notes/remove_securex_tg_login_button.org

Yann Esposito (Yogsototh) 2022-02-01 10:29:08 +01:00
parent 1afc9dd8f3
commit 975ff20fb8
Signed by untrusted user who does not match committer: yogsototh
GPG key ID: 7B19A4C650D59646

@ -16,14 +16,18 @@ Using this solution we could link the accounts using the email address.
If Threatgrid ensure that every login has a verified email, SecureX could
remove a flag, and the Threatgrid user could login into SecureX in the TG
created org by using the same email.
The only change in SecureX will be to change a configuration flag.
The only change to be done in SecureX will be to change a configuration flag.
*Why?*
If TG does not verify the emails and we enable the flag, it would be
possible for a TG user to trick another user with another email into their
own SecureX account.
If TG does not verify the emails it makes possible for a TG user to trick another
user with another email into their own SecureX account.
Example:
1. User1 in Threatgrid, change its email address in TG to `chuck@cisco.com`
2. User1 create a new SecureX account (SecureX save `chuck@cisco.com` for his email)
1. User1 in Threatgrid, change its email address in TG to =chuck@cisco.com=
2. User1 create a new SecureX account (SecureX save =chuck@cisco.com= for his email)
3. The real Chuck login via SXSO, and is automatically logged in into the
User1 account.
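Review bot: In the *Why?* paragraph, the two-line wording ("If TG does not verify the emails it makes possible for a TG user to trick ...") drops the "and we enable the flag" condition that the three-line wording carries. The lines above it say the configuration flag is what lets a Threatgrid user log into SecureX by matching email, so the risk in the example only exists once that flag is changed, and the note should keep saying so. Suggest keeping "If TG does not verify the emails and we enable the flag, it would be possible for a TG user to ..." (this also fixes the grammar of "it makes possible"), and adding a line after step 3 that restates the precondition for changing the flag: Threatgrid ensures every login has a verified email.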