Don't trust the link

Presented at Disobey 2023, Feb. 17, 2023, 2 p.m. (30 minutes).

A popular URL scanning tool was found to contain a trove of data from various sources, leaking the metadata and contents of links sent privately to users via email. This talk will focus on the implications of using a simple link to authenticate users or to authorize them to access sensitive information.

This talk is useful for:

  • Defenders who use these kinds of tools, to understand the possibility of an OPSEC fail.
  • Developers who implement authentication mechanisms that include communication via email.
  • The security community in general, for good anecdotes.

Presenters:

  • Markus Lehtonen - CGI
    For the past six years, Markus has worked in running SOC services with a focus on cloud security and security tooling. He previously ran CGI's SOC service in Finland and is now applying his interest in cloud security in consulting assignments.
