Tag Archive for: Password

Google accounts may be vulnerable to new hack, changing password won’t help


A new method allegedly enables hackers to exploit authorization protocol OAuth2 functionality to compromise Google accounts and maintain valid sessions by regenerating cookies despite IP or password reset.

According to security firm CloudSEK, a threat actor under the alias PRISMA boasted a potent zero-day exploit and developed a sophisticated solution to generate persistent Google cookies through token manipulation.

“This exploit enables continuous access to Google services, even after a user’s password reset,” the report reads.

OAuth 2.0 stands for “Open Authorization 2.0” and is a widely used protocol for securing and authorizing access to resources on the internet. It makes verifying user identity easy by tapping into their social media accounts, such as Google or Facebook.

CloudSEK’s threat research team identified the exploit’s root at an undocumented Google Oauth endpoint named “MultiLogin.” This is an internal mechanism designed for synchronizing Google accounts across services, which ensures that browser account states align with Google’s authentication cookies.

The developer of the exploit “expressed openness to cooperation,” which accelerated the discovery of the endpoint responsible for regenerating the cookies.

The exploit, incorporated in a malware called Lumma Infostealer on November 14th, boasts two key features: session persistence and cookie generation. To exfiltrate the required secrets, tokens, and account IDs, the malware targets Chrome’s token_service table of WebData of logged-in Chrome profiles.

“The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures,” the report quotes PRISMA. “The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.”

Researchers noted a concerning trend of rapid exploit integration among various Infostealer groups. They think the exploitation of undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of sophistication, as the approach hinges on a nuanced manipulation of the GAIA ID (Google Accounts and ID…

Source…

New Security Study Reveals AutoSpill Vulnerabilities in Android Password Managers


A recent security study conductedresearchers at the International Institute of Information Technology (IIIT) has unveiled a new attack called AutoSpill, which targets Android password managers and can potentially lead to the theft of account credentials. The researchers discovered that most password managers for Android are vulnerable to this attack, even without the use of JavaScript injection.

The attack worksexploiting weaknesses in Android’s WebView framework, which is commonly usedAndroid apps to render web content. Password managers on Android rely on this framework to automatically fill in a user’s account credentials when logging into services like Apple, Facebook, Microsoft, or Google.

The AutoSpill attack is particularly concerning because it allows rogue apps to capture a user’s login credentials without leaving any trace of the compromise. This can lead to unauthorized access to sensitive accounts.

The researchers tested AutoSpill against several password managers on various Android versions and found that 1Password, LastPass, Enpass, Keeper, and Keepass2Android are all susceptible to the attack. However, Google Smart Lock and DashLane follow a different technical approach and are safe from AutoSpill unless JavaScript injection is used.

The AutoSpill vulnerability stems from Android’s failure to clearly define the responsibility for securely handling auto-filled data. This loophole can result in the leakage or capture of sensitive informationthe host app.

The researchers have reported their findings to the affected software vendors and Android’s security team. While the validity of the report has been acknowledged, no details regarding plans for fixing the issue have been shared yet.

In response to the disclosure, password management providers impactedAutoSpill, such as 1Password and LastPass, have assured their users that they are working on fixes to address the vulnerability. They emphasize the importance of user vigilance and explicit actions required for autofill functions.

Users are advised to exercise caution while installing apps and only download from trusted app stores like Google Play. Android developers are also encouraged to implement WebView best…

Source…

Bad Password May Have Led to Pennsylvania Water System Hack


(TNS) — Federal and state security officials said a poor or even default password could be the weak link that enabled hackers to break into a Pittsburgh-area water system.

The Municipal Water Authority of Aliquippa suffered the cyberattack on Saturday, with several media outlets displaying images of a screen from the authority equipment that claimed to target Israeli-made products.

In a Tuesday alert, the federal Cybersecurity and Infrastructure Security Agency (CISA) said the hackers, who some media outlets have identified as the pro-Iran group CyberAvengers, “likely accessed the affected device … by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.”


CISA is a federal agency that falls under the Department of Homeland Security.

The Pennsylvania Criminal Intelligence Center shared CISA’s advisory Wednesday and reminded security experts “to ensure the default ‘1111’ password is not in use” on their networks, according to an email obtained by TribLive.

The center also recommended that systems’ “programmable logic controllers,” or PLCs, use multifactor authentication and update to the most current software.

No customers of Aliquippa’s service lost access to water due to the attack, said Robert Bible, general manager of the Aliquippa Municipal Authority, in an interview with TribLive news partner WTAE.

Bible said the hackers targeted a small substation in Racoon Township. They disabled a device that is used to automatically control water levels at the authority’s tanks, he said.

Bible did not return phone calls Wednesday to the municipal authority. Aliquippa Mayor Dwan B. Walker also could not be reached for comment.

CISA officials, in their Tuesday advisory, identified equipment hacked at the Pennsylvania utility as a “Unitronics Vision Series PLC with a Human Machine Interface (HMI).”

Unitronics, which is based in Israel and operates a U.S. office in Quincy, Mass., a Boston suburb, did not respond to numerous emails and phone calls this week seeking comment.

Pittsburgh-based Jewish security officials said they also have grappled with cybersecurity issues related to the…

Source…

Six great options for password managers


Using unique and strong passwords for every website is a must for internet security. Too few people know how to do this, and that’s where password managers come in and can make online life easier.

There’s no doubt about it, actually doing the work to stay safe on the web is hard — and getting harder. In order to be truly secure online, each and every login you use needs its own strong, unique password.

We’re starting to see the spread of “passkeys” that make this process easier, since it doesn’t rely on passwords. Until this is universal, however, users should consider a password manager to help them create, manage, and fill in strong passwords.

The password managers we’ve picked here are excellent, free or low-cost, and user-friendly. Furthermore, we’ve checked each company’s privacy policies to ensure that they can’t read any of your stored passwords, thanks to end-to-end encryption.

All six of our managers offer features like two-factor authentication, secure password sharing, and importing existing passwords. They all help you create strong passwords, auto-store them, and report on any passwords that are weak or compromised.

We’ve checked to see if any of the companies reported a compromise or server breach, such as “what happened to LastPass. Thanks to their “zero-knowledge” policies, none of the password managers we list here have been compromised.

Keychain

Being built-in to Apple’s Mac and mobile devices, this is the obvious first choice. Whenever you first sign in or create an account on a website in Safari, Keychain — called “Passwords” in system settings — will pop up and offer to store this new login.

You should always, always say “yes” to this. That login is then stored and encrypted on your device, and then stored on iCloud and synced across your Apple devices.

At one time, what is now called iCloud Passwords only worked with the Safari browser on Mac. As of macOS Sonoma, it now also supports Edge, Chrome, Opera, and other Chromium-based browsers — sorry, Firefox.

You can even use Keychain on PCs by downloading “iCloud for Windows” application, and signing in to your Apple ID. It can then import and sync any logins you have stored in the default…

Source…