
One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services.pdf

Uploaded 2025-11-29; 48 pages; 17.77 MB

Slide 1 (title): #BHUSA BlackHatEvents. One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services. Kaixuan Luo [1], Xianbo Wang [1], Adonis Fung [2], Julien Lecomte [2], Wing Cheong Lau [1]. [1] The Chinese University of Hong Kong; [2] Samsung Research America.

Slide 2: About us. Xianbo Wang, PhD Candidate (sanebow); Kaixuan Luo*, PhD Candidate; Wing Cheong Lau, Professor; Adonis Fung, Director of Engineering, Security, Samsung Research America; Julien Lecomte, Head of Software Engineering & Operations, Samsung Research America. *Part of the work done while interning at Samsung.

Slide 3: Agenda. 1. Executive Summary. 2. Protocol Analysis: Challenges, Flaws, Attacks & Defenses. 3. Impact Analysis: Testing & securing 20+ integration platforms. 4. Case Study: One concrete example of attack. 5. Key Takeaways.

Slide 4: Executive Summary (section divider).

Slide 5: What is an Integration Platform? Examples shown: Virtual Voice Assistants; IoT Platforms / Smart Homes; Workflow Automation Platforms (Microsoft Power Automate); LLM Platforms with Plugins.

Slide 6: What is an Integration Platform? An Integration Platform connects and aggregates the functionalities of diverse apps/services (the Integrated Apps). Account Linking links the end user's App accounts to their Integration Platform account, and OAuth is the de facto standard protocol for achieving it. The platform then controls app(s) on behalf of the user, e.g. "Alexa, turn off my lights and get me a Lyft to SFO." (Diagram: Platform Account, Account Linking, App Account.)

Slide 7: Microsoft Power Automate: Open Marketplace Design; anyone can publish an app.

Slide 8: When Account Linking goes Wrong. Intended outcome: the user controls their own apps, services or devices (LGTM!). Failure mode shown: Privacy Leakage.

Slide 9: When Account Linking goes Wrong. Failure modes: Account Takeovers; Forced Account Linking; Privacy Leakage. LGTM

Key points of the full document, summarized from its content:
1. **Integration-platform vulnerabilities**: integration platforms (e.g. Microsoft Power Automate) have serious design flaws that expose their users to account takeover.
2. **Attack types**: Cross-App OAuth Account Takeover (COAT) and Cross-App OAuth Request Forgery (CORF).
3. **Scope of impact**: more than 20 integration platforms were tested; 24 were found vulnerable, and 19 of those could be attacked with a single click on a crafted link.
4. **Example attack**: by chaining OAuth session fixation with a COAT flaw, an attacker can take over an account in one click and, for example, read the victim's Outlook email.
5. **Blast radius**: every app and service integrated with an affected platform is exposed until the platform itself is fixed.
6. **Remediation status**: the vulnerabilities were reported to 24 platforms; 16 have confirmed them and have patched or are in the process of patching.
7. **Recommendation**: an industry standard is needed to protect the whole ecosystem against this class of attack.
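The "Forced Account Linking" failure mode named on slide 9 and the OAuth session-fixation step in point 4 above, as an added Python illustration that is not code from the talk, from Microsoft Power Automate or from any other platform. It models only the generic defect and defense: a linking callback that accepts an authorization code plus a `state` value that the current platform session never issued, beside the fix that binds `state` to the session that started the flow. The platform and app classes, the `attacker`/`victim` session names, the `app.example` URL and the account identifiers are all constructed for the example; the specific COAT and CORF flaws the talk analyzes are not reproduced here.

```python
# Added illustration (not from the talk): OAuth account linking in which the
# platform's callback trusts a code+state pair it did not mint for the current
# session (OAuth session fixation -> forced account linking), beside the
# state-bound fix. Every name, URL and identifier below is constructed.
import hmac
import secrets
from typing import Dict


class App:
    """Stand-in for the integrated app's authorization server (hypothetical)."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}  # authorization code -> app account

    def authorize(self, app_account: str) -> str:
        # The app user consents and receives a one-time authorization code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = app_account
        return code

    def exchange(self, code: str) -> str:
        # Token exchange reduced to a lookup: code -> app account identity.
        return self.codes.pop(code)


class Platform:
    """Stand-in for the integration platform's account-linking endpoint (hypothetical)."""

    def __init__(self, bind_state: bool) -> None:
        self.bind_state = bind_state
        self.pending: Dict[str, str] = {}  # state -> platform session that started linking
        self.linked: Dict[str, str] = {}   # platform account -> linked app account

    def start_linking(self, session_user: str) -> str:
        # Mint the state the browser is redirected with to https://app.example/oauth/authorize
        state = secrets.token_urlsafe(16)
        if self.bind_state:
            self.pending[state] = session_user  # remember who started this flow
        return state

    def callback(self, session_user: str, code: str, state: str, app: App) -> bool:
        # Vulnerable behaviour (bind_state=False): nothing ties the incoming
        # state/code to the session now hitting the callback, so whichever app
        # account the code resolves to is linked into the current platform account.
        if self.bind_state:
            initiator = self.pending.pop(state, None)  # single use
            if initiator is None or not hmac.compare_digest(initiator, session_user):
                return False  # unknown state, or state minted for another session
        self.linked[session_user] = app.exchange(code)
        return True


def run_forced_linking(bind_state: bool) -> dict:
    """Attacker starts a linking flow in their own platform session, authorizes
    their own app account, then gets the victim's logged-in browser to open the
    callback URL carrying the attacker's code and state."""
    app, platform = App(), Platform(bind_state)
    state = platform.start_linking("attacker")        # minted for the attacker's session
    code = app.authorize("attacker@app.example")      # attacker consents at the app
    accepted = platform.callback("victim", code, state, app)  # victim clicks the link
    return {"accepted": accepted, "victim_linked_to": platform.linked.get("victim")}


def run_legit_linking(bind_state: bool) -> dict:
    """Control case: the same session starts and completes the flow."""
    app, platform = App(), Platform(bind_state)
    state = platform.start_linking("victim")
    code = app.authorize("victim@app.example")
    accepted = platform.callback("victim", code, state, app)
    return {"accepted": accepted, "victim_linked_to": platform.linked.get("victim")}


if __name__ == "__main__":
    print("unbound state:", run_forced_linking(bind_state=False))
    print("bound state  :", run_forced_linking(bind_state=True))
    print("legit, bound :", run_legit_linking(bind_state=True))
```

With `bind_state=False` the victim's platform account ends up linked to `attacker@app.example`, which is the forced-linking outcome; with `bind_state=True` the callback rejects the request before any code is exchanged, while a flow started and finished in the same session still succeeds. In a real service the `state` value must be unguessable, single use, bound to the authenticated platform session (or an equivalent signed cookie) and checked before the code is redeemed, as the fixed branch does here.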