Beware, dear friends, the cautionary tale of the cloud provider that broke its own security model. Ignoring RFCs! Putting plaintext passwords in scripts - and printing them in books! It's a crazy story, but one that may nonetheless resonate with enterprise security practitioners everywhere.
In early 2021, I identified a client impersonation vulnerability in a series of Google "first-party" applications. This vulnerability allows an attacker to present themselves both to a user and to Google as one of these applications, and enjoy all the privileges therein....
By: Brian Smith-Sweeney
Full Abstract and Presentation Materials: www.blackhat.com/us-23/briefi...