Stealing cookies: Researchers describe how to bypass modern authentication

Passwordless authentication standards have improved identity security, but new research indicates this technology is vulnerable to token hijacks and man-in-the-middle attacks.

The post Stealing cookies: Researchers describe how to bypass modern authentication appeared first on CyberScoop.

Continue reading Stealing cookies: Researchers describe how to bypass modern authentication

Epic Games login tokens were susceptible to theft, research shows

Epic Games, best known for the mega-popular video game “Fortnite,” fixed a vulnerability in its web infrastructure that hackers could have abused to access user accounts, as evidenced by a report from cybersecurity firm Check Point published Wednesday. The exploit involves phishing, but victims don’t need to be tricked into handing over credentials for it to work, the report shows. The bug only required that the targets visit a malicious link, where their login tokens could be leaked to the attackers. This type of access could have allowed hackers to see victims’ personal information, listen to their in-game voice chat and purchase V-Bucks — the game’s virtual currency — with other players’ accounts, Check Point said. Researchers said they found two old sub-domains belonging to Epic Games containing vulnerabilities that allowed for a malicious redirect attack. In a technical report, researchers describe how they were able to take control of these domains and use them to […]

The post Epic Games login tokens were susceptible to theft, research shows appeared first on CyberScoop.

Continue reading Epic Games login tokens were susceptible to theft, research shows

GitHub rolls out new token scanning, security alert features

GitHub on Tuesday announced several new security features that aim to help developers stay on top of vulnerabilities and keep sensitive data, like access tokens, out of publicly available code. “The security challenges that underpin software today are community problems—not just the burdens of individual CISOs, IT admins, and open source maintainers,” GitHub said in a blog post. “With the breadth of data and connections GitHub maintains as the leading software development platform, we have a responsibility to protect the community from cybersecurity threats and enhance security for all.” The company announced the launch of the public beta of a token scanning feature. Security tokens are digital keys that allow individual users of a service to stay logged in. GitHub says it will scan people’s public repositories for token formats and notify the provider if it finds any. The scans will look out for tokens provided by Amazon Web Services, […]

The post GitHub rolls out new token scanning, security alert features appeared first on Cyberscoop.

Continue reading GitHub rolls out new token scanning, security alert features

User info and social media ‘access tokens’ exposed in Timehop breach

Timehop, an app that resurfaces old posts from users’ social media profiles, has disclosed a breach in which users’ basic contact information was exposed, as well as “access tokens” that the app uses to gather information from users’ social media accounts. The names and email addresses of 21 million users were exposed, the company says. Of those users, about 4.7 million had their phone numbers also exposed. Timehop says it has deauthorized the access tokens, which are provided by its social media partners so the app can access that content. The company also forced all accounts to log out. When users try to log in again, they will also have to reauthenticate each social media site they want to use with Timehop in order to generate new, secure tokens. In a blog post Sunday disclosing the incident, Timehop stresses that the tokens do not give anyone access to private messages on Twitter, Instagram or […]

The post User info and social media ‘access tokens’ exposed in Timehop breach appeared first on Cyberscoop.

Continue reading User info and social media ‘access tokens’ exposed in Timehop breach