Questions tagged [third-party]

A third party is a person or group involved in a communication other than the principal parties (first and second). In cryptology, a hostile third party is often referred to as Eve (for "eavesdropper").

A third party is a person or group involved in a communication other than the principal participants (first and second parties). In cryptology, Eve the eavesdropper is a hostile third party trying to listen.

75 questions
115
votes
24 answers

How could I make the results of a yes/no vote inaccessible unless it's unanimous in the affirmative, without a trusted third party?

A family of N people (where N >= 3) are members of a cult. A suggestion is floated anonymously among them to leave the cult. If, in fact, every single person secretly harbors the desire to leave, it would be best if the family knew about that so…
TheHans255
91
votes
5 answers

How does Facebook track your browsing without third party cookies?

Facebook has served me an ad for a website I visited earlier in the day. I have third party cookies disabled and have not followed any links between the website and Facebook (links which could contain a tracking ID connecting my Facebook account to…
Jesse
80
votes
4 answers

Can an identity provider impersonate me? (Can Facebook post Stack Overflow questions under my name?)

There are multiple mechanisms (some now defunct) that allow me to access service A (the Relying Party / RP) using a token granted by service B (the Identity Provider / IdP). Typically these replace a username-and-password login. Examples of IdP…
lofidevops
41
votes
2 answers

Can advertisements read cookies of the website it is on?

I know many ads can store third-party cookies, but what about reading cookies? If so, what stops them from reading the session id to perform session hijacking?
user3500869
33
votes
1 answer

How to deal with third parties in physical pentests?

From my previous question, I've seen that a "Permission to Attack" slip is crucial in ANY Penetration Test. However, that question and its answers and comments have only discussed interactions between the Pentesters and the client's party (their…
ChocolateOverflow
32
votes
3 answers

How does one defend against software supply chain attacks?

In reference to the SolarWinds attack, since many organisations have no access to the source code of the software vendors from whom they just consume the services, how can organisations defend against supply chain attacks?
Nathan Aw
20
votes
4 answers

What to do about "approved" direct banking MITM sites like sofort.com?

Brussels Airlines allows several payment types, only two of which are free: Maestro and Sofort Banking: The second option was new to me, but direct debit is usually a free and practical way to pay: The request is forwarded to the bank web site, I…
l0b0
19
votes
5 answers

CSP allowing all Google domains?

I'm trying to develop a CSP for the site https://www.lidl-tour.ro. Right now there is a policy that runs in report-only mode, so nothing is blocked at the moment. The site contacts googleads.g.doubleclick.net and stats.g.doubleclick.net. So I have…
HorstKevin
17
votes
2 answers

How to decide "I'll trust this software" for closed-source or precompiled software?

I am interested in watching an upcoming webinar that will discuss Puppet on AWS. In order to participate one needs to install a software application. Naturally, I won't do that as I can find enough information about the subject with a few simple…
dotancohen
9
votes
2 answers

Security reviews of third-party code

I am not familiar with all the steps involved in a full-fledged information security review of an in-house developed application, so I am wondering whether or not the following scenario is commonplace. A web application is created, and runs on top…
mg1075
8
votes
1 answer

Western Union prompts for bank login information — ridiculously bad practice?

I was trying to initiate a Western Union transaction from my bank account, but toward the end of the process I was prompted by this request, which is to type in my bank's login information. The request evidently comes through PayWithMyBank, which I…
adam.baker
8
votes
2 answers

eBay sniping services - are passwords stored in plaintext?

For the uninitiated, eBay sniping services are third-party organisations that people can use to bid on an eBay auction at the last second; obviously this requires the user to provide their eBay account details so the service can log in to their…
6
votes
3 answers

Should I delete locally synced data if the user can't log in?

I'm building a Mac app that syncs the user's documents down from a third-party cloud service. When you set it up, it will sync all your documents down to the local hard disc, at which point you can access it in Finder. For the purpose of this…
5
votes
2 answers

Facebook iOS SDK Authentication

The Facebook iOS SDK only needs your bundle & app IDs of your iOS app to match those of your Facebook app. If I find out an app's app ID, can't I just create another iOS app with that app's bundle ID? Sure, I may not be able to distribute my app on…
ma11hew28
5
votes
1 answer

Keeping login in sync with third party providers

When you use a third party for authentication (e.g. the Google/Facebook JavaScript SDK), their SDK keeps track of the login status. If I have my own server, which requires an access token of its own (which is issued after validating the third party…
Cameron