Cracks in the Foundation: Nested Shares, Admin Tokens & Legacy Devices

Nested Sharing in Google Drive Is Still a Major Risk

A file shared with one person inside a folder shared broadly often inherits broader access—causing accidental leaks of board decks, financials, or PII.

Audit shared folders weekly. Disable link-sharing defaults and enforce team-based Drive structures with limited nesting.
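The weekly audit described above, as an added example (not code from the original post): it models Drive-style permission inheritance over a constructed folder tree, reports every item reachable by an external or anyone-with-link principal along with the ancestor that introduced the grant, and flags nesting deeper than a configurable limit. The sample tree, the `corp.example` domain and the principal formats are assumptions.

```python
INTERNAL_DOMAIN = "corp.example"   # assumed org domain
MAX_NESTING = 2                     # folder depth beyond which items are flagged

# Constructed sample tree: path -> principals granted *directly* on that item.
# Principals are user addresses, "domain:<d>" (everyone in that org) or "anyoneWithLink".
# Drive-style inheritance adds every ancestor's grants to each descendant.
DIRECT_GRANTS = {
    "Finance": {"cfo@corp.example"},
    "Finance/Q3": set(),
    "Finance/Q3/payroll.xlsx": {"contractor@extern.example"},
    "Public": {"anyoneWithLink"},
    "Public/Marketing": {"domain:corp.example"},
    "Public/Marketing/Internal": set(),
    "Public/Marketing/Internal/board-deck.pptx": {"ceo@corp.example"},
}


def effective_grants(path, grants):
    """Union of grants on the item and all its ancestors, keyed by principal.

    The value is the highest ancestor that introduced the grant, so the
    report can say where an inherited share actually comes from."""
    parts = path.split("/")
    out = {}
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        for principal in grants.get(prefix, set()):
            out.setdefault(principal, prefix)
    return out


def is_external(principal):
    """True if the principal lies outside the org (or is a public link)."""
    if principal == "anyoneWithLink":
        return True
    if principal.startswith("domain:"):
        return principal.split(":", 1)[1] != INTERNAL_DOMAIN
    return principal.rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def audit(grants=None):
    """Return (path, principal-or-'nesting', detail) findings for review."""
    grants = DIRECT_GRANTS if grants is None else grants
    findings = []
    for path in sorted(grants):
        depth = path.count("/")
        if depth > MAX_NESTING:
            findings.append((path, "nesting", f"depth {depth} exceeds {MAX_NESTING}"))
        for principal, source in effective_grants(path, grants).items():
            if is_external(principal):
                how = "direct" if source == path else f"inherited from {source}"
                findings.append((path, principal, how))
    return findings
```

Running `audit()` on the sample tree shows the board deck is reachable by anyone with the link purely because it sits under `Public`, which is exactly the inheritance leak the section warns about.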

CI Pipelines Are Running With Persistent Admin Tokens

Many CI/CD services store long-lived admin tokens for automation ease—but these tokens are rarely rotated and often broadly scoped.

Adopt ephemeral credentials for pipeline jobs. Use vault integrations and auto-expire tokens based on job duration or branch type.

Expired Contractor Devices Still Access SaaS Tools

Deprovisioning processes often ignore mobile or secondary devices once a laptop is wiped—allowing continued access to email, notes, or Slack from personal endpoints.

Include all user devices in offboarding scripts. Revoke session cookies, not just account access, and alert on device check-ins post-termination.

Browser-Based Password Managers Are Ignoring Domain Mismatches

Built-in browser password tools often autofill credentials into visually similar but unrelated domains—especially with typosquatting.

Disable autofill for business accounts. Use enterprise password managers that enforce domain-level validation and audit vault usage.

Security Training Is Out of Sync With Active Threats

Employees are still trained on old phishing techniques while attackers use QR phishing, voice AI, and session hijacks—leaving users confident but unprepared.

Tie training modules to recent incidents. Refresh quarterly, and use real-world examples from your org or sector.

In-App Admin Panels Are Missing Audit Logging

Internal admin panels built into CRMs, helpdesks, or internal portals often lack audit trails—allowing high-risk actions to occur invisibly.

Treat admin tools as privileged systems. Require change logging, peer review, and session recording for critical changes.