By Owais Sultan
The US Securities and Exchange Commission (SEC) is currently reviewing applications from several institutions for a spot Bitcoin…
This is a post from HackRead.com Read the original post: Exploring the Potential Impact of a Bitcoin Spot ETF Approval

The US Securities and Exchange Commission (SEC) is currently **reviewing** applications from several institutions for a spot Bitcoin ETF. The large financial companies to file for a spot ETF include BlackRock, 21 Shares & ARK Investment Management, VanEck, Invesco & Galaxy Digital, Valkyrie, Fidelity Investments and WisdomTree.

The potential approval of a Bitcoin spot ETF has increased investor certainty around BTC and sparked excitement about the looming possibility of a flood of investments pouring into the original cryptocurrency. This article will explore the latest Bitcoin news and the impact of a spot Bitcoin ETF approval.

**The Pathway to Institutional Adoption**

The crypto space has been buzzing ever since the largest asset manager in the world, BlackRock, **filed** an application with the SEC for a Bitcoin spot ETF two months ago to launch the iShares Bitcoin Trust. Larry Fink, CEO of BlackRock, told viewers of the Fox Business program that “The role of crypto is digitizing gold.”

Fink spoke about Bitcoin’s utility as a store of value, comparable to gold. He said, “Instead of investing in gold as a hedge against inflation, \[or\] a hedge against the onerous problems of any one country, or the devaluation of your currency of whatever country you’re in. Let’s be clear, Bitcoin is an international asset. It’s not based on any one currency, so it can represent an asset that people can play as an alternative.”

BlackRock hopes to continue its good track record for working with regulators, as all but one of its previous 576 ETF applications have been approved.

**The Possibility of a Spot Bitcoin ETF Has Profound Implications**

**Mike Novogratz**, the founder and CEO of Galaxy Digital, joined Bloomberg Wealth to discuss the validity of Bitcoin in light of the conversion of earlier critics like Larry Fink. 

According to Novogratz, the biggest thing to happen to Bitcoin this year was Larry Fink changing his position on Bitcoin. “For the CEO of the largest asset manager in the world,” Novogratz said, “this has profound implications.” 

When asked if a spot Bitcoin ETF is a big change for the industry, Novogratz referenced the preponderance of the evidence of some 180 million people around the world that are investing their savings and storing them in Bitcoin.

“It’s a big, big deal,” Novogratz told shareholders during Galaxy’s Q2 earnings call on August 8. “It’s a big deal because both our contacts, from the Invesco side and from the BlackRock side, get you to think that this is a question of when not if — that the outside window is probably six months.”

**Bitcoin at an Inflection Point: A Changing Regulatory Environment**

**Michael Saylor**, Co-founder and Executive Chairman of MicroStrategy joined Natalie Brunell on the Coin Stories Podcast to talk about the “Groundswell of positive sentiment for Bitcoin.” The consummate Bitcoin maximalist referenced several factors for the reason he has “never been more bullish” about BTC’s future.

According to Saylor, the endorsement of Bitcoin by US presidential candidates — both Ron DeSantis and Robert F. Kennedy, Jr. have emphatically supported citizens’ right to own Bitcoin in recent months, the changing regulatory environment, and the tone and treatment of BTC in the mainstream media are contributing to an overwhelmingly positive outlook for the king of crypto.

As the deadlines approach for the SEC to make a decision on the multiple ETFs, it is more important than ever for investors and traders to monitor the latest **Bitcoin news** in the coming days and weeks to see how it will all play out.

Exploring the Potential Impact of a Bitcoin Spot ETF Approval

## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gjvc-55fw-v6vq. This link is maintained to preserve external references.

## Original Description
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-gvvx-fc6p-2h9x

**Duplicate Advisory: Wallabag user can delete own API client unintentionally**

Moderate severity GitHub Reviewed Published Aug 21, 2023 to the GitHub Advisory Database • Updated Aug 21, 2023

Withdrawn This advisory was withdrawn on Aug 21, 2023

**Package**

composer wallabag/wallabag (Composer)

**Affected versions**

\>= 2.0.0-alpha.1, <= 2.6.2

**Description**

Published to the GitHub Advisory Database

Aug 21, 2023

Last updated

Aug 21, 2023

GHSA-gvvx-fc6p-2h9x: Duplicate Advisory: Wallabag user can delete own API client unintentionally

## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-p8gp-899c-jvq9. This link is maintained to preserve external references.

## Original Description
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-rwpg-4c4c-v3r4

**Duplicate Advisory: Wallabag user can reset data unintentionally**

Moderate severity GitHub Reviewed Published Aug 21, 2023 to the GitHub Advisory Database • Updated Aug 21, 2023

Withdrawn This advisory was withdrawn on Aug 21, 2023

**Package**

composer wallabag/wallabag (Composer)

**Affected versions**

\>= 2.0.0-alpha.1, <= 2.6.2

**Description**

Published to the GitHub Advisory Database

Aug 21, 2023

Last updated

Aug 21, 2023

GHSA-rwpg-4c4c-v3r4: Duplicate Advisory: Wallabag user can reset data unintentionally

Telehealth companies that provide abortion pills are surging in popularity. Which are as safe as they claim to be?

A new class of health care startups has emerged in response to the US Supreme Court’s decision to overturn the federal right to abortion last year. These “digital abortion clinics” connect patients with health care providers who are able to prescribe mifepristone and misoprostol, a course of care commonly described as the “abortion pill.”

These services, many of which were founded before _Dobbs v. Jackson_, are poised to eliminate a major paradox in the field of reproductive health: Medication abortion is currently the most common way to terminate a pregnancy, yet only 1 in 4 adults are familiar with it, according to a recent study by KFF.

These clinics operate in different ways—some provide live video visits with doctors and nurse practitioners, while others offer asynchronous counseling—but many have experienced a record number of patient orders (and increased VC funding) over the past year. According to Elisa Wells, cofounder of the nonprofit Plan C, their appeal is straightforward. “Their pricing is quite affordable, and there’s convenience in placing an order and getting pills delivered to your mailbox in three to four days,” she says.

Recent data suggests that telehealth clinics have been effective in expanding access to abortion care, especially for people living in remote areas or in states where the procedure has been criminalized, a finding that Wells’ team corroborates. Thanks to a new series of “shield laws” protecting clinicians from out-of-state prosecution—passed in 12 states, including New York, Maryland, and Illinois—these clinics are positioned to expand their reach even further.

Following the lead of other companies in the femtech space (a category that includes everything from kegel trainers to period-tracking apps), leaders at digital abortion clinics like Hey Jane and Choix have publicly expressed their commitment to users’ privacy as they grow. In a recent interview with _Vogue_, Hey Jane cofounder Kiki Freedman said that the service is “HIPAA-compliant and encrypted.” In an interview with _Ms_. magazine this January, a representative from Choix highlighted its “HIPAA-compliant texting platform,” while another interviewee suggested that “most telehealth providers are not checking IP addresses.” (Read more about how HIPAA actually works here.)

A common belief about virtual clinics is that they offer more discretion than their brick-and-mortar counterparts. “There’s definitely a privacy factor—these sites don’t ask a lot of questions,” says Wells. In a 2020 study of over 6,000 abortion seekers, 39 percent reported choosing a telemedicine option specifically to preserve their privacy. While some providers’ intentions seem genuine, privacy experts have pointed out that their services may not be as secure as users expect them to be (even if they are compliant with US law).

This July, a team of researchers at the Markup reported that Hey Jane’s site passed along user information to Meta and Google, the world’s largest digital advertisers. While providers may not restrict access via IP addresses, our analysis found that most providers readily collected them. For telehealth abortion clinics, HIPAA compliance is just one part of the puzzle.

So which virtual abortion clinics take users’ privacy seriously, and which do not? How can users approach these services with safety in mind? Does HIPAA protect all information sent to telehealth providers? To find out, we teamed up with experts to analyze the privacy policies of five popular abortion-by-mail providers: Wisp, Choix, Hey Jane, Carafem, and Aid Access.

While the American Bar Association reported in April that “high-tech tactics” (like sending court orders to femtech apps) have not been used to successfully convict abortion seekers, prosecutors have used women’s text messages and search histories as evidence in a number of abortion-related cases. Because of this precedent, users should proceed with caution when handing their personal information over to telehealth providers. It’s not uncommon for vulnerable data to end up in the hands of third-party brokers who compile digital profiles of users before selling their information to the highest bidder. Michele Gilman, professor of law at the University of Baltimore, says: “Reproductive health data is being sold and transported into a much larger system.”

To make matters worse, the absence of a comprehensive federal privacy law, like the EU’s General Data Protection Regulation (GDPR), leaves the burden of evaluating privacy policies to individual users. Considering that these policies have gotten longer and more difficult to decipher in recent years, this is a serious burden. For our evaluation, we consulted frameworks from the University of Texas at Austin’s Privacy Lab and the Digital Standard to arrive at four core factors.

Here’s what we found:

Created with Datawrapper

Data Collection (PII)

The GDPR’s American cousin, the California Consumer Privacy Act (CCPA) has inspired proposed state legislation that supports greater protections for a specific category of data—personally identifiable information. While PII is broadly defined, Google interprets it as including email address, full name, precise location, phone number, and mailing address.

The safest websites to use won’t collect your PII at all, but offering a mailing address to a virtual clinic is a matter of necessity here. In this context, it’s helpful to distinguish between companies that use your personal information to provide essential services and those that share this information with third parties. Austria-based nonprofit Aid Access fared the best in this category, encouraging users to access the service with virtual anonymity in its policy. Wisp fared particularly poorly here, citing its ability to send specific geolocation data to advertisers.

The majority of providers we analyzed categorize email addresses and the like as “personal information,” which is only protected by HIPAA if it’s stored alongside medical information. This makes it difficult to judge whether it’s being used appropriately.

_**Low Risk:** PII is not recorded, **Some Risk**: PII is used for intended service, **High Risk:** PII is used by third parties_

Law Enforcement

According to bioethics expert Sharona Hoffman, there’s a common misconception that HIPPA protects your medical information from being shared outside of your doctor’s office. The reality, she says, is that “HIPAA isn’t that protective. Consumers need to know that HIPAA has exceptions for law enforcement and public health.”

While the law provides safeguards for a particular subset of information (personal health information), it doesn’t cover all of the information you provide to a telehealth service. Even if it did apply, the rule _allows_ (but does not _require_) health care providers to expose PHI when presented with a search warrant or other legal document. While providers could technically refuse these requests, most don’t. “It’s easier to comply rather than involve your medical office in litigation,” says Gilman.

Aid Access is a notable exception and has a track record of standing up to law enforcement (it even sued the US Food and Drug Administration last year.) When examining privacy policies, UT’s Privacy Lab recommends looking at companies’ willingness to hand over any data in the absence of a warrant or other legal document. Neither Carafem, Wisp, Hey Jane, nor Choix specify that they would require a warrant before sending information to government agencies or other legal entities.

_**Low Risk:** PII is not recorded, **Some Risk:** Legal documents are required to comply with law enforcement, **High Risk:** Legal documents are not required to comply with law enforcement_

Data Control (Deletion)

Sites that offer users more control over their data can deliver better privacy than those that don’t. While low-risk sites will allow you to delete and edit your information freely, some medical information that users provide to virtual clinics will still be out of reach. This is due to state-specific medical record retention laws, which can require health care entities to retain some records for up to 25 years.

Examining how much control companies give users over other information is a better proxy for understanding their general safety. While most of the providers we analyzed included data deletion protocols in their privacy policies, Choix and Hey Jane’s do not. In addition, the latter confirms that it retains data for an unspecified (“reasonable”) period of time.

While Wisp does offer a deletion protocol, it admits that requests can be refused for a variety of reasons, including “exercising free speech” and “internal and lawful uses” on behalf of itself or its affiliates. In addition to responding to requests, privacy-forward organizations will also proactively delete sensitive information, something Carafem does. However, Carafem does not specify a timeline or provide a general deletion request protocol. By contrast, Aid Access allows users to file deletion requests at will for most information.

_**Low Risk:** Users can edit or delete data, **Some Risk:** Users can edit data, **High Risk:** Users cannot edit or delete data_

Third-Party Sharing (Ads and Marketing)

Research scientist and privacy expert Razieh Nokhbeh Zaeem calls personally identifiable information the “currency of the internet” because of the myriad ways individualized data is collected, bought, and sold across industries. While almost all websites work with third parties in some way, telehealth companies should not sell or share your information with advertisers—but many do, as evidenced by Betterhelp’s recent settlement with the Federal Trade Commission.

If a company is collecting sensitive information and using it to market products and services to you, that presents some risk. If a company shares this information with _other_ companies to support _their_ marketing efforts, it’s a major red flag. As the Markup rightly points out in its privacy policy guide, mentions of “personalization” and “improving services” in these documents usually equate to ad tracking.

According to its privacy policy, Hey Jane uses personal data (and PII) to market its own services (“inform you about products”), while Carafem, Wisp, and Choix reserve the right to pass along information to third-party marketing partners. Choix’s policy claims that it “will never sell your data for third-party marketing purpose\[s\]” in one section but reserves the right to disclose data to its affiliates for “marketing” purposes in another.

Rather than limiting or removing the third-party trackers installed on their sites, some providers recommend that users generally opt out of cookie-based advertising within their policies, a strategy that is far from foolproof.

_**Low Risk:** PII is not used for marketing or advertising, **Some Risk:** PII is used for marketing/advertising, **High Risk:** PII shared with third parties for marketing/advertising_

The Bottom Line

In a post-_Roe_ America, virtual abortion clinics provide an essential service, especially for people living in states that criminalize care. Early indicators have shown that they increase access to safe and effective abortion medications, but they don’t offer as much privacy as users are led to believe. With the exception of Aid Access, all of the providers we analyzed have a long way to go when it comes to protecting users’ privacy and earning their trust.

To manage risk when approaching these services (and accessing other information about abortion in hostile states), educators at the Digital Defense Fund recommend reducing your footprint by using privacy-forward search engines like DuckDuckGo, creating temporary email accounts for abortion care, and turning off location tracking on all of your devices.

While engaging in defensive tactics like these are practically useful, legal scholars like Gilman suggest that the reproductive justice movement will advance only when federal and state governments no longer rely on an outdated “notice and consent” paradigm for data privacy. “We need _meaningful_ consent in the reproductive health space,” says Gilman. “Privacy policies today are more like adhesion contracts—suggesting that users ‘take it or leave it.’ It’s not realistic or fair to tell people they can’t engage with technology if they want to protect their privacy.”

Gilman recommends advocating at the state level for better privacy standards, especially if your representatives are considering new legislation. She also encourages people to demand increased protections from private companies, many of which are more flush with the “currency of the internet” than they would have us believe.

The Most Popular Digital Abortion Clinics, Ranked by Data Privacy

By Owais Sultan
Estonia’s Tallinn, renowned for its medieval aesthetic, is not typically the first name one considers when reflecting upon…
This is a post from HackRead.com Read the original post: Payoro: A Glimmer of Disruption in the Banking Sector

Estonia’s Tallinn, renowned for its medieval aesthetic, is not typically the first name one considers when reflecting upon global financial hubs. However, it would be a grave oversight to disregard the burgeoning fintech scene germinating in its cobbled lanes. The city, already celebrated as the cradle of Skype, now embraces its next tech contender: Payoro.

Since its inception in 2020, Payoro has sought to redefine the conventional banking landscape with its Banking-as-a-Service (BaaS) model. The startup’s proposition is eloquently simple: deliver hassle-free IBAN account openings to private individuals in the EU/EEA.

However, its implications in a market bogged down by red tape are profound. By ensuring that the traditionally painstaking account opening process, after mandatory KYC and AML checks, becomes straightforward, Payoro heralds a new era of consumer-centric banking in Europe.

BaaS (not Backend-as-a-Service in this case), although a contemporary buzzword, is not to be dismissed as a mere fad. Citing industry metrics, the shift from conventional banking methods to a BaaS model is gaining momentum at an impressive rate. A recent report from McKinsey anticipates the global BaaS market to burgeon, estimating its worth at $3.6 trillion by 2025. Driving this ascent is the millennial and Gen Z demand for instantaneous, digital, and efficient financial services. With an increasing demographic disillusioned with traditional banking lag, BaaS is a timely remedy.

**BaaS – Competitors Galore**

This lucrative backdrop presents an ample playing field for Payoro, but the competition is fierce. Giants like SolarisBank, Starling Bank, and ClearBank have already carved significant niches in the BaaS sphere. Their advantage lies in their early market entry, vast resources, and established customer trust.

However, Payoro’s distinction stems from its keen insight into the EU/EEA regulatory (PDF) landscape and demographics. The company’s strategic localization of its services, combined with a broader European vision, positions it as a formidable contender in the regional BaaS ecosystem.

Estonia’s choice of Payoro’s birthplace is hardly incidental. This nation has astutely crafted a reputation as a fertile ground for digital innovation. Through initiatives like the e-residency program and an overarching commitment to digitalization, Estonia offers startups the requisite infrastructure and governmental backing, making it an ideal launchpad for fintech endeavours like Payoro.

Yet, as is the narrative with most startups attempting to disrupt established norms, challenges are inevitable. Payoro, while pioneering, must be wary of the pitfalls that come with innovation in a sensitive sector like finance. Constant innovation remains the mandate. In an industry that’s continually evolving, Payoro’s success will be contingent on its ability to stay ahead, offer value, and diversify its services.

**The Case for Trust**

The more pressing concern, however, is trust. In an age where data breaches make headlines and consumers grow increasingly wary of digital solutions, establishing and maintaining trust becomes paramount. Financial data, being among the most sensitive, demands rigorous cybersecurity measures. Moreover, Payoro’s transparent adherence to the stringent EU/EEA regulations becomes not just a legal necessity but also a cornerstone of its brand promise.

For keen market watchers, Payoro offers a captivating case study. As traditional banking edifices grapple with the winds of digital change, BaaS providers like Payoro seem primed to capitalize on the emerging gaps. Their model, which seeks to divorce banking services from their traditional confines and present them on user-friendly digital platforms, is emblematic of the democratization of finance.

In conclusion, Payoro is not merely Estonia’s latest fintech entrant; it’s a testament to where the global banking pulse is trending. For an industry that often finds itself at the crossroads of tradition and innovation, BaaS providers like Payoro illuminate the path forward. And as this Baltic prodigy embarks on its ambitious journey, the financial sector waits with bated breath, anticipating the ripples it’s poised to create in the vast ocean of global finance.

Payoro: A Glimmer of Disruption in the Banking Sector

Critters versions 0.0.17-0.0.19 have an issue when parsing the HTML, which leads to a potential cross-site scripting (XSS) bug. We recommend upgrading to version 0.0.20 of the extension. 

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Package**

npm critters (npm)

**Affected versions**

0.0.17-0.0.19

**Description**

**Impact**

Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential cross-site scripting (XSS) bug.

**Patches**

The bug has been fixed in v0.0.20.

**Workarounds**

Upgrading Critters version to >0.0.20 is the easiest fix. This is a non breaking version upgrade so we recommend all users to use v0.0.20.

CVE-2023-3481: Critical CSS inlining XSS Vulnerability Advisory

From a user’s perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you’re seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving

From a user's perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you're seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. In one of the highest-profile examples, Pawn Storm's attacks against the Democratic National Convention and others leveraged OAuth to target victims through social engineering.

Security and IT teams would be wise to establish a practice of reviewing new and existing OAuth grants programmatically to catch risky activity or overly-permissive scopes. And, there are new solutions for **SaaS security** cropping up that can make this process easier.

Let's take a look at some best practices for prioritizing and investigating your organization's grants.

**When should you investigate an OAuth grant?**

Organizations approach OAuth grant reviews in a few different ways. Some opt to review new OAuth grants in real-time, initiating a review any time a user signs up for a new application or connects an integration. An even better practice would be to tailor your Google or Microsoft settings to require administrative approval for any new grant _before_ employees can start using it, giving your team time to investigate and catch anything suspicious.

While reviewing new OAuth grants can help you detect issues early on, oversight shouldn't end once an OAuth grant is in place. It's important to maintain OAuth security hygiene by reviewing grants on an ongoing basis to detect high-risk activity or drastic changes. Monthly or quarterly, security and IT teams should audit existing OAuth grants, check for changes, and prune the grants that haven't been used.

**Tailor your investigations by assessing OAuth scopes.**

OAuth authentication works by assigning access tokens to third-party applications that can act as a proxy for a user's consent, and the scope of permissions granted can range broadly. You can prioritize your OAuth investigations by considering the scope of access each grant provides.

Because different scopes carry different levels of risk to your organization, you can vary the standards of your investigations based on the permissions granted. Focus more attention on grants with scopes that are more likely to give access to critical information, such as personally identifiable information (PII) or intellectual property, or grants that can make changes to an application.

And, you may want to look into tools that can assemble an inventory of all OAuth grants for you, along with scopes and **OAuth risk scores** to make this process easier.

**Evaluate OAuth vendors and their reputations.**

Assess whether or not the vendor responsible for issuing the OAuth grant is trustworthy. For example, you can review the vendor's security page, look at their security certifications, and make sure their security program follows best practices.

Certain reputational signals can help you understand the level of trust other organizations have placed in the grant. For example, Microsoft and Google both have systems for verifying the identity of app publishers, which can give you more confidence in the grant. However, attackers have managed to exploit verified publisher statuses in recent attacks, so practitioners should consider them a helpful signal rather than a definitive assessment of an app's trustworthiness.

The popularity of a particular application, and of a particular grant, can provide yet another trust indicator. If the grant isn't new to your organization, you can consider its popularity within your own workforce by taking a look at how many of your own employees are using it and with what frequency. You can even extend this to the popularity or number of installs outside of your organization in the case that the OAuth application is present in the Google marketplace.

**Check the OAuth grant's domains.**

Before you can rely on a brand's reputation, you need to make sure that the grants listed actually belong to the vendor you're trying to verify. Checking a grant's domains can help you determine whether a vendor actually backs that particular OAuth grant, or if the grant was created by someone trying to piggyback off of a legitimate brand's reputation.

For example, if the grant's reply URL is calendly3.com, you should make sure it's actually a Calendly domain and not a malicious copycat. You should investigate whether the name of the grant matches the URL, and whether the domain has been approved by Google.

**Investigate the publisher email.**

You can gain additional insight into a grant's legitimacy by looking into the publisher email, which is the email address used to register the client ID used by the OAuth token.

Sometimes, an OAuth grant publisher will use a personal email address from a freemail provider like Gmail, which may indicate some risk. If that's the case, you can look into the reputation of that email to understand the likelihood that it may have been used for malicious intent. For example, make sure there are no compromised credentials floating around that could enable a bad actor to take over the email account. Microsoft recently warned of threat actors exploiting stolen Exchange Online accounts to spread spam using malicious OAuth applications. The actors gained initial access to the stolen accounts using credential stuffing attacks, which means compromised credentials would have been an early indicator of risk.

**Evaluate how the vendor is accessing your environment.**

Keeping an eye on how a vendor accesses your environment can help you flag sudden changes and identify suspicious activity. For example, let's say you allow an OAuth grant to access your organization's email. For three months, they access it by calling Google Workspace APIs from Amazon AWS. Suddenly, you get a high-risk API call from a completely different infrastructure (TOR exit node, proxy network, VPS, etc). Perhaps the vendor has been compromised, or maybe the application's credentials have been stolen. If you're monitoring activity related to how these vendors are accessing your environment, this type of change can indicate a potential problem.

Your organization's ability to monitor this activity may depend on the level of service you pay for. For example, Google requires a special license to access an activity stream that reveals what APIs are called within your environment, as well as when and how they're accessed. If you don't pay for the activity stream and an incident occurs, you may be blind.

Microsoft, on the other hand, recently changed their stance on log access by opting to make cloud logs available to all users rather than only premium license holders. The change followed pressure from CISA and others after government email accounts at multiple agencies were hacked, which would not have been discoverable without premium logging available to at least one of the affected parties.

**Monitor the security posture of your OAuth vendors.**

As part of your ongoing monitoring, keep an eye out for high-profile supply chain attacks that may have affected your OAuth vendors. If a provider in your vendor's supply chain experiences a data breach, could it compromise your own security posture?

Similarly, consider the effect of major vulnerabilities on the vendors you rely on. When a widely exploited vulnerability like the ones found in Apache Log4j becomes public, assess whether any of the vendors with OAuth access to your environment might be affected. Similarly, you should pay attention to vulnerabilities within OAuth grants themselves, like the Microsoft "nOAuth" misconfiguration that can enable bad actors to take over affected accounts. If you believe your vendors may be affected, you may choose to take an action like revoking those grants until you know that the vulnerability has been resolved.

**Investigate and revoke high-risk OAuth grants with Nudge Security.**

Nudge Security is a SaaS management platform for modern IT governance and security. It provides complete visibility of every SaaS and cloud asset ever created by anyone in your org, including OAuth grants. The platform provides an inventory of every app-to-app OAuth grant ever created in your org, along with OAuth risk insights like grant type, age, number of scopes, who granted access, and an overall OAuth risk score. With this visibility, users can easily conduct OAuth reviews, assess risk, and even revoke OAuth grants with just two clicks. **Try it for free**.

**Note:** _This article was expertly written and contributed by Jaime Blasco, CTO and co-founder of Nudge Security._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8.

CVE-2023-4453

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

Expand Up @@ -69,12 +69,17 @@ public function createClientAction(Request $request, EntityManagerInterface $ent /\*\* \* Remove a client. \* \* @Route("/developer/client/delete/{id}", requirements={"id" = "\\d+"}, name="developer\_delete\_client") \* @Route("/developer/client/delete/{id}", requirements={"id" = "\\d+"}, name="developer\_delete\_client", methods={"POST"}) \* \* @return RedirectResponse \*/ public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) {  
if (!$this\->isCsrfTokenValid('delete-client', $request\->request\->get('token'))) { throw $this\->createAccessDeniedException('Bad CSRF token.'); }  
if (null === $this\->getUser() || $client\->getUser()->getId() !== $this\->getUser()->getId()) { throw $this\->createAccessDeniedException('You can not access this client.'); } Expand Down

Tag

#git