BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-2026//speaker//Q7N87J
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-2026-JYPF9M@pretalx.com
DTSTART;TZID=PST:20260601T102000
DTEND;TZID=PST:20260601T104000
DESCRIPTION:What if creating a free GitHub account could give you access to
  a Fortune 500's AWS production environment? No credential theft\, no phis
 hing\, just public data recon and a three-line workflow file.\n\nOIDC-base
 d workload identity is the industry's recommended replacement for static C
 I/CD credentials. But implementations across major developer platforms sha
 re a fundamental design flaw: they operate a single global OIDC issuer for
  all tenants and construct the sub claim from recyclable\, human-readable 
 namespace paths. This talk introduces "Sub:jugation\," a vulnerability cla
 ss independently present across all major CI/CD workflow providers (such a
 s GitHub Actions and GitLab CI).\n\nWe present the vulnerability and go b
 eyond the theory: analysis of thousands of real AWS and Azure environment
 s shows that a large percentage of namespace owners are vulnerable\, each 
 trusting and thus putting at risk an average of 10-12 distinct cloud ident
 ities.\n\nWe will show the sophisticated recon pipeline we built using pub
 lic GitHub Code Search and namespace deletion monitoring to demonstrate th
 at an external attacker can discover and exploit these "Phantom Cloud Iden
 tities" at scale. We will demo the full attack chain\, share the data\, an
 d provide concrete steps practitioners can take to audit and remediate the
 ir environments today.
DTSTAMP:20260502T113339Z
LOCATION:Room 1
SUMMARY:Sub:jugation - Hijacking Cloud Identities by Recycling Namespaces i
 n Global OIDC Issuers - Tal Skverer
URL:https://pretalx.com/fwd-cloudsec-2026/talk/JYPF9M/
END:VEVENT
END:VCALENDAR
