Someone registered in my team

I’ve been using Cloudflare tunnel for a few years with no issues and I’m using Zero Trust to access self-hosted stuff. I’ve set up basic (geo IP for ex.) security rules in Cloudflare Dash and auth rules in Zero Trust Dash. I’ve tested these settings a lot to somehow bypass security or authentication, but everything was locked out as expected.

Today I accidentally clicked on the “My Team” on the left side of the Zero Trust Dash and found one unknown device called V2108 (vivo, seems like it is a smartphone, but I don’t own it) connected to a user, that is not in the allowed users list (all other are denied). His last successful auth was months ago, that looks very suspicious.

I tested security again - I can’t login from a random email, so how could it happen?

1 Like

Found possible leak - there is a separate device enrollment permissions, which by default allows everyone to add a new device.

1 Like