Last Week in Security (LWiS) - 2022-11-14

ROADtools Token eXchange (@_dirkjan), Certified pre-owned followup (@harmj0y + @tifkin_), AAD Privileged Access (@0xcsandker), FindEmptySystem (@christruncer), TelemetrySource (@jsecurity101), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-07 to 2022-11-14.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
  • Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week), this post resonated with me.
  • GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.