Whoa, a bank supporting #passkeys! Never thought I'd see the day.
Passkey/password bug: iOS 18.3.1
In iOS version 18.3.1 the iCloud Keychain (*) vulnerability I reported earlier has still not been fixed (I wrote about this earlier, in English: https://infosec.exchange/@ErikvanStraten/113821443334366419).
(*) Nowadays that is the app called "Wachtwoorden" (or "Passwords").
The vulnerability exists if:
• The owner uses a "passcode" (PIN or password) to unlock the iPhone or iPad - and NO biometrics are configured;
or:
• The user can use biometrics to unlock the screen, but in 'Settings' > 'Touch ID & Passcode' the setting "Password AutoFill" is turned OFF.
See the screenshots below (in English in https://infosec.exchange/@ErikvanStraten/113821443334366419). More info is shown by pressing "Alt" on the images.
Problem: anyone with access to the unlocked iPhone or iPad can then, *without* having to authenticate locally again:
1) Log in to every website whose user ID and password are stored in iCloud Keychain;
2) Log in with passkeys on a few specific websites (including https://account.apple.com and https://icloud.com), namely as follows:
a) Open the website;
b) Tap "Sign in";
c) Tap the "x" at the top right of the pop-up that appears (in the bottom half of the screen);
d) Tap briefly in the field that asks for the e-mail address;
e) Tap the "use passkey" button.
Risk: lending out an unlocked iDevice (e.g. to children), but also theft after the passcode has been observed. Or, if the thief does not have the passcode, waiting until the next iOS/iPadOS vulnerability becomes known that allows the screen lock to be bypassed.
If you haven't seen them yet, at least watch the first of the following two videos by Joanna Stern (of the Wall Street Journal):
https://youtube.com/watch?v=QUYODQB_2wQ
https://youtube.com/watch?v=tCfb9Wizq9Q
#TouchID #FaceID #Passkeys #iCloudKeychain #Passwords #PadswordsApp #Wachtwoorden #WachtwoordenApp #Biometrie #Passcode #iOS #iPadOS #iPhone #iPad #iDevice #ScreenLock #ScreenUnlock #SchermVergrendeling #SchermOntgrendeling #SchermOntgrendelCode #PINcode #Kwetsbaarheid #Vulnerability #OngeautoriseerdeToegang #IdentiteitsFraude #Inloggen #Stern #JoannaStern #WSJ
Passkey advice (ncsc.gov.uk)
From https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better (highly condensed by me):
❝
What then are the remaining problems with passkeys?
🔸 Inconsistent support and experiences
🔸 Device loss scenarios
🔸 Migration issues
🔸 Account recovery processes
🔸 Platform differences
🔸 Implementation complexity
🔸 Inconsistent use
🔸 Uncertainty around multi-factor status
❞
🔹 I recently wrote about a number of Android and iOS/iPadOS vulnerabilities (including account lock-out risks) in https://infosec.exchange/@ErikvanStraten/113820358011090612 and a couple of follow-up toots.
🔹 People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (which seems to work in Chrome). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken.
🔹 A good source of (unbiased!) info is also Dan Goodin's article in https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/.
🔹 Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in https://infosec.exchange/@ErikvanStraten/113022180851761038 (with Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557).
New post on the importance of minimizing conditional UI latency in #webauthn
tl;dr
* embed all the JavaScript necessary to fire the conditional UI request in your HTML
* don't wait on network requests
* don't cringe
New post on choosing the right `timeout` value in #WebAuthn!
tl;dr
* design your challenge-response protocol to allow for a very long value
* whatever you do, don't leave it to the default value
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #04/2024 is out! It includes the following and much more:
➝ 🔓 🧬 #23andMe admits it didn’t detect #cyberattacks for months
➝ 🔓 #Trello API abused to link email addresses to 15 million accounts
➝ 🔓 🇺🇸 #LoanDepot Breach: 16.6 Million People Impacted
➝ 🇺🇸 🇷🇺 #Microsoft network breached through password-spraying by Russian-state hackers
➝ 🇷🇺 🇺🇸 Russian #TrickBot Mastermind Gets 5-Year Prison Sentence for #Cybercrime Spree
➝ 🇺🇸 🇷🇺 #HPE says it was hacked by Russian group behind Microsoft email #breach
➝ 🇷🇺 🇸🇪 Russian Hackers Suspected of #Sweden Cyberattack
➝ ✈️ 💰 Aviation Leasing Giant #AerCap Hit by #Ransomware Attack
➝ 🇺🇸 📲 #SEC blames sim-swapping, lack of MFA for X account hijacking
➝ 🇨🇳 Chinese Hackers Silently Weaponized #VMware Zero-Day Flaw for 2 Years
➝ 🔔 👮🏻♂️ Ring Will No Longer Allow Police to Request Doorbell Camera Footage From Users
➝ 🇫🇷 👀 French regulator fines #Amazon $35 million over its surveillance system of warehouse workers
➝ 🇫🇷 🍪 #France Fines #Yahoo 10 Mn Euros Over Cookie Abuses
➝ 🍎 💸 Cracked #macOS apps drain wallets using scripts fetched from DNS records
➝ 🦠 🔑 Malicious #NPM Packages Exfiltrate Hundreds of Developer #SSH Keys via #GitHub
➝ 🦠 💻 NS-STEALER Uses Discord Bots to Exfiltrate Your #Secrets from Popular Browsers
➝ 🐥 🔑 X adds #passkeys support for #iOS users in the United States
➝ 🩹 🚨 Critical #Jenkins Vulnerability Exposes Servers to RCE Attacks - #Patch ASAP!
➝ 🤖 💥 AI will increase the number and impact of cyber attacks, intel officers say
➝ 🐛 🩹 Exploit released for Fortra #GoAnywhere MFT auth bypass bug
➝ 🔓 ⚡️ #Pwn2Own Automotive: Hackers Earn Over $700k for #Tesla, EV Charger, Infotainment Exploits
➝ 🔓 🇨🇳 Mass exploitation of #Ivanti VPNs is infecting networks around the globe
➝ 🍎 🩹 Apple Issues #Patch for Critical Zero-Day in #iPhones, Macs - Update Now
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-042024