#0fa

Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@thomasbosboom" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thomasbosboom</span></a></span> : under Android, the risk that you lose all your passkeys, or that they do not synchronise to another device, is not imaginary.</p><p>Under iOS and iPadOS there are circumstances in which someone who has an unlocked iPhone or iPad in their hands (such as a thief who snatches such a device out of your hands while you are using it) can use your iCloud passwords and passkeys with 0FA.</p><p><a href="https://infosec.exchange/@ErikvanStraten/113820358011090612" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113820358011090612</span></a></p><p>All "wontfix" according to Apple/Google and the Chromium team.</p><p><span class="h-card" translate="no"><a href="https://nrw.social/@roman78" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>roman78</span></a></span> </p><p><a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/Vulns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulns</span></a> <a href="https://infosec.exchange/tags/Bugs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bugs</span></a> <a href="https://infosec.exchange/tags/AccountLockOut" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AccountLockOut</span></a> <a href="https://infosec.exchange/tags/0FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>0FA</span></a> <a href="https://infosec.exchange/tags/ZFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZFA</span></a> <a href="https://infosec.exchange/tags/Vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerabilities</span></a> <a href="https://infosec.exchange/tags/iCloudKeyChain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iCloudKeyChain</span></a> <a href="https://infosec.exchange/tags/Wachtwoorden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wachtwoorden</span></a> <a href="https://infosec.exchange/tags/Biometrie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Biometrie</span></a> <a href="https://infosec.exchange/tags/SyncErrors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SyncErrors</span></a> <a href="https://infosec.exchange/tags/Welkom01" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Welkom01</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@rmondello" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>rmondello</span></a></span> : in fact, I did.</p><p><a href="https://infosec.exchange/@ErikvanStraten/113832302818012852" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113832302818012852</span></a></p><p><a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/NoCredsNeeded" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NoCredsNeeded</span></a> <a href="https://infosec.exchange/tags/0FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>0FA</span></a></p>
Erik van Straten<p>🌊Please boost, create awareness!🌊</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@webhat" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>webhat</span></a></span> wrote: « passwordless works using biometrics to unlock the trusted key store »</p><p>It *may* require biometrics, or it may not.</p><p>🤳 For example: on my iPhone, if I REMOVE my stored fingerprint data, then:</p><p>🔒 I'll *always* have to enter my *passcode* (screen unlock password) when I *CREATE* a new passkey, on any website that supports passkeys;</p><p>🚨 HOWEVER: I *NEVER* have to enter my passcode (or I can bypass any request) when *USING* a passkey to *LOG IN* to at least the following websites:<br>• <a href="https://idmsa.apple.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">idmsa.apple.com</span><span class="invisible"></span></a><br>• <a href="https://webauthn.io" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">webauthn.io</span><span class="invisible"></span></a><br>• <a href="https://passkeys-demo.appspot.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">passkeys-demo.appspot.com</span><span class="invisible"></span></a><br>• <a href="https://passkeys.io" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">passkeys.io</span><span class="invisible"></span></a><br>• <a href="https://webauthn-conditional-ui-demo.glitch.me" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">webauthn-conditional-ui-demo.g</span><span class="invisible">litch.me</span></a></p><p>🚨 Similarly, I *always* have to enter my passcode when I *add* a password-based credentials record to iCloud Keychain, but *never* when I ask iCloud Keychain to autofill such credentials to log in to *any* website.</p><p>💣How is this NOT a vulnerability?💣</p><p>🔧 Note that I've not found *any* configuration setting that (when *not* having configured and using biometrics at all) would force me to *always* authenticate locally to have iCloud Keychain autofill credentials in order to log in to a website.</p><p>🔓 This is 0FA if someone, who you do not fully trust (e.g. a thief), has or obtains access to your unlocked iPhone or iPad.</p><p>💥 IMO this is a huge risk, particularly after a miscreant observes you entering your passcode and then steals your iDevice, as clearly visualized by Joanna Stern (of the Wall Street Journal) in <a href="https://youtu.be/QUYODQB_2wQ" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/QUYODQB_2wQ</span><span class="invisible"></span></a> (follow-up: <a href="https://youtu.be/tCfb9Wizq9Q" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/tCfb9Wizq9Q</span><span class="invisible"></span></a>). 
It is a GAPING SECURITY HOLE because most users, in particular those who do NOT use biometrics (many elderly people), are not aware of the risks.</p><p>😱 And IMO it's *unbelievable* that Apple denies that this is a vulnerability (note that more than one vulnerability may be involved).</p><p>🔑 <span class="h-card" translate="no"><a href="https://hachyderm.io/@rmondello" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>rmondello</span></a></span> : see <a href="https://security.apple.com/reports/OE19476493072" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.apple.com/reports/OE1</span><span class="invisible">9476493072</span></a> for details.</p><p>⁉️ What else can I do to bring this to people's attention? Please complain to Apple that they insufficiently protect unaware iDevice users!</p><p><a href="https://infosec.exchange/tags/ItsByDesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItsByDesign</span></a> <a href="https://infosec.exchange/tags/ItsSTUPIDITYByDesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItsSTUPIDITYByDesign</span></a> <a href="https://infosec.exchange/tags/0FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>0FA</span></a> <a href="https://infosec.exchange/tags/1FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>1FA</span></a> <a href="https://infosec.exchange/tags/iCloudKeychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iCloudKeychain</span></a> <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Apple</span></a> <a href="https://infosec.exchange/tags/iDevices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iDevices</span></a> <a 
href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPhone</span></a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPad</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/GapingSecurityHole" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GapingSecurityHole</span></a> <a href="https://infosec.exchange/tags/Ignorant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ignorant</span></a> <a href="https://infosec.exchange/tags/Ignorance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ignorance</span></a> <a href="https://infosec.exchange/tags/Convenience" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Convenience</span></a> <a href="https://infosec.exchange/tags/ConvenienceOverSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ConvenienceOverSecurity</span></a> <a href="https://infosec.exchange/tags/ConvenienceVsSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ConvenienceVsSecurity</span></a></p>
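One thing a website (the WebAuthn relying party) can do about the situation Erik describes, where a passkey is used with no local re-authentication at all, is to request userVerification "required" and then reject any assertion whose authenticatorData does not carry the UV flag. The parser and checks below are an added example, not code from this thread or from any vendor; the sample authenticatorData is constructed (no signature) and example.com is a placeholder rpId. Whether a given platform authenticator honours the request is outside the server's control; the server can only refuse logins that do not report verification.

```python
import hashlib
import struct
from dataclasses import dataclass

# WebAuthn authenticatorData flag bits ("Authenticator Data" in the spec)
FLAG_UP = 0x01  # user present (a touch/tap happened)
FLAG_UV = 0x04  # user verified: passcode/PIN/biometric was checked locally
FLAG_BE = 0x08  # backup eligible (synced passkey, e.g. iCloud Keychain)
FLAG_BS = 0x10  # backup state (currently backed up)

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)

def check_assertion(raw: bytes, rp_id: str, stored_sign_count: int,
                    require_uv: bool = True) -> list[str]:
    """Return policy violations for a login assertion; an empty list means accept.
    Assumes the server sent userVerification="required" in the request options."""
    ad = parse_auth_data(raw)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not ad.flags & FLAG_UP:
        problems.append("user presence not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        problems.append("user verification (UV) not asserted: possession-only login")
    # Synced passkeys commonly report 0; only compare when a counter is in use.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        problems.append("signature counter did not increase")
    return problems

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticatorData for demonstration only."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    rp = "example.com"  # placeholder rpId
    verified = make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    possession_only = make_auth_data(rp, FLAG_UP | FLAG_BE | FLAG_BS, 0)
    print("verified:", check_assertion(verified, rp, 0))
    print("possession-only:", check_assertion(possession_only, rp, 0))
```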