DMV.Community

0 posts0 participants0 posts today

Erik van StratenPasskey/password bug: iOS 18.3.1Ook in iOS versie 18.3.1 is de eerder door mij gemelde iCloud KeyChain (*) kwetsbaarheid nog niet gerepareerd (eerder schreef ik hierover, Engelstalig: <a href="https://infosec.exchange/@ErikvanStraten/113821443334366419" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113821443334366419</a>).(*) Tegenwoordig is dat de app genaamd "Wachtwoorden" (of "Passwords").De kwetsbaarheid bestaat indien:• De eigenaar een "passcode" (pincode of wachtwoord) gebruikt om de iPhone of iPad te ontgrendelen - en er GÉÉN biometrie is geconfigureerd;ofwel:• De gebruiker wel biometrie kan gebruiken om het scherm te ontgrendelen, doch in 'Instellingen' > 'Touch ID en toegangscode' de instelling "Autom. invullen wachtw." is UITgezet.Zie onderstaande screenshots (Engelstalig in <a href="https://infosec.exchange/@ErikvanStraten/113821443334366419" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113821443334366419</a>). Meer info ziet u door op "Alt" in de plaatjes te drukken.Probleem: iedereen met toegang tot de ontgrendelde iPhone of iPad kan dan, *zonder* opnieuw lokaal te hoeven authenticeren:1) Op elke website inloggen waarvan het user-ID en wachtwoord in iCloud Keychain zijn opgeslagen;2) Met passkeys op enkele specifieke websites inloggen (waaronder <a href="https://account.apple.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://account.apple.com</a> en <a href="https://icloud.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://icloud.com</a>), namelijk als volgt:a) Open de website; b) Druk op "Inloggen"; c) Druk op de "x" rechts bovenaan de pop-up die verschijnt (in de onderste schermhelft); d) Druk kort in het veld waar om het e-mailadres gevraagd wordt; e) Druk op de knop "gebruik passkey".Risico: uitlenen van een unlocked iDevice (o.a. aan kinderen) maar ook diefstal nadat de passcode is afgekeken. Of als de dief geen passcode heeft, als deze wacht tot de eerstvolgende iOS/iPadOS kwetsbaarheid bekend wordt waarbij de schermontgrendeling omzeild kan worden.Als u ze nog niet gezien heeft, bekijk in elk geval de eerste van de volgende twee video's van Joanna Stern (van de Wall Street Journal): <a href="https://youtube.com/watch?v=QUYODQB_2wQ" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtube.com/watch?v=QUYODQB_2wQ</a> <a href="https://youtube.com/watch?v=tCfb9Wizq9Q" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtube.com/watch?v=tCfb9Wizq9Q</a><a href="https://infosec.exchange/tags/TouchID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TouchID</a> <a href="https://infosec.exchange/tags/FaceID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FaceID</a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Passkeys</a> <a href="https://infosec.exchange/tags/iCloudKeychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iCloudKeychain</a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Passwords</a> <a href="https://infosec.exchange/tags/PadswordsApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PadswordsApp</a> <a href="https://infosec.exchange/tags/Wachtwoorden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Wachtwoorden</a> <a href="https://infosec.exchange/tags/WachtwoordenApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WachtwoordenApp</a> <a href="https://infosec.exchange/tags/Biometrie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Biometrie</a> <a href="https://infosec.exchange/tags/Passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Passcode</a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPadOS</a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPhone</a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPad</a> <a href="https://infosec.exchange/tags/iDevice" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iDevice</a> <a href="https://infosec.exchange/tags/ScreenLock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ScreenLock</a> <a href="https://infosec.exchange/tags/ScreenUnlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ScreenUnlock</a> <a href="https://infosec.exchange/tags/SchermVergrendeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SchermVergrendeling</a> <a href="https://infosec.exchange/tags/SchermOntgrendeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SchermOntgrendeling</a> <a href="https://infosec.exchange/tags/SchermOntgrendelCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SchermOntgrendelCode</a> <a href="https://infosec.exchange/tags/PINcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PINcode</a> <a href="https://infosec.exchange/tags/Kwetsbaarheid" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Kwetsbaarheid</a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vulnerability</a> <a href="https://infosec.exchange/tags/OngeautoriseerdeToegang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OngeautoriseerdeToegang</a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IdentiteitsFraude</a> <a href="https://infosec.exchange/tags/Inloggen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Inloggen</a> <a href="https://infosec.exchange/tags/Stern" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Stern</a> <a href="https://infosec.exchange/tags/JoannaStern" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#JoannaStern</a> <a href="https://infosec.exchange/tags/WSJ" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WSJ</a>

PrivacyDigestIndicted <a href="https://mas.to/tags/NYC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NYC</a> mayor to <a href="https://mas.to/tags/FBI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FBI</a>: I, uh, forgot my phone’s <a href="https://mas.to/tags/passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#passcode</a> <a href="https://arstechnica.com/?p=2053030" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://arstechnica.com/?p=2053030</a>

Erik van Straten<a href="https://retro.pizza/@textualdeviance" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@textualdeviance</a> wrote, among other things:« Sudden revolutions come with obscenely high body counts of innocent civilians. »That is not necessarily true, in for example the following cases:🔸 <a href="https://en.wikipedia.org/wiki/Velvet_Revolution" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://en.wikipedia.org/wiki/Velvet_Revolution</a>🔸 A revolution that STOPS killing must take place <a href="https://infosec.exchange/tags/NOW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NOW</a>. The anihilation of Palestinians is simply unacceptable, in particular because western countries condone, support or even encourage it. At some point the governments of the USA, NL and others must stop following orders from their Zionist sponsors, in order to not make them EVEN MORE complicit to genocide.🔸 Personally I'm "fighting" for a safer internet; fixing tech does not have to involve bloodshed at all (although big tech and leeches like <a href="https://safer.io/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://safer.io/</a> will lose income). Such as:• By insisting on a system where internet users can distinguish betwee fake and authentic websites (see <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113079966331873386</a>);• By providing strong arguments why "Chatcontrol" (governments scanning every smartphone looking for Child Sexual Abuse Material - and what not) will not protect a single child - on the contrary (<a href="https://infosec.exchange/@ErikvanStraten/113075518670257012" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113075518670257012</a>; chatcontrol is *not* just a privacy risk);• By warning for passkeys (<a href="https://infosec.exchange/@ErikvanStraten/113058944497262936" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113058944497262936</a>) and suggesting better alternatives;• By warning for risks such as when unlocking the screen of an iPhone/iPad with a PIN (<a href="https://infosec.exchange/@ErikvanStraten/113053761440539290" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113053761440539290</a>);• By warning for security measures that are easily bypassed, such as 2FA/MFA (using SMS, voice, or TOTP "Authenticator" apps including Microsoft's using "number matching");• Et cetera.<a href="https://infosec.exchange/@0xabad1dea" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@0xabad1dea</a> <a href="https://infosec.exchange/tags/AIPAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AIPAC</a> <a href="https://infosec.exchange/tags/CIDI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CIDI</a> <a href="https://infosec.exchange/tags/Gaza" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Gaza</a> <a href="https://infosec.exchange/tags/Westbank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Westbank</a> <a href="https://infosec.exchange/tags/EthnicCleansing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EthnicCleansing</a> <a href="https://infosec.exchange/tags/Genocide" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Genocide</a> <a href="https://infosec.exchange/tags/Palestinians" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Palestinians</a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BigTech</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fake</a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Real</a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentic</a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impostors</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberCrime</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/ChatControl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ChatControl</a> <a href="https://infosec.exchange/tags/CSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CSS</a> <a href="https://infosec.exchange/tags/CSAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CSAM</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NumberMatching</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/HSTS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HSTS</a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#httpvshttps</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#passcode</a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPhone</a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPad</a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Android</a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPadOS</a>

☮ ♥ ♬ 🧑‍💻“Australian border force officers obtained passcodes to the devices of almost 10,000 people in the past two years, new data obtained by Guardian <a href="https://ioc.exchange/tags/Australia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Australia</a> reveals, with most people who were ordered to hand over their <a href="https://ioc.exchange/tags/phones" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phones</a> willingly providing the <a href="https://ioc.exchange/tags/passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#passcode</a>.”<a href="https://ioc.exchange/tags/ABF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ABF</a> / <a href="https://ioc.exchange/tags/data" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#data</a> / <a href="https://ioc.exchange/tags/seizures" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#seizures</a> <<a href="https://theguardian.com/australia-news/article/2024/jun/11/australian-border-force-abf-searching-phones-travellers-data" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://theguardian.com/australia-news/article/2024/jun/11/australian-border-force-abf-searching-phones-travellers-data</a>>

Erik van Straten<a href="https://hachyderm.io/@rmondello" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@rmondello</a> Condition: on iOS or iPadOS the user has disabled biometric screen unlock (they must use their passcode to unlock the screen).(Alternatively, biometrics are enabled, but in "Settings" —> "Touch ID & Passcode" the user has turned OFF "Password AutoFill").Problem: when they login to a website using credentials from their iCloud keychain:• In case of a password, they will NOT be asked to enter their passcode to access their iCloud keychain;• In case of a passkey, not in all cases they are required to enter their passcode to access their iCloud keychain.The latter happens when using "conditional UI", i.e. by tapping in a user-ID field on a website that is unaware of this Apple bug (such as <a href="https://webauthn.io" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://webauthn.io</a>).Risk: any other user of the device (such as child, not knowing the passcode), after the device has been unlocked by the owner, may be able to sign in to websites (impersonating the owner) without providing *any* authentication.More info: <a href="https://infosec.exchange/@ErikvanStraten/112015305786620807" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112015305786620807</a><a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Passkeys</a> <a href="https://infosec.exchange/tags/Risks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Risks</a> <a href="https://infosec.exchange/tags/Passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Passcode</a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPadOS</a> <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Apple</a> <a href="https://infosec.exchange/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Passkey</a> <a href="https://infosec.exchange/tags/conditionalUI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#conditionalUI</a>

Recent searches

Search options

Administered by:

Server stats:

#passcode