Potential new technique - delegated access #26

Open
jukelennings opened this issue Aug 8, 2023 · 0 comments
@jukelennings
Contributor

While reviewing Expensify for a couple example additions to techniques, I noticed this co-pilot functionality. This is essentially a form of delegating access to other users of the application so they can impersonate you. The "full access" option is almost equivalent to a full login.

Expensify offers "secondary logins", which function for a "ghost logins" attack, but this example feels a little different. Perhaps we need a new technique in the matrix for covering situations where you can delegate control of your account to another account as a separate attack, as it has other implications.

@jukelennings jukelennings self-assigned this Aug 8, 2023