Closed jukelennings closed 1 year ago
Tagging the following on to this now too:
SAMLjacking I am leaving off due to the requirement for domain validation and inability to invite external users. Technically, it's possible to SAMLjack and I have confirmed and tested but it's not much use when you can only do it with email addresses for a domain you have admin control over.
Retrospectively removing account ambushing as it seems none of the persistence methods actually work fully end-to-end in an account ambushing scenario:
While exploring this, it's clear there are a bunch of other applicable techniques for Expensify, so I'm just going to hijack this issue to keep track of a bunch of them:
There are a couple more I'm still trying to validate but will add once I've figured it out.