Tux Machines
Posted by Roy Schestowitz on Aug 11, 2023
> “As the risk of cyberattacks [sic] and data breaches escalates, it’s imperative for the government to rethink its approach. Strengthening the rules and mechanisms that reinforce data protection must be prioritized, creating an environment where citizens’ data remains shielded from harm.”
> The first thing one would do in order to turn OneDrive into a double agent, then, would be to hijack someone's account – a task Yair said was relatively easy once he managed to achieve an initial compromise of a Windows machine.
> OneDrive, it turns out, stores all of its log files in a directory for the signed-in user. Those logs, in turn, contain session tokens that Yair said he was able to pull out of the log file once he snagged a copy and parsed it. With the stolen token, Yair was able to get to work.
> Armed with a compromised or obtained guest account and a Power Apps trial license (available free to anyone who wants one from the Power Apps website), all an attacker needs to do is log in to Power Apps and switch directories to the target tenant they're a guest user on, and voila: they can see a list of all the Power Apps connections their account has access to, and can even create applications inside the tenant. With enough work, the attacker can potentially make off with gobs of internal data.
-- Page fetched on Thu Jun 13 07:02:52 2024