give you some two sigma swag
unsurprisingly, it's a deck of cards
0 · 0 · 15
@BlackHatEvents even in the more granular api mechanisms of google workspaces, he notes that the access controls do not affect first-party google apps
first-party google apps is where his not-google app shows up
1 · 0 · 6
this vector has much of the same durability as the one i posted
again, in the authorization layer, oauth tokens are post-authentication
he too notes that in the event of account compromise, password resets have no effect at all
nor do traditional recovery mechanisms generally
1 · 0 · 6
after he tracks down the decoded string, he also finds it referenced in a listserv
the post is by a co-author of many oauth specs, including RFC 8252, the oauth spec in question
he has nothing nice to say
1 · 0 · 8
@twosigma "i don't know how many of you have ever been involved in developing a secure message passing or credential storage system"
"i don't know if you've ever thought, you know where we should put that? put it in the browser title bar"
"it's easy for me to make a joke in hindsight"
1 · 0 · 10
@BlackHatEvents in his research into google's oauth, he notices some weird string
he decodes it and searches the documentation
it says, google's authorization server should return the authorization code *in the browser's title bar*
1 · 0 · 10
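Added example, not part of @melissa's thread and not code from Brian Smith-Sweeney's talk: what the out-of-band (OOB) flow described in the post above actually amounts to on the client side. The native app reads the authorization code out of the page title; the second function shows that anything else able to read titles (an extension with the tabs permission, the history database, a window-title logger) gets the same string with the same parser. The title shapes handled here ("Success code=...", "Success state=... code=...", "Denied error=...") are assumptions about the OOB response page, not something the thread states, and the sample titles and codes are constructed placeholders.

```python
"""Parsing an OAuth out-of-band (OOB) authorization response from a page
title, and the leak that implies.

Added example; not code from the thread or the talk it describes. The title
shapes handled below ("Success code=...", "Success state=... code=...",
"Denied error=...") are assumptions about the OOB response page.
"""
from typing import Dict, Iterable, List, Optional


def parse_oob_title(title: str) -> Dict[str, str]:
    """Parse an OOB response page title into {"status": ..., key: value, ...}.

    Raises ValueError for titles that are not an OOB response, so callers can
    scan arbitrary titles (history, open tabs) without special-casing them.
    """
    parts = title.strip().split()
    if not parts or parts[0] not in ("Success", "Denied"):
        raise ValueError("not an OOB authorization response title")
    result = {"status": parts[0]}
    for tok in parts[1:]:
        key, sep, value = tok.partition("=")   # first '=' only; values may contain '='
        if not sep or not key or not value:
            raise ValueError("malformed key=value in OOB title: %r" % tok)
        result[key] = value
    if result["status"] == "Success" and "code" not in result:
        raise ValueError("Success title without an authorization code")
    if result["status"] == "Denied" and "error" not in result:
        raise ValueError("Denied title without an error")
    return result


def authorization_code_from_title(title: str,
                                  expected_state: Optional[str] = None) -> Optional[str]:
    """What the legitimate native app does: pull the code out of the title.

    If the app sent a state parameter it must come back unchanged, otherwise
    the app could be tricked into exchanging an attacker-chosen code (CSRF on
    the redirect). Returns None when the user denied the request.
    """
    resp = parse_oob_title(title)
    if resp["status"] == "Denied":
        return None
    if expected_state is not None and resp.get("state") != expected_state:
        raise ValueError("state mismatch")
    return resp["code"]


def harvest_codes_from_titles(titles: Iterable[str]) -> List[str]:
    """What any title reader gets for free.

    A browser extension with the tabs permission, the history database, a
    window-title logger or a screen recorder sees the same string the app
    does. Nothing here is privileged; it is the parser above, run over
    everything, keeping only the successes.
    """
    found = []
    for t in titles:
        try:
            resp = parse_oob_title(t)
        except ValueError:
            continue   # ordinary page title, not an OOB response
        if resp["status"] == "Success":
            found.append(resp["code"])
    return found


# Constructed sample titles; the codes are placeholders, not real ones.
SAMPLE_TITLES = [
    "Inbox (3) - Gmail",
    "Success code=4/0AX4XfWh-EXAMPLE-FIRST",
    "Denied error=access_denied",
    "Success state=n0nc3 code=4/0AX4XfWh-EXAMPLE-SECOND",
    "Success Code=oops",   # wrong key, rejected as not a usable response
]

if __name__ == "__main__":
    print(authorization_code_from_title(SAMPLE_TITLES[1]))
    print(authorization_code_from_title(SAMPLE_TITLES[3], expected_state="n0nc3"))
    print(harvest_codes_from_titles(SAMPLE_TITLES))
```

The point of the two functions sharing one parser is the one the talk makes: the "secure" path and the hostile path are the same code reading the same public string, so the only protection is not putting the secret there in the first place.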
"if you tell your users to look for [an authorization to a third-party app], they're not going to find it"
1 · 0 · 10
@twosigma @BlackHatEvents it's unrelated to the vector i posted, other than it's also oauth
it's more facile, requiring explicit consent, albeit from a first-party google service to another first-party google service
the trick is, it's not google
it's a third-party impersonating google, and succeeding
1 · 0 · 13
this is brian smith-sweeney, he heads up infosec risk at two sigma
he gave a talk at black hat back in 2023
two years prior, in 2021, he'd accidentally discovered a new vulnerability in google's oauth
he stresses the attack vector is not limited to google
4 · 0 · 41
you can just break things
@melissa breaking things is easy melissa. statistically speaking almost every intervention you can make to a computer makes it less likely to operate as intended.
1 · 0 · 17
One of my favorite quotes from https://t.co/6zu6VAwlw1 is "The easiest way into any home network is through the TV." It seems that threat has been exploited on an international scale.
thebxi.com
we didn't want a smart tv, but there are no more dumb ones out of the box
it was so slow we joked it had north korean spyware
joke's on us, it did
a man-in-the-middle attack compromised every device except, strangely, mine
all because i'd bullied google into deleting youtube
1 · 2 · 16
@melissa This is the safest approach regardless of what Google does. If you cannot trust the hardware then there's nothing to stop its manufacturers from simply using your TV as a computer. There is no authentication protocol that can prevent that.
0 · 1 · 11
@Michelgrabowy @ADioumaev @melissa don't assume the TV is not connected. Any snippet of code can cause it to connect. Ever accidentally had that setting on your phone where it always looks for a wifi network? (carriers like to default that one during upgrades to save data packets transiting the cell network) the
4 · 1 · 19
you can just do things
btw please do not let a corporation have root access to your home
needless to say, there will be no more smart tvs
this leaves scarce choices:
–– old tv
–– projector (surprisingly hard to find dumb)
–– commercial signage display screen (dumb but notably low quality)
i picked d/ none of the above
i decided to lobotomize a smart tv instead
24 · 24 · 760