Expensify example for ghost logins
jukelennings opened this issue
While exploring this, it's clear there are a bunch of other applicable techniques for Expensify, so I'm just going to hijack this issue to keep track of a bunch of them:
- Ghost logins
- Passwordless logins
- Account ambushing
- Username enumeration
There are a couple more I'm still trying to validate but will add once I've figured it out.
Tagging the following on to this now too:
- SAML enumeration
SAMLjacking I am leaving off due to the requirement for domain validation and the inability to invite external users. Technically, it's possible to SAMLjack, and I have confirmed and tested it, but it's not much use when you can only do it with email addresses for a domain you have admin control over.
Retrospectively removing account ambushing as it seems none of the persistence methods actually work fully end-to-end in an account ambushing scenario:
- Co-pilot features do not appear until a validated email is present
- Secondary logins become primary automatically when validating, which then causes a problem when the target user tries to log in (it alerts them of the second email and requests validation by that)
- Unvalidated secondary logins remain secondary but then require action by the target user once they have logged in