Thursday February 6, 2025 5:00pm - 5:50pm MST
Security experts continually tout the benefits of single sign-on systems, especially for cloud. In device code authentication, cloud providers use a relying party that exchanges a nonce with a backend service via a local listening callback on the user's machine. That nonce is then exchanged for an OAuth token, which is in turn exchanged for temporary cloud provider credentials.

This elegant multi-step dance has many advantages, including the elimination of long-lived credentials on disk. In this session we'll dive deep on the different ways device code authentication can be exploited and the changes that cloud providers are making to mitigate phishing that targets this type of authentication flow.

As a bonus, you'll also get a peek at how a new concept, trusted identity propagation, helps companies build chains of trust to custom applications that leverage these flows. Attendees can expect to leave understanding whether device code, PKCE, and SSO are worth moving to the top of the priority list. Red teamers will gain critical insight into how to exploit this in phishing campaigns.


Speakers
Andrew Krug

Andrew Krug is a Security Geek specializing in Cloud and Identity and Access Management. Andrew brings 15 years of experience at the intersection of security, education, and systems administration. As a fierce advocate for Open Source and founder of the ThreatResponse tool suite, Andrew...
Track 2 - Penrose Lower Level I