Over 5,300 GitLab servers exposed to zero-click account takeover attacks

www.bleepingcomputer.com

356

Over 5,300 GitLab servers exposed to zero-click account takeover attacks

www.bleepingcomputer.com

Nemeski@lemm.ee to

Technology@lemmy.worldEnglish · 1 year ago

Chat

Baines@lemmy.world
link
fedilink
English
arrow-up
11·
edit-2
1 year ago
don’t even have to lose the device

phone is the most common, plenty of ways in from mitm attacks (insecure wifi for example) to social eng the account phone provider

guess you could go the dongle route but if it was super common thieves would just target them
- asdfasdfasdf@lemmy.world
  link
  fedilink
  English
  arrow-up
  14·
  1 year ago
  I think the question is less about getting hacked and more about getting permanently locked out of your account.
  - Baines@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1·
    1 year ago
    sure but it shouldn’t be, any good process will have some recovery method
    
    course that can be a vulnerability as well
    
    thank god recovery questions are dead
- kautau@lemmy.world
  link
  fedilink
  English
  arrow-up
  7·
  1 year ago
  The idea with passkeys though is that it’s like a dongle, not just your phone number. It’s not an SMS code or link, it uses the cryptography hardware of your phone to authenticate. But the question of “what happens if I lose my phone” still persists.
  
  https://fidoalliance.org/passkeys/
  
  https://developer.apple.com/passkeys/
  
  https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/amp/
  - Baines@lemmy.world
    link
    fedilink
    English
    arrow-up
    4·
    1 year ago
    I mean it’s just 2fa without the password so same issues with what I described
    
    https://www.csoonline.com/article/570795/how-to-hack-2fa.html
    
    just the first result on google
    - GigglyBobble@kbin.social
      link
      fedilink
      arrow-up
      1·
      edit-2
      1 year ago
      “5 ways to hack 2FA” is pretty click-baity though. All of those attacks are either not exclusively related to 2FA or could target another component. If you can just bypass security altogether, instead of questioning 2FA, you should consider ditching that service/site.
      
      All except point 1, that is. But everyone should know by now that 2FA by SMS is insecure.

Technology@lemmy.world

technology@lemmy.world

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@lemmy.world

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

3.3K users / day
9.63K users / week
18.1K users / month
37.7K users / 6 months
1 local subscriber
69.9K subscribers
11.4K Posts
440K Comments
Modlog