Resource takeover x monkeyuser.com
Missed last available coffee mug?
Watch out, April Fools’ Day!
There are many things, besides the last free mug of course, that can be taken over… You should know the examples below.
Read more and check our tips.
User account takeover
The crown jewel: taking over user accounts. It's best of all when done at scale.
- Facebook had a bug that made it possible to unlock any user's account on the developer version of the site, beta.facebook.com.
We have written about why the OAuth 2.0 protocol is better left out of the authentication process. Airbnb and Uber learned this the painful way.
- Airbnb allowed user authentication via stolen OAuth tokens.
- An attack based on theft of the OAuth access token was also performed against Uber.
Subdomain takeover
This is a newer entry in the attackers' repertoire. The idea is based on a subdomain (e.g. sub.example.com) that points to a second domain (anotherexample.com) through a CNAME DNS record, and this second domain expires.
The attacker can then register anotherexample.com again and thereby take over sub.example.com.
As a result, cookies scoped to the parent domain can be stolen, and preparing a phishing campaign becomes much easier and more effective.
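A defender-side check for the dangling CNAME described above, as an added example that is not part of the original article: it follows each subdomain's CNAME chain and reports chains that end at a name that no longer exists, the condition that lets someone re-register the target domain. The resolver is injected and the zone data is constructed, so it runs offline; swapping in a real DNS lookup is the only change needed for a live audit.

```python
from typing import Callable, Dict, List, Optional

NXDOMAIN = "NXDOMAIN"   # sentinel: the queried name does not exist

# Resolver contract (assumption): return the CNAME target of a name, NXDOMAIN if
# the name does not exist, or None if it exists without a CNAME. A live version on
# dnspython maps dns.resolver.NXDOMAIN -> NXDOMAIN and dns.resolver.NoAnswer -> None.
Resolver = Callable[[str], Optional[str]]

def registrable_domain(name: str) -> str:
    """Last two labels of a name: the domain whose registration to check when a
    CNAME target is NXDOMAIN. Crude: no public-suffix list (co.uk etc.)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_dangling_cnames(subdomains: List[str], resolve: Resolver,
                         max_hops: int = 8) -> Dict[str, str]:
    """Follow each subdomain's CNAME chain; return {subdomain: target} for chains
    that end at a name that no longer exists. A subdomain that is itself NXDOMAIN
    has nothing to take over and is not reported; loops are abandoned at max_hops."""
    findings: Dict[str, str] = {}
    for sub in subdomains:
        name, hops = sub.rstrip("."), 0
        while hops < max_hops:
            target = resolve(name)
            if target is None:          # exists, no further CNAME: healthy
                break
            if target == NXDOMAIN:      # the name we were pointed at is gone
                if hops > 0:            # only a followed CNAME can dangle
                    findings[sub] = name
                break
            name, hops = target.rstrip("."), hops + 1
    return findings

# Constructed sample zone data (not real DNS): anotherexample.com has expired, so
# every name under it is NXDOMAIN; cdnprovider.example is still registered.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "sub.example.com": "cdn.anotherexample.com",    # dangling
    "www.example.com": "edge.cdnprovider.example",  # healthy chain
    "edge.cdnprovider.example": None,
    "loop1.example.com": "loop2.example.com",       # CNAME loop, no finding
    "loop2.example.com": "loop1.example.com",
}

def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS, backed by SAMPLE_RECORDS."""
    name = name.rstrip(".")
    if name == "anotherexample.com" or name.endswith(".anotherexample.com"):
        return NXDOMAIN
    return SAMPLE_RECORDS.get(name, NXDOMAIN)
```

For each reported target, `registrable_domain` gives the name to check against WHOIS before someone else registers it.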
For more info see:
Attackers can even steal your website's resources: through a Cross-Site Scripting vulnerability it is possible to inject a malicious script that mines cryptocurrency while it executes!
Do you remember the shiny new laptop lock that you got to prevent theft of your precious computer? Lock your cup with it, and now the evil cleaning lady and your fellow coffee addicts will stay away from your beloved cup.
Subscribe to our newsletter and stay in touch with us.
The comics were created in collaboration with monkeyuser.com.