When OAuth Gets Hacked, Job Posts Play Dead, and the FBI Does Your Tech Support
Job ghosts, malware hosts, and WordPress roasts - it's been quite a week...

Well, hello!
It's January 21st, and on this day in 2000, a little domain called Twitter.com entered the digital world (though back then, it was probably just hoping to be a cool place for bird watchers). Six years later, Jack Dorsey and friends would later turn that $7,500 domain purchase into a social media empire worth billions. Fast forward to Elon Musk's $44 billion acquisition and subsequent speed run to see how quickly one can rename a beloved brand to a single letter.
While we're at it, let's dive into this week's tech news…which has more plot twists (and fortunately, less Oedipean than Back to the Future Part II).
Google's OAuth Flaw: The Digital Skeleton Key Nobody Asked For
Remember when getting locked out of your work account was annoying? Well, now it's about to get worse. Truffle Security just revealed that Google's "Sign in with Google" system has a flaw affecting millions of defunct startup accounts.
Turns out, anyone can buy an expired company domain and potentially access old employees' accounts across various platforms — from Slack to HR systems containing social security numbers.
What's the damage? Over 100,000 domains from failed startups are up for grabs. Google's response was basically "working as intended," but after paying out a cheeky $1337 bounty (yes, that's "LEET" in hacker speak), they're now saying they have strong protections in place with their "sub field" identifier.
Google claims the real issue is with third-party apps not following their best practices, essentially pulling the classic "it's not a bug, it's a feature" defense while updating their developer documentation to make their guidance "more prominent." It's like when your code suddenly starts working the moment you ask a colleague to look at it.
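To make the "sub field" point concrete, here is an added example (not code from Google or Truffle Security) of the relying-party side: a login handler that keys accounts on the stable `sub` claim from a Google ID token rather than on the e-mail address. The user store, client ID, claim values and the whole "lapsed domain, same address, new Google account" scenario are constructed for the demo; JWT signature verification is assumed to have happened before the claims reach this code.

```python
"""Account lookup for "Sign in with Google" keyed on the stable `sub` claim.

Added example, not Google's or Truffle Security's code. It models the failure
the newsletter describes: a service that looks users up by e-mail hands an old
employee's account to whoever re-registers the domain and recreates the
mailbox; a service keyed on `sub` does not, because the new Google account
has a new `sub`.
"""
import time
from dataclasses import dataclass, field
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass
class User:
    sub: str             # Google's stable per-account identifier: the lookup key
    email: str           # informational only; can be reassigned to a new person
    hd: Optional[str]    # hosted (Workspace) domain, if any


@dataclass
class UserStore:
    by_sub: dict = field(default_factory=dict)

    def add(self, user: User) -> None:
        self.by_sub[user.sub] = user

    def find_by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.by_sub.values()
                     if u.email.lower() == email.lower()), None)


def validate_id_token_claims(claims: dict, client_id: str, now: Optional[float] = None) -> None:
    """Minimal checks on already signature-verified ID-token claims."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub claim")
    if not claims.get("email_verified", False):
        raise ValueError("e-mail address not verified by Google")


def resolve_login(store: UserStore, claims: dict, client_id: str,
                  now: Optional[float] = None) -> tuple:
    """Return (outcome, user); outcome is "login", "new_user" or "rejected"."""
    validate_id_token_claims(claims, client_id, now)
    sub, email, hd = claims["sub"], claims["email"], claims.get("hd")

    user = store.by_sub.get(sub)
    if user is not None:
        return "login", user          # same Google account as before

    if store.find_by_email(email) is not None:
        # Same address, different Google account: exactly what a re-registered
        # domain produces. Never auto-link on e-mail; require an out-of-band
        # proof (existing session, admin approval) before merging accounts.
        return "rejected", None

    user = User(sub=sub, email=email, hd=hd)
    store.add(user)
    return "new_user", user


# Constructed demo data (client ID, subs, domain and timestamps are made up).
CLIENT_ID = "example-relying-party"
NOW = 1_700_000_000


def demo() -> list:
    store = UserStore()
    store.add(User(sub="100000000000000000001",
                   email="alice@oldstartup.example", hd="oldstartup.example"))
    base = {"iss": "https://accounts.google.com", "aud": CLIENT_ID, "exp": NOW + 300,
            "email": "alice@oldstartup.example", "email_verified": True,
            "hd": "oldstartup.example"}
    original = {**base, "sub": "100000000000000000001"}   # Alice, as before
    squatter = {**base, "sub": "100000000000000000999"}   # new owner of the lapsed domain
    return [resolve_login(store, original, CLIENT_ID, NOW)[0],
            resolve_login(store, squatter, CLIENT_ID, NOW)[0]]


if __name__ == "__main__":
    print(demo())
```

An e-mail-keyed version of `resolve_login` would return "login" for both tokens; this one logs Alice in and refuses the look-alike, which is the whole of Google's "follow the best practice" argument in code.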
Your Car Insurance App Thinks You're Living Fast and Furious
It turns out, you're not in good hands… Allstate and its mobile analytics subsidiary Arity are in hot water for allegedly turning your phone into a snitch. They've been paying app developers to install tracking software that monitors driving behavior — without user consent.
You know what's crazy? The apps can't even tell if you're driving or riding a roller coaster, which led to one poor soul getting dinged for "poor cornering" while riding The Beast at Kings Island Amusement Park.
Let's just hope that Allstate doesn't replace customer service agents with HAL 9000, or any of those infuriating AI voice bots. Can you imagine? "I'm sorry Dave, I'm afraid I can't lower your insurance rates after that wild teacup ride at Disney."
AWS's Newest Feature: Accidentally Making Hackers' Lives Easier
A hacker group called Codefinger (c'mon, let's at least try to be creative...) found a way to use AWS's own encryption features against its users. They're accessing exposed storage buckets and using AWS server-side encryption to lock companies out of their own files. It's like that scene in Jurassic Park: "Ah ah ah, you didn't say the magic word" – except the magic word is your crypto wallet address.
Amazon's response came out with all the greatest hits of tech support classics: blame the user, reference the documentation, and remind everyone about "best practices" – a term that roughly translates to "Good luck, you're on your own!". It's giving the same energy as a parent running after their kid, saying "be careful" after they've already fallen off their bike.
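For readers who want something more actionable than "best practices", here is an added example (not AWS's or any vendor's code) of the two defensive moves that matter for the Codefinger technique: a bucket policy that denies writes using customer-provided keys, and a detector that flags such writes in CloudTrail. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is a documented AWS condition key; the bucket name, account ID, IP address and CloudTrail events are constructed and follow the general shape of S3 data events, so check field names against what your own trail emits.

```python
"""Defensive side of the Codefinger S3 story: refuse SSE-C writes, and spot them in logs.

Added example, not AWS or vendor code. SSE-C (server-side encryption with a
customer-provided key) means S3 encrypts with a key the caller supplies and
never stores; if an attacker supplies the key, nobody else can read the data.
"""
import json
from typing import Any

SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
SSEC_REQUEST_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def ssec_deny_policy(bucket: str) -> dict:
    """Bucket policy that denies any PutObject carrying SSE-C headers.

    A Null condition set to "false" matches when the key IS present, so this
    statement only fires for callers supplying their own encryption key.
    Bucket name is a parameter; the sample below uses a constructed one.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedEncryptionKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
        }],
    }


def flag_ssec_writes(events: list) -> list:
    """Return one summary per S3 write event that used a customer-provided key.

    Checks both the request header and CloudTrail's additionalEventData
    SSEApplied field; either one is enough to flag the event.
    """
    flagged = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in {"PutObject", "CopyObject"}:
            continue
        params: dict[str, Any] = ev.get("requestParameters") or {}
        applied = (ev.get("additionalEventData") or {}).get("SSEApplied")
        if applied == "SSE_C" or SSEC_REQUEST_HEADER in params:
            flagged.append({
                "time": ev.get("eventTime", ""),
                "bucket": params.get("bucketName", ""),
                "key": params.get("key", ""),
                "principal": (ev.get("userIdentity") or {}).get("arn", ""),
                "source_ip": ev.get("sourceIPAddress", ""),
            })
    return flagged


# Constructed CloudTrail-style events: one SSE-C write, one normal KMS write, one read.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-14T03:12:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-14.sql.gz",
                           SSEC_REQUEST_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-14T03:13:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup-writer"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-14.log",
                           "x-amz-server-side-encryption": "aws:kms"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-14T03:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup-writer"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-13.sql.gz"}},
]


if __name__ == "__main__":
    print(json.dumps(ssec_deny_policy("acme-backups"), indent=2))
    for hit in flag_ssec_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
```

The policy is the preventive control (apply it to every bucket that has no legitimate SSE-C users); the detector is the compensating one, since a deny on the bucket does nothing for objects an attacker has already rewritten, and it also shows which principal's credentials were used, which is where the "exposed bucket" part of the story actually starts.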
BONUS BYTE: DOOM Finds a New Home in PDFs
We remember when the most exciting thing about PDFs was trying to figure out which version of Adobe Reader wouldn't crash your computer. Well, Github user ading2210 (who's just a high schooler!!!) just decided to make document signing a lot more interesting by getting DOOM to run inside a PDF file.
The monochrome version runs at a whopping 12 FPS, which is technically more frames than the first moving pictures. It's not quite "But can it run Crysis?" territory, but it's still a feat that's both impressive and slightly concerning from a security perspective.
Speaking of security implications (because there are always security implications), this creative hack highlights the complexity of the PDF format — something that's both a feature and a potential vulnerability. So, if your document format is Turing-complete enough to run DOOM, it's probably Turing-complete enough to run other things you might not want it to…
But seriously how cool…first it was TI-calculators (remember them?), then pregnancy tests, and now PDFs?! What's next… a microwave? a potato?!
⚙️ Tool Time
We recommend CyberArk.
If you're an IT professional who handles sensitive data (yes, you!) - here's your wake-up call. If you're managing privileged accounts, admin credentials, or anything that could make a hacker's wish list, you need this in your tech stack.
Think of it as the Eye of Sauron for your security team — except it's watching over your privileged accounts instead of hobbits. It's an identity security platform that stands as your last line of defense between malicious actors and the keys to your digital kingdom.
For the "but what does it actually do?" crowd: CyberArk combines military-grade access management with automatic credential rotation and Just-in-Time access controls. Translation? Even if someone steals an admin's password, they can't just walk in and raid the digital vault. It's like having a bouncer who remembers every face, checks every ID, and never gets tired of saying "you're not on the list."
The platform's ability to handle everything from cloud environments to DevOps tools makes it the Inspector Gadget of identity security — if he also had retinal scanners and blockchain verification. It's like having Mr. Robot's entire security toolkit, minus the existential crises and questionable hoodie choices.
Oh, and our popular and trusted EE member Rodney (we call him "The Virtualization Whisperer") swears by it for its scaling capabilities and comprehensive features.
👨‍💻 Job Opportunities
For those who think "privacy by design" isn't just a buzzword, and GDPR compliance makes for light bedtime reading. You'll need to channel your inner Neo from The Matrix to navigate complex privacy frameworks while maintaining the customer service demeanor of Ted Lasso.
Help customers innovate while keeping their best ideas from walking out the door (metaphorically, of course). Think Tony Stark meets customer service (but not the Seinfeld Soup Nazi kind) — you'll be building proofs of concept faster than you can say "Jarvis, deploy!"
Dream in Azure and speak fluent TCP/IP? This might be your next challenge. You'll be maintaining hybrid environments like you're playing Tetris at Level 157, while handling server migrations with the quick ease of this kid solving a Rubik's Cube blindfolded.
🛩 Industry Moves
FBI Goes on a Windows PC Cleaning Spree
The FBI just remote-wiped PlugX malware from 4,200+ Windows PCs, and with a warrant this time…They're calling it "spring cleaning in January."
The malware, courtesy of China's Mustang Panda group, was spreading via USB drives like it's 2008. (Throwback to "the worst breach of U.S. military computers in history") It could bypass air gaps through USB infection, making it particularly dangerous for secure facilities. The FBI's unprecedented clean-up operation shows just how serious the threat was — when the Feds start playing IT support, you know it's not your average virus.
The Ghost Job Market Is Booming
Our canned response whenever someone asks, "hey, how's that job hunting going?"
Recruiting software firm Greenhouse released a study revealing that 20% of online job postings are either fake or never filled. Like that scene in Inception where the buildings keep folding in on themselves, these job postings exist in a reality that was never meant to be real. Companies are apparently posting these "ghost jobs" to appear as if they're growing or to gather market intelligence — basically, corporate catfishing at its finest.
The real issue here is that while employers are embracing their "You Can't See Me" John Cena era, this ghosting trend is artificially inflating job market statistics and making job searches unnecessarily longer and more frustrating.
The One Where WordPress Tells Contributors to Fork Off
WordPress's Co-Founder Matt Mullenweg just deactivated five contributors' accounts to "encourage them to fork the project." Yes, he really went all "Look at me, I'm the captain now," and you bet the community went all "Blinking White Guy" GIF on repeat at first. When asked about the sustainability team, he responded with "Today I learned that we have a sustainability team" before dissolving it entirely. Oof. Mullenweg really out here, choosing this guy as his manager alter-ego.
This isn't just another case of tech bro drama — WordPress powers about 43% of all websites. With key contributors being pushed out and community trust eroding, along with pineapple-pizza loyalty tests and WP Engine's server access showdown, we might be watching the beginning of a significant shift in the web development world. It's like Game of Thrones, but with more semicolons and fewer dragons.
💽 Data Upload
… and that's all for this week's ByteSize! Stay curious, stay patched, and maybe check if your car insurance app thinks you're secretly a Formula 1 driver. Until next week, keep your OAuth tokens close and your USB ports closer.
Enjoyed the news? Discuss over on Experts Exchange.
Got news to share or topics you'd like us to cover? Send 'em our way. We can't wait to hear from you. Really.
And hey… psst… are you interested in sponsoring our newsletter and reaching a passionate, engaged community of IT professionals across the globe? Reach out here.