Tootfinder

What's the go-to for non-Microsoft non-Google email hosting these days?
Requirements:
* Supports proper RFC compliant SMTP/IMAP TLS access. No oauth, no EWS, no exchange nonsense. Needs to be usable on e.g. a headless box without a web browser, command line clients, etc.
* Reasonably priced for a handful of accounts across a bunch of domains
* Setup and forget third party hosting, I don't have an IP block suitable for mail hosting in house and I don't want …

»OAuth-Token erbeutet – Hacker greifen massig Daten aus Salesforce-Instanzen ab:
Cyberkriminelle haben es erneut auf Salesforce-Kunden abgesehen. Wer die Salesloft-Drift-Integration verwendet, sollte dringend handeln.«
Schon länger geht das Gerücht um, dass OAuth des öfteren schwach implementiert ist von den IT-Konzernen, wie schon bei OAuth v1 das als unsicher gilt.
🔒

OAuth-Token erbeutet: Hacker greifen massig Daten aus Salesforce-Instanzen ab - Golem.de
Cyberkriminelle haben es erneut auf Salesforce-Kunden abgesehen. Wer die Salesloft-Drift-Integration verwendet, sollte dringend handeln.

Salesloft says hackers stole OAuth tokens from its Drift chat agent integration to conduct a Salesforce data theft campaign between August 8 and August 18 (Lawrence Abrams/BleepingComputer)
https://www.bleepingcomputer.com/news/secu

Palo Alto confirms Salesloft Drift Integration was used to compromise Salesforce instances
https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/

Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances
This Threat Brief discusses observations on a campaign leveraging Salesloft Drift integration to exfiltrate data via compromised OAuth credentials.

The WriteFreely instance at Infosec.press is cool. It ties back to their infosec.exchange mastodon instance. Thinking about how finding a blog space has been a barrier to some of my protects in the past (noblogs is great but is harder to get an account), I wonder what the prospects are for something like that at @…. Is this something that's on the radar?
@… had a handy writeup on this for their server: https://infosec.press/jerry/how-to-user-mastodons-built-on-oauth-provider-as-the-authentication-provider

So someone just got access to a bunch of Salesforce accounts by getting their access tokens.
Salesforce is the company that claims that already 20% of their code is written by "AI", isn't it?
https://cloud.google.com/blog…

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog
UNC6395 stole data from Salesforce instances by exploiting compromised OAuth tokens from the Salesloft Drift app.

OpenID Connect for Agents (OIDC-A) 1.0: A Standard Extension for LLM-Based Agent Identity and Authorization
Subramanya Nagabhushanaradhya
https://arxiv.org/abs/2509.25974 https:…

OpenID Connect for Agents (OIDC-A) 1.0: A Standard Extension for LLM-Based Agent Identity and Authorization
OpenID Connect for Agents (OIDC-A) 1.0 is an extension to OpenID Connect Core 1.0 that provides a comprehensive framework for representing, authenticating, and authorizing LLM-based agents within the OAuth 2.0 ecosystem. As autonomous AI agents become increasingly prevalent in digital systems, there is a critical need for standardized protocols to establish agent identity, verify agent attestation, represent delegation chains, and enable fine-grained authorization based on agent attributes. Thi…

Are you worried your #dotnet #security could be more secure? Join us for a #livestream on August 21st, 2025, to discuss FAPI 2.0, its relation to

ShinyHunters claims it stole 1.5B Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens; a source says the figures are accurate (Lawrence Abrams/BleepingComputer)
https://www.bleepingcomputer.com/news/secu

Agentic JWT: A Secure Delegation Protocol for Autonomous AI Agents
Abhishek Goswami
https://arxiv.org/abs/2509.13597 https://arxiv.org/pdf/2509.13597

Agentic JWT: A Secure Delegation Protocol for Autonomous AI Agents
Autonomous LLM agents can issue thousands of API calls per hour without human oversight. OAuth 2.0 assumes deterministic clients, but in agentic settings stochastic reasoning, prompt injection, or multi-agent orchestration can silently expand privileges. We introduce Agentic JWT (A-JWT), a dual-faceted intent token that binds each agent's action to verifiable user intent and, optionally, to a specific workflow step. A-JWT carries an agent's identity as a one-way checksum hash derived from its…

»Evolution of Privacy Pass«
Does anyone of you know this and did this use this practically? Is this really a modern user login "alternative" solution to OAuth 2.0? How is your experience as a WebDev or/and user with it?
🔑 https://www.youtube.com/watch?v=n5yr-3WjSCM
📄

Cross-Service Token: Finding Attacks in 5G Core Networks
Anqi Chen, Riccardo Preatoni, Alessandro Brighente, Mauro Conti, Cristina Nita-Rotaru
https://arxiv.org/abs/2509.08992 h…

Cross-Service Token: Finding Attacks in 5G Core Networks
5G marks a major departure from previous cellular architectures, by transitioning from a monolithic design of the core network to a Service-Based Architecture (SBA) where services are modularized as Network Functions (NFs) which communicate with each other via standard-defined HTTP-based APIs called Service-Based Interfaces (SBIs). These NFs are deployed in private and public cloud infrastructure, and an access control framework based on OAuth restricts how they communicate with each other and …