Can you verify Cloud App vendors ?

Evaluating cloud app vendors

After discovering that users could authorize 3rd parties to access enterprise data by just 3 clicks, we started to look at who people had actually given access to.
One such 3rd party was Boomerang aka Baydinc. I remember I have seen the name before. I do not know the company, but we have a few happy users of their product.
This blog article is about how to judge if a plugin should be allowed or not, or if it is even possible to make this judgement.

This article uses Boomerang for Outlook as an example, and looking with paranoid glasses, it would be a clear no. But that would be based on stereotypes, prejudice etc. The unbiased conclusion is, that it is impossible to evaluate.

Outloook Add-In Store

In the store, it only gets a 3 start review. This might be a warning indicator.

 Next, looking at what permission it needs, Microsoft clearly writes it can access and modify personal information in THE active message.
Installing it, and pressing "Open Boomerang", and I need to authenticate the app before it works. So it needs more access. It wants access to read/write all my mail. So Microsoft and Boomerang do not agree on what permissions are needed.


Starting research

Visiting the boomerang for outlook webpage: https://www.boomerangoutlook.com/ it is difficyult to find any contact information for the company. You have to find it in the term and conditions, or the privacy policy.
Looking up at Google streetview, we can see the address is the Hong Kong Bistro, so likely a small office upstairs ?  This just proves that anybody can create a company these days, and sell large scaleable web services in the cloud. It is difficult to judge a company's physical presence from their web presence.



 The company refers to their Angels invest profile. The have raised $400k+, but back in 2011. Are they self-sustainable ? Have they changed business focus ? Do they sell information they have access to ? Nobody knows.

The company seems to be run by Asian looking citizens. And since China is usually listed everywhere as the country that spies and collects info everywhere, this is one more paranoia check mark.


So, is the company legit an making money ? If not, what will they do with the access then the company runs into financial troubles ?
Are they delivering your data to the Chinese government ? Someone else ?

There are lots of unanswered questions here, and my attempt to see if this app is legit or not just makes me more paranoid.

I am almost sure I have used Boomerang at some point in the past, but I have also checked that I have not granted consent to any of my private mail accounts (Microsoft AND google) for Boomerang. I am fairly sure they at least used to be legit.

Searching for Aye Moah, there seems to be enough articles and video, including one from StartUp Grind 2019, that she must be a living version, and again this helps indicate everything is legit.

But is there any way to be sure ? Or is this just the risk of doing business in a web world ?

From an enterprise perspective, it would be difficult to justify new users for this app if we are going to protect e-mail as company data. The big question is if we should remove its access for existing users.

Comments

Post a Comment

Popular posts from this blog

Microsoft AzureAD and Office365 - Not secure by default

Image
Microsoft AzureAD and Office365 - Not secure by default Or 3 clicks and you are dead Cloud Identity is a great thing these days. You can sign up to lots of services using your social identity from Facebook, Google, or from Microsoft. You do not have to invent new passwords (or reuse passwords used elsewhere), and you get easy Single Sign On. This has more advantages than drawbacks for by far the majority of users. The purpose of this article is to create awareness of some of the dangers. Microsoft AzureAD - The special case Your Microsoft company identity is just another cloud identity for most services, and in many ways it is better than some of the others. You get secure multi-factor logon, you might even get passwordless logon. Conditional Access to protect your Sign in attempts even more, maybe blocking countries like China, Russia and Brazil, or doing it risk based. It all depends an how the enterprise has configured things. It is trivial to create your own web server,
Read more

Microsoft has been aware of the AAD/O365 vulnerability for almost 2 years.

A friend found this link, clearly showing Microsoft has been aware of the risk of users giving consent to illicit applications since at least January 2018. https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/ They have not done much to prevent this, but has worked to create more post-mortem tools. One of the links in the article points to an article by a former cyber criminal, which has a youtub video showing PoC of a real-time crypto-locker working on the users mailbox. Scary stuff. https://youtu.be/VX59Gf-Twwo What has changed What makes this even worse today is, that the Microsoft Sample code Wizard makes it very easy to create the phishing website. The wizard generates passwords, and creates source code with your own AppID and password inserted. So now we are down where this is possible with a minimum of coding skills. We also have the fact, that 2 years ago, knowledge of free Let's Encrypt certificate was not so widesprea
Read more