While reviewing Expensify for a couple example additions to techniques, I noticed this co-pilot functionality. This is essentially a form of delegating access to other users of the application so they can impersonate you. The "full access" option is almost equivalent to a full login.
Expensify offers "secondary logins", which function for a "ghost logins" attack, but this example feels a little different. Perhaps we need a new technique in the matrix for covering situations where you can delegate control of your account to another account as a separate attack, as it has other implications.