Beware, dear friends, the cautionary tale of the cloud provider that broke its own security model. Ignoring RFCs! Putting plaintext passwords in scripts and printing them in books! It's a crazy story, but one that may nonetheless resonate with enterprise security practitioners everywhere.
In early 2021, I identified a client impersonation vulnerability in a series of Google "firstparty" applications. This vulnerability allows an attacker to present themselves both to a user and to Google as one of these applications, and enjoy all the privileges therein....
By: Brian SmithSweeney
Full Abstract and Presentation Materials: https://www.blackhat.com/us23/briefi...