Get your copy of the SaaS Attacks Report: 2024 edition

Ready to help

How do I identify the publisher of a third-party integration?

Most of the time, the publisher of a third-party integration will be obvious when looking at the Third-party integrations page in the Push admin console.

Third-party integration list - KB 10077

However, some software providers may not have planned for integration names or details to be visible in a tool like Push, and you may occasionally see a generic integration name like “User Login.”

Generic integration example - KB 10077

Finding details on Microsoft integrations

Microsoft integrations provide reply URLs, which give more information about the domain of the publisher. You can find the reply URL when you click on an integration for more details.

Integration details - reply url - KB 10077

Note that if an integration has more than one reply URL, you should examine each one carefully.

Some publishers may use multiple reply URLs for legitimate purposes, such as testing. However, these callback domains are not verified by Microsoft or Google, and only one domain needs to be owned by the publisher, so nefarious publishers may use multiple domains to try to appear legitimate — a recognizable one and one they actually own and use as the callback domain.

Finding details on Google integrations

Google does not supply a source for identifying reply URLs, however, if Google has verified an app, that means it has verified ownership of the domains as part of its brand verification process.

You can often get more information about an app — such as the homepage of the publisher, the support email address, and the terms of service — by performing a command line request using cURL to Google Cloud.

You’ll need to find the project ID and insert that into the cURL in the command, e.g. brand/[project ID number].

% curl -H "Origin: https://console.cloud.google.com" "https://clientauthconfig.googleapis.com/v1/brands/lookupkey/brand/12345678910?readMask=*&readOptions.staleness=0.02s&returnDeveloperBrand=true&returnDisabledBrands=true&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g"

You can find the project ID in the metadata section of the integration details pane in the Push admin console. It will be the first number of the App ID, preceding the hyphen.

Integration metadata example - KB 10077

A sample output from the cURL command looks like this:

% curl -H "Origin: https://console.cloud.google.com" "https://clientauthconfig.googleapis.com/v1/brands/lookupkey/brand/19570130570?readMask=*&readOptions.staleness=0.02s&returnDeveloperBrand=true&returnDisabledBrands=true&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g"
{
  "brandId": "19570130570",
  "projectNumbers": [
    "19570130570"
  ],
  "displayName": "Slack",
  "iconUrl": "https://lh3.googleusercontent.com/J5SGBWHMF0_vgcIekl1hEhJ1-_p_zsG3L0i1s_bU2bK_TiSLObT7kK1Le9tnme1h3zA",
  "supportEmail": "help@slack-corp.com",
  "homePageUrl": "http://slack.com/",
  "termsOfServiceUrls": [
    "https://slack.com/terms-of-service"
  ],
  "privacyPolicyUrls": [
    "https://slack.com/privacy-policy"
  ],
  "brandState": {
    "limits": {
      "defaultMaxClientCount": 36
    }
  },
  "verifiedBrand": {
    "displayName": {
      "value": "Slack",
      "reason": "APPEALED"
    },
    "storedIconUrl": {
      "value": "https://lh3.googleusercontent.com/J5SGBWHMF0_vgcIekl1hEhJ1-_p_zsG3L0i1s_bU2bK_TiSLObT7kK1Le9tnme1h3zA",
      "reason": "APPEALED"
    },
    "supportEmail": {
      "value": "help@slack-corp.com",
      "reason": "APPEALED"
    },
    "homePageUrl": {
      "value": "http://slack.com/",
      "reason": "APPEALED"
    },
    "privacyPolicyUrl": {
      "value": "https://slack.com/privacy-policy",
      "reason": "APPEALED"
    },
    "termsOfServiceUrl": {
      "value": "https://slack.com/terms-of-service",
      "reason": "APPEALED"
    }
  },
  "storedIconUrl": "https://lh3.googleusercontent.com/J5SGBWHMF0_vgcIekl1hEhJ1-_p_zsG3L0i1s_bU2bK_TiSLObT7kK1Le9tnme1h3zA",
  "consistencyToken": "2020-12-04T13:12:40.648327Z"
}

If after investigating further, you do not recognize or trust the integration, you can remove it.