Resource takeover x monkeyuser.com


 

Missed the last available coffee mug?
Watch out, April Fools’ Day!

 

There are many things, besides the last free mug of course, that can be taken over. You should know the examples below.

 

 

Don’t let anyone make a fool out of you, and not only on April Fools’ Day.
Make sure that the applications you create are secure. Download our free Mobile Application Security Guide.

 

Read more and check our tips.

 

 

User account takeover

The crown jewel: taking over user accounts, especially when it can be done at scale.

 

  • Facebook had a bug that made it possible to unlock any user’s account on the developer version of the site, beta.facebook.com.

 

We have written about why the OAuth 2.0 protocol is better left out of the authentication process. Airbnb and Uber learned this the hard way.

 

 

  • An attack based on stealing the OAuth access token was also carried out against Uber.

 

 

Subdomain takeover

This is a relatively new item in the attackers’ repertoire. The idea: a subdomain (e.g. sub.example.com) points to a second domain (anotherexample.com) through a CNAME DNS record, and that second domain expires.

 

The attacker can then register anotherexample.com again and, because the CNAME record is still in place, effectively take over sub.example.com.

As a result, cookies scoped to the parent domain can be stolen, and a phishing campaign becomes much easier to prepare and far more convincing.

 

For more info see:

A Guide To Subdomain Takeovers

Subdomain Takeover: Basics
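One way to audit your own zone for the dangling-CNAME case described above (and to do the subdomain check suggested in the tips at the end of the post), as an added Python example that is not part of the original article; the zone records, resolver answers and function names are constructed for illustration:

```python
"""Audit a DNS zone for dangling external CNAMEs (added example, not from the post).

A CNAME pointing outside your own zone at a name that no longer resolves is
the expired-target case described above. The resolver is injected so this
runs offline; in production pass a function that does a real DNS lookup.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone for example.com (not real records): (owner, type, data).
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("sub.example.com.", "CNAME", "anotherexample.com."),       # target expired
    ("blog.example.com.", "CNAME", "pages.host.example.net."),  # target still live
    ("shop.example.com.", "CNAME", "storefront.example.com."),  # alias inside our zone
]

# Constructed resolver answers: None stands for NXDOMAIN / no answer.
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "anotherexample.com": None,
    "pages.host.example.net": "198.51.100.7",
}

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()

def make_resolver(answers: Dict[str, Optional[str]]) -> Callable[[str], Optional[str]]:
    """Offline stand-in for a DNS lookup, backed by a fixed answer table."""
    return lambda name: answers.get(normalize(name))

def in_zone(name: str, apex: str) -> bool:
    """True if name is the zone apex itself or lies beneath it."""
    name, apex = normalize(name), normalize(apex)
    return name == apex or name.endswith("." + apex)

def find_dangling_cnames(records, apex: str, resolve) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs whose CNAME target is external and does not resolve.

    A target that still resolves is not proof of safety: a deleted resource
    behind a hosting provider's wildcard keeps resolving and needs
    provider-specific fingerprinting, which this example does not attempt.
    """
    findings = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME" or in_zone(target, apex):
            continue  # only aliases to names you do not control can be hijacked
        if resolve(target) is None:
            findings.append((normalize(owner), normalize(target)))
    return findings
```

Run it against your real zone export with a resolver that performs actual lookups; every finding is a record to delete or re-point before someone else registers the target.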

 

 

Cryptojacking

Attackers can even steal your website’s resources: through a Cross-Site Scripting vulnerability, it is possible to inject a malicious script that mines cryptocurrency for as long as it runs!

 

 

Stay alert not only on April Fools’ Day:

  • Do a security assessment of your application to check if user accounts are protected properly.
  • If you have multiple subdomains, you can use existing tools to check whether any of them can be taken over.
  • Monitor your computer’s performance, and close unused browser tabs once in a while.

 

Do you remember the shiny new laptop lock that you got to prevent theft of your precious computer? Lock your cup with it, and the evil cleaning lady and your fellow coffee addicts will stay away from your beloved cup.

 

Subscribe to our newsletter and stay in touch with us.

 


 

The comics were created in collaboration with monkeyuser.com.
