Jack Recider
Let me geek out on this for a second because I want to try to break your brain. Okay. So let's consider Zapier and how it can be used maliciously. Zapier is a tool that lets you automate things. So like if I get a new invoice in my email, I can automatically upload that invoice to Dropbox so that the accounting team can see it. Okay. Zapier can do that for you.
But in order for that to work, it's got to have the ability to see your inbox and have the ability to view and upload things to your Dropbox. So to set it up, you need to give it permissions to do that.
Well, now, if a hacker gets into your Dropbox like these kids were doing, and they wanted to maintain their access like these kids wanted, and they could see that you hooked up Zapier to do automation. So now they can create their own fresh Zapier account that they control and connect it to your Dropbox. And this could give them visibility into your Dropbox from Zapier.
And you wouldn't even know they're there because to you, all you see is that Zapier has permission to view your files, but you set that up when you were setting up your invoice automation thing. And this is what I mean by a ghost login. Someone who's in your account who doesn't even need your username or password to stay in.
Change the password all you want, they're still going to stay connected to your stuff. Another way to create a ghost login is to create a secondary login. Some sites allow you to log in through like Google or Microsoft or Facebook or even SSO. And suppose that's how you set up your account, by logging in using your Facebook account.
Now, if a hacker has your password like these kids did and gets in through that, some sites might have the option to connect another login. Like if you used Facebook to log in, the site might let you also connect your Google account too. And so, yeah, a hacker could just create a brand new Google account and connect it to your account and start using that to get into your account from then on.
So even if you change all your passwords, that access would persist. So if you really want to change your passwords, you really need to go through all of the websites that you have to see all of the connected services and alternate logins and everything. It's a mess. It's a mess.
And of course, another way is if the site has a way to generate an API key, you can do that and then access stuff from there. There's so many options to create ghost logins to maintain access to an account, even if the user changes their password. So this is what I mean. If 50 people all have access to someone's driver's license in Dropbox, then perhaps nobody is looking closely at permissions.
And if that's the case, there's a high potential of being able to create a ghost login that stays working for years. And I must say, this is a new territory for security teams to navigate.
You hear about this in like general terms, like least user privilege and this sort of stuff, but you don't have people who are like experts in Zapier account security who will audit what apps you have given permission to regularly. This is a big challenge to keep up with. So with all this data, like terabytes and terabytes from some of the biggest stars in this dubstep world,