Collaborate Disseminate
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a user logs in with username and password … Continue reading Where to store Refresh Token in custom Authentication
The Microsoft account can have multiple ways to prove who you are for 2FA (two-factor authentication).
When you forget your 2FA security info you can initiate the account recovery process by clicking "Forget password?".
The recov… Continue reading Bypass Microsoft Account 2FA
I am doing a security audit on a command line tool. The tool is java based and it runs on the server side, it collects some info and generate a report at the end of the run.
This tool can run nevertheless of which user has run this, so any… Continue reading how to apply authentication/authorization on CLI tools
So I received an email from message@adobe.com. It says
Your Apple account is now connected to your Adobe account and may be used for sign in. You can disconnect it or add another from your Adobe Account.
If you did not request that these … Continue reading How to contact huge corporation about unrecognised account activity (Adobe)? [closed]
So I received an email from message@adobe.com. It says
Your Apple account is now connected to your Adobe account and may be used for sign in. You can disconnect it or add another from your Adobe Account.
If you did not request that these … Continue reading How to contact huge corporation about unrecognised account activity (Adobe)? [closed]
Running a WHM/cPanel system on CentOS v7.9.2009 (STANDARD kvm) and cPanel Version 110.0.34.
We use WHM Exim Config with SendGrid for email forwarding.
In the last 3 months, our SendGrid account has been compromised twice with phishing camp… Continue reading In WHM/cPanel > Exim Config, how to prevent SendGrid API key from being breached?
Websites ask for passwords to ensure you are the account owner before you make changes to high-risk settings, but autofill works all the time, even when the browser is in Incognito mode.
If someone already has access to your computer, it d… Continue reading How effective is re-entering your password to enable high-risk functions on your account when autofill is always available?
A few months ago, a popular YouTuber had their account hacked by a virus on his computer. Then, all of his security information was changed in under a minute. I remembered Google sent over 30 emails informing him that suspicious activities… Continue reading Specific rate limit for changing security information
The web app I’m developing makes use of the concepts of "access token" and "refresh token", even though it uses its own auth scheme.
In certain situations, the web app needs to get an "impersonation token" fro… Continue reading Refresh tokens for impersonating user credentials: how to implement them?
We wrote a e-commerce system where we were asked to generate orders based on a format provided to us
The format was extremely simple which was today’s date with total number of orders in the database + 1.
The e-commerce was sent into testi… Continue reading Should order numbers be guessable?