Hello, welcome to the Friday, June 2nd, 2017 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich. Entertainment recording from Jacksonville, Florida.

Quick morning from Xavier. Xaviévié discovered some webcast invite links, which apparently do include personal data about the user, the link was sent to

us part of the URL.

The idea here is that if you click on the link, then this information can be pre-filled into

the form that you're using to sign up for the webcast, but if you are, for example, forwarding

this link to a friend or even verse posted on social media,

you're also delivering your personal information, which may include things like phone number,

email address, name and address.

Of course, the problem that you're running into here is that you need to authenticate the user somehow before you are displaying personal information.

Even if they would have just included a record locator in the URL, the data would still be pulled out of their database.

And it may have actually been worse if they would have for example

included sequential ID instead of just the actual data. So well, no good work around here. Make

your users either log in or make them fill in the form again. So the usual rule of thumb that I'm teaching when I'm teaching

web application security is if you're never asked for a user in a password, something is probably

wrong with the site. And cloud-based identity and access management company, one login apparently

suffered a substantial breach that put all of their customer information

at risk.

This is of course particular critical given the role that one login plays in companies' infrastructure.

Essentially what you're doing if you're signing up with One Login is that all of your identity

management is done by One Login in the cloud.

They also call it Identity as a Service.

Now the advantage of this, of course, is that you do not have to run your own identity management

...