Jan Wildeboer 😷

"Login with Google" can be abused if you buy a domain name that formerly had accounts, e.g. from a failed startup.

"At the time of writing, there is no fix."

(Ignore the clickbait exaggerations about "millions" of at-risk accounts etc. Some will claim this is expected behaviour, but Google decided after a bit of back and forth to treat it as something that should be fixed, and paid a bounty.)

trufflesecurity.com/blog/milli

Link preview, trufflesecurity.com: "Millions of Accounts Vulnerable due to Google’s OAuth Flaw" (Truffle Security Co.). Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.

@jwildeboer Same for buying old domains where the email has been used to register an account without SSO, and can still be used to reset the password. What’s new?
Aside from the fact that lots of services do not allow your SSO provider to be changed.

@jwildeboer I have nearly all of my "login with..." accounts converted into native service logins again, since it's a hell if you decide to give up an account that is used for dozens of OAuth logins. A well-working password manager gives you the same comfort as "login with bigbrother" logins, but lets you stay independent. The cases reported here confirm my recommendation to give up these kinds of logins.

@StefanMuenz
@jwildeboer
Stefan, I appreciate your suggestion to return to "native service logins".

My trust in the competence, maybe integrity, of Apple, Google, MS is weak.

Are you trusting the biometric system on your devices to allow on-device saved passwords to be used in logins?

BTW, I add two-factor authentication for legal/transactional sites.

@jCarttarBrooke On my mobile device, I use fingerprints to unlock things. But I think I'll never use face recognition, because that simply means that the camera is spying all the time, waiting for me to look at it. And yes, for any really important site two-factor is a good idea.
@jwildeboer

@jwildeboer

Just as a neglected email address should never expire, the same applies to domain names.

DNS is flawed design.

I don't care for zone transfers and the master/slave hierarchy, but it is an improvement over the hosts file :)

I run all masters with PostgreSQL streaming to sync updates in seconds. Back in olden times when I used master/slave with zone transfers it was just nuts. Overcomplicated and slow, and much more network congestion.

I don't know what they were thinking with BIND 10; it was like mad scientist mode.

@jwildeboer I think those "login with" providers share an issue: if you can get a domain at the provider, you can create accounts; it does mean you need to get temporary control of the DNS.

e.g. register example.com at Google, adjust example.com's DNS to say you own it, then be able to log in on websites that rely on that authenticator.

There was an article about this method a few months ago.
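Both the original post (accounts re-created on a lapsed startup domain) and the last reply (a domain registered at the provider after a DNS change) produce the same signature at the site being logged into: a familiar email address arriving in an ID token under a Google `sub` value that has never been seen before. The example below is added here and is not code from the thread, from Google, or from the Truffle Security post; it shows how a relying party can key its accounts on the ID token's `sub` claim (documented by Google as unique and never reused) rather than on the email address, and refuse to attach a known address to the old account when it appears under a new `sub`. The claims dictionaries, `sub` values and `RelyingParty` class are constructed for the example, and the code assumes the token's signature, audience and expiry were already verified upstream.

```python
from dataclasses import dataclass
from typing import Optional

# Issuer values Google uses in ID tokens.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


@dataclass
class Account:
    account_id: int
    sub: str    # Google's stable, never-reused account identifier: the join key
    email: str  # kept for display and contact only, never used to find an account


@dataclass
class LinkResult:
    account: Optional[Account]
    created: bool
    alert: Optional[str]


class RelyingParty:
    """Hypothetical account store for a site offering 'Sign in with Google'."""

    def __init__(self) -> None:
        self._by_sub: dict[str, Account] = {}
        self._by_email: dict[str, Account] = {}
        self._next_id = 1

    def login(self, claims: dict) -> LinkResult:
        # `claims` is the payload of an ID token whose signature, audience and
        # expiry have already been checked; this method only handles linking.
        if claims.get("iss") not in GOOGLE_ISSUERS:
            return LinkResult(None, False, "rejected: unexpected issuer")
        if claims.get("email_verified") is not True:
            return LinkResult(None, False, "rejected: email not verified by issuer")
        sub = claims["sub"]
        email = claims["email"].lower()

        known = self._by_sub.get(sub)
        if known is not None:
            # Same Google account as before. An address change is legitimate;
            # just keep the email index current.
            if known.email != email:
                self._by_email.pop(known.email, None)
                known.email = email
                self._by_email[email] = known
            return LinkResult(known, False, None)

        # Unknown sub. A known address under a new sub is exactly what a
        # re-registered domain looks like: do not hand over the old account.
        prior = self._by_email.get(email)
        if prior is not None:
            return LinkResult(
                None, False,
                f"alert: {email} was bound to sub {prior.sub}, now presented by "
                f"sub {sub}; not linked",
            )

        acct = Account(self._next_id, sub, email)
        self._next_id += 1
        self._by_sub[sub] = acct
        self._by_email[email] = acct
        return LinkResult(acct, True, None)


def scenario() -> list[LinkResult]:
    """Constructed walk-through: a user signs up while example-startup.com is
    alive, signs in again, then the same address shows up under a new Google
    account after the domain changed hands. Returns the three link results."""
    rp = RelyingParty()
    original = {
        "iss": "https://accounts.google.com",
        "sub": "100000000000000000001",          # constructed value
        "email": "alice@example-startup.com",
        "hd": "example-startup.com",
        "email_verified": True,
    }
    # Same email and hd, different Google account: new sub.
    re_registered = dict(original, sub="200000000000000000002")  # constructed
    return [rp.login(original), rp.login(original), rp.login(re_registered)]


if __name__ == "__main__":
    for result in scenario():
        print(result)
```

An email-keyed lookup would have returned the original account on the third login; keying on `sub` turns that into an alert instead. Whether the alerted login is then allowed to create a fresh, empty account or is held for review is a policy choice for the site.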