Veganism Social

Erik van Straten🌊Please boost, create awareness!🌊<a href="https://infosec.exchange/@webhat" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@webhat</a> wrote: « passwordless works using biometrics to unlock the trusted key store »It *may* require biometrics, or it may not.🤳 For example: on my iPhone, if I REMOVE my stored fingerprint data, then:🔒 I'll *always* have to enter my *passcode* (screen unlock password) when I *CREATE* a new passkey, on any website that supports passkeys;🚨 HOWEVER: I *NEVER* have to enter my passcode (or I can bypass any request) when *USING* a passkey to *LOG IN* on to at least the following websites: • <a href="https://idmsa.apple.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://idmsa.apple.com</a> • <a href="https://webauthn.io" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://webauthn.io</a> • <a href="https://passkeys-demo.appspot.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://passkeys-demo.appspot.com</a> • <a href="https://passkeys.io" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://passkeys.io</a> • <a href="https://webauthn-conditional-ui-demo.glitch.me" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://webauthn-conditional-ui-demo.glitch.me</a>🚨 Similarly, I *always* have to enter my passcode when I *add* a password-based-credentials-record to iCloud Keychain, but *never* when i ask iCloud Keychain to autofill such credentials to log in to *any* website.💣How is this NOT a vulnerability?💣🔧 Note that I've not found *any* configuration setting that (when *not* having configured and using biometrics at all) would force me to *always* authenticate locally to have iCloud Keychain autofill credentials in order to log in to a website.🔓 This is 0FA if someone, who you do not fully trust (e.g. a thief), has or obtains access to your unlocked iPhone or iPad.💥 IMO this is a huge risk, particular after a miscreant observes you entering your passcode and then steals your iDevice, such as clearly visualized by Joanna Stern (of the Wall Street Journal) in <a href="https://youtu.be/QUYODQB_2wQ" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtu.be/QUYODQB_2wQ</a> (follow-up: <a href="https://youtu.be/tCfb9Wizq9Q" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtu.be/tCfb9Wizq9Q</a>). It is a GAPING SECURITY HOLE because most users, in particular those who do NOT use biometrics (many elderly people), are not aware of the risks.😱 And IMO it's *unbelievable* that Apple denies that this is a vulnerability (note that more than one vulnerability may be involved).🔑 <a href="https://hachyderm.io/@rmondello" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@rmondello</a> : see <a href="https://security.apple.com/reports/OE19476493072" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.apple.com/reports/OE19476493072</a> for details.⁉️ What else can I do to bring this to people's attention? Please complain to Apple that they insufficiently protect unaware iDevice users!<a href="https://infosec.exchange/tags/ItsByDesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItsByDesign</a> <a href="https://infosec.exchange/tags/ItsSTUPIDITYByDesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItsSTUPIDITYByDesign</a> <a href="https://infosec.exchange/tags/0FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#0FA</a> <a href="https://infosec.exchange/tags/1FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#1FA</a> <a href="https://infosec.exchange/tags/iCloudKeychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iCloudKeychain</a> <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Apple</a> <a href="https://infosec.exchange/tags/iDevices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iDevices</a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPhone</a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPad</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://infosec.exchange/tags/GapingSecurityHole" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GapingSecurityHole</a> <a href="https://infosec.exchange/tags/Ignorant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ignorant</a> <a href="https://infosec.exchange/tags/Ignorance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ignorance</a> <a href="https://infosec.exchange/tags/Convenience" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Convenience</a> <a href="https://infosec.exchange/tags/ConvenienceOverSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConvenienceOverSecurity</a> <a href="https://infosec.exchange/tags/ConvenienceVsSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConvenienceVsSecurity</a>

Recent searches

Search options

Administered by:

Server stats:

#itsstupiditybydesign