What is Permission Phishing?

Ankush Johar
1 min read · Aug 26, 2020

‘Permission Phishing’ or ‘Consent Phishing’: When hackers phish without stealing credentials, but with permissions instead.


‘Permission phishing’ is aimed at stealing permissions, not passwords. The apps seeking permission appear harmless, but once permissions are granted, they can wreak havoc and give access to hoards of sensitive data.

In simple words, a hacker leads you to an app that asks you to grant permissions. Once permissions are granted, all underlying data and your authorisation are available to the hacker instantly, and they remain available for as long as the hacker holds the token or permission.

Microsoft described this technique in a blog post; it exploits the widely used authorization technology OAuth 2.0.
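Because the attacker holds a granted permission rather than a password, the place to look is the list of OAuth consent grants. The following is an added example, not part of the original post: it flags grants that combine sensitive scopes with `offline_access` or an unverified publisher. The record field names are hypothetical, the sample grants are constructed, and the scope list is an illustrative selection of Microsoft Graph delegated scopes.

```python
# Added example: triage OAuth consent grants for signs of consent phishing.
# Record layout and field names are hypothetical; sample data is constructed.

# Delegated Microsoft Graph scopes that expose mail, files or contacts.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
}
# offline_access requests a refresh token, so access continues without the user.
PERSISTENCE_SCOPE = "offline_access"


def assess_grant(grant):
    """Return a list of reasons this grant deserves review (empty if none)."""
    scopes = set(grant["scopes"].split())  # OAuth 2.0 scopes are space-delimited
    reasons = []
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if sensitive:
        reasons.append("sensitive data scopes: " + ", ".join(sensitive))
    if sensitive and PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access: refresh token allows long-lived access")
    if sensitive and not grant["publisher_verified"]:
        reasons.append("publisher is not verified")
    return reasons


def flag_risky_grants(grants):
    """Map (app_name, user) -> reasons for every grant that needs review."""
    flagged = {}
    for g in grants:
        reasons = assess_grant(g)
        if reasons:
            flagged[(g["app_name"], g["user"])] = reasons
    return flagged


# Constructed sample grants, as an admin might export them for review.
SAMPLE_GRANTS = [
    {"app_name": "Team Calendar", "user": "alice@example.com",
     "publisher_verified": True, "scopes": "openid profile Calendars.Read"},
    {"app_name": "Doc Viewer Pro", "user": "bob@example.com",
     "publisher_verified": False,
     "scopes": "openid Mail.Read Files.ReadWrite.All offline_access"},
]

if __name__ == "__main__":
    for key, reasons in flag_risky_grants(SAMPLE_GRANTS).items():
        print(key, reasons)
```

A flagged grant is removed by revoking the app's consent; the password was never what the attacker held.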

Want to learn more about Consent Phishing or Permission Phishing? Head on over to the great folks at HumanFirewall.io for a free security training or a free phishing simulation for your employees.
