一招制胜：在工作流自动化、虚拟语音助手、物联网和LLM服务集成平台中实现普遍的账户接管.pdf

《一招制胜：在工作流自动化、虚拟语音助手、物联网和LLM服务集成平台中实现普遍的账户接管.pdf》由会员分享，可在线阅读，更多相关《一招制胜：在工作流自动化、虚拟语音助手、物联网和LLM服务集成平台中实现普遍的账户接管.pdf（48页珍藏版）》请在三个皮匠报告上搜索。

1、#BHUSA BlackHatEventsOne Hack to Rule Them All:Pervasive Account Takeovers inIntegration Platforms for WorkflowAutomation,Virtual Voice Assistant,IoT,&LLM ServicesKaixuan Luo1,Xianbo Wang1Adonis Fung2,Julien Lecomte2,Wing Cheong Lau11 The Chinese University of Hong Kong,2 Samsung Research America#BH

2、USA BlackHatEvents2About usXianbo WangPhD CandidatesanebowKaixuan Luo*PhD CandidateWing Cheong LauProfessorAdonis FungDirector of Engineering,SecuritySamsung Research AmericaJulien LecomteHead of So9ware Engineering&OperaonsSamsung Research America*Part of the work done while interning at Samsung#BH

3、USA BlackHatEvents3Agenda1.Executive Summary2.Protocol Analysis:Challenges,Flaws,Attacks&Defenses3.Impact Analysis:Testing&securing 20+integration platforms4.Case Study:One concrete example of attack5.Key Takeaways#BHUSA BlackHatEventsExecutive Summary4#BHUSA BlackHatEventsVirtual Voice AssistantsIo

4、T Platforms/Smart HomesWorkflow Automation PlatformsLLM Platforms with PluginsMicrosoftPower Automate5What is an Integration Platform?#BHUSA BlackHatEventsIntegrated AppsIntegration Platform Integration Platform Connects and Aggregates functionalities of diverse apps/services Account Linking Links t

5、he end-users App accounts to Integration platform account OAuth is the de facto standard protocol to achieve Account Linking6What is an Integration Platform?Control app(s)on behalf of UserAlexa,Turn offmy lights andGet me a Lyft to SFO.PlatformAccountAppAccountAccount Linking#BHUSA BlackHatEvents7Mi

6、crosoftPower AutomateAnyone can publish an appOpen Marketplace Design#BHUSA BlackHatEvents8When Account Linking goes WrongUser controls their ownapps,services or devicesLGTM!Privacy Leakage#BHUSA BlackHatEvents9Account TakeoversForced Account LinkingPrivacy LeakageWhen Account Linking goes WrongLGTM