Olivier Dony


@odony

Defending against Dark Arts at @Odoo ;-) Tweets rarely, mostly about science, Odoo, software engineering, data protection and security. @[email protected]

Belgium · Joined July 2009
424 Following · 3K Followers
مانو بلی (میاؤں)@maanosherni·
@Odoo people are using your software for scamming or you helping them for online bank scams?? Here is the screenshot where they are capturing bank info by setting up fake bank login page.
Olivier Dony@odony·
According to the authors, any domain hosted on O365 could be successfully spoofed using another O365 domain and a forwarding rule. GMail hosted domains could also be spoofed if they hosted a M-L, for example. Most impacted providers have apparently fixed the vulnerabilities ✨
Olivier Dony@odony·
Interesting preprint: E. Liu et al., "Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy"¹ A survey of email authentication and forwarding quirks of major mail providers, and how this could be used for spoofing __ ¹ arxiv.org/abs/2302.07287
Olivier Dony@odony·
@ggellatly yes, it's a human-driven process, and you know humans😇 TBH for the 16.0 subscription overhaul we've tried a version w/ automatic renewal & invoicing. But we had to backtrack that, it was creating too much overhead in refunds for the renewals who were never paid (for any reason)
Olivier Dony@odony·
@ggellatly Oops, turns out it was expired for 2+ months w/ renewal overdue, and got auto-closed when we turned on the feature🤦 Sorry about that, improvement is in progress: force closing notif, as both sides were surprised here: github.com/odoo/enterpris… Is everything sorted out now for you?
Olivier Dony@odony·
Detecting increasing numbers of credential stuffing attacks via botnets on our website. Even with our mitigations, the success rate is non-zero. 0.04% again this morning for a campaign targeting AU users. You can set up 2FA as a portal user too. And unique passwords 🙏
Olivier Dony retweeted
Filippo Valsorda @filippo.abyssdomain.expert
If you've run Debirdify/Fedifinder a while ago, you might also want to rerun it ASAP to catch any new handles before they're gone.
Olivier Dony@odony·
Have you tried #AdventOfCyber2022 ? You can discover or brush up cybersecurity 101 skills, like log analysis, brute force, OSINT, etc. Entry-level topics, can play directly on the VM from your browser. It's fun and only needs a few mins a day. Go help 🎅! tryhackme.com/christmas
Olivier Dony@odony·
@iamamoose - rough idea of possible impact to common software like nginx, apache, and mitigation strategies - any discussed time frame with OS vendors for releasing patched version (e.g. debian backports in 3.0.2, ...)
Olivier Dony@odony·
Getting reports of malware distributed via fake emails about "software update" for Odoo, linking to zipped .exe files👻 We try to have them taken down asap, but you know better than that anyway :-) Odoo updates are always available through official channels (repos / packages)
Olivier Dony retweeted
Google Europe@googleeurope·
Help your child learn how to explore the digital world confidently with the @Google Interland game.
Olivier Dony@odony·
@bouvyd @gurneyalex @fpodoo Yes, script kiddies playing with the default passwords. Not the first time, too. Would be sad if we have to stop giving open access to runbot 🤨
Alexandre Fayolle@gurneyalex·
Hello @fpodoo @odony I don't know if this is a security exploit or just someone using the well known passwords manually but odoo runbots sign in pages are redirecting to online gambling sites and the like.
لیوانائ@Mozdigar·
@odony hi Olivier, could you connect us to someone to help us secure our Odoo AWS servers? A previous developer hijacked everything and is blackmailing us. We got AMI images and snapshots but can’t stop his access.
Olivier Dony@odony·
@sswapnesh @Odoo Exercise for the reader: what's the probability of winning this lottery (getting a `/` in your token), assuming we're using a random non-urlsafe-base64-encoded 256-bit token? 😉
Swapnesh Shah@sswapnesh·
Hey @Odoo Something is not correct here. Getting Traceback on sending Instruction via Email. cc @odony
Olivier Dony@odony·
@sswapnesh @Odoo Fun one!🤓Turns out the route uses a non-urlsafe-b64-encoded token, and thus fails to match if you're unlucky enough to get a b64 token with a '/' in it. The fix will be deployed soon, it's been like this for... 3 years🙈
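Added example, not part of the original posts and not Odoo's code: it works through the token exercise above and shows why a one-segment route rejects a standard-base64 token. The `/reset/<token>` route pattern and all names are hypothetical; the only assumptions taken from the posts are a 256-bit random token and non-urlsafe base64.

```python
import base64
import os
import re

TOKEN_BYTES = 32  # 256-bit token, as stated in the exercise

# Hypothetical route: the token must fit in ONE path segment, so it cannot hold '/'.
ROUTE = re.compile(r"^/reset/(?P<token>[^/]+)$")


def slash_probability(n_bytes=TOKEN_BYTES):
    """Chance that standard base64 of n random bytes contains '/'."""
    full_chars = (n_bytes * 8) // 6
    # Each full char is uniform over 64 symbols. A trailing partial char
    # (2 or 4 leftover bits) is zero-padded, so its index is even and never 63 ('/').
    return 1 - (63 / 64) ** full_chars


def route_matches(token):
    """True when the hypothetical route would accept a URL carrying this token."""
    return ROUTE.match("/reset/" + token) is not None


def observed_failure_rate(samples=20000):
    """Share of random standard-base64 tokens that the route rejects."""
    bad = sum(
        not route_matches(base64.b64encode(os.urandom(TOKEN_BYTES)).decode())
        for _ in range(samples)
    )
    return bad / samples


# Constructed worst case: all-0xff bytes encode to a run of '/' in standard base64.
RAW = b"\xff" * TOKEN_BYTES
STD_TOKEN = base64.b64encode(RAW).decode()           # alphabet includes '+' and '/'
SAFE_TOKEN = base64.urlsafe_b64encode(RAW).decode()  # uses '-' and '_' instead

if __name__ == "__main__":
    print(f"computed P('/' in token) = {slash_probability():.4f}")
    print(f"observed route failures  = {observed_failure_rate():.4f}")
    print("standard token routes:", route_matches(STD_TOKEN))
    print("urlsafe token routes: ", route_matches(SAFE_TOKEN))
```

Under these assumptions, 42 of the 43 data characters are uniformly random, so the computed figure applies only to a token that really is 32 random bytes encoded with the standard alphabet.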