I've also seen some pretty terrible implementations that don’t even allow end users to manage enrolled devices; so if someone steals your authenticator they have access to your account indefinitely.
Personally I like the benefits passkeys offer but some work still needs to be done around management of enrolled devices
>so if someone steals your authenticator they have access to your account indefinitely.
If a user's device is compromised, an attacker can also install a keylogger and steal all their passwords, or better yet steal all their cookies/sessions.
Once a device is compromised, it doesn't really matter what type of credential you're using to authenticate/login with.
But also, if device compromise is what it takes to steal a user's credential, then that would be amazing because it would mean that the goal posts have been moved dramatically in terms of attacker effort. Today, attackers only have to focus on either hacking/attacking 1 service or spin up a single phishing page, and they can mount attacks targeting hundreds of thousands of users with minimal effort.
If passkeys mean that all of a sudden the attackers need to try to compromise hundreds of thousands of unique endpoints/devices, then the amount of resources and effort they need to expend to compromise the same number of users will be raised astronomically. That's a win.
Don’t necessarily agree that selling hacks is ethical, but if I already spent time figuring out how to exploit a system - reporting it to the relevant place is charity. I'll do that, but I'm definitely not spending time trying to fix the code if the solution isn’t immediately obvious. ++ so if you have to fight to get the bug recognised in the first place
There have been cases of applications not performing chain validation - see the paper Spinner: semi automatic detection of pinning without hostname verification (in particular page 8)
While it may be paranoid, there are still risks involved with connecting a device to an untrusted network
There have been cases? I see this kind of stuff all the time. I once saw an app that had a popup warning me that the TLS cert is wrong but still let me connect...
Haha that's terrifying! I was just trying to point out that assuming that apps do this correctly is a bad idea; but my experience echoes yours, it's a common mistake - even just browsing Stack Overflow people give some pretty gnarly advice.
Unless I’ve looked at the app myself I wouldn't touch public wifi - even then there are other risks to consider
A VPN (that you trust) would certainly help a little, but in the above case the connection can still be MITMed from the VPN server to the application backend
Edit: I would for my personal devices, unless I knew the app did something horrendous in advance - but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.
Interesting how tastes can vary, I’ve not used Visual Studio as much but always dread it when I’m forced to. CLion’s debugger has been fine for my uses, although the best debugging experience I’ve ever had was Emacs and GDB many-windows mode; worth noting those were for some fairly simple C programs. Radare is also really powerful once you are used to the keybindings. Colleagues tell me Cutter is decent as well!
Pinning is very complex, there is always the chance that you forget to update the pins and perform a denial of service against your own users. At the point where the device itself is compromised, you can’t really assert to anything. Furthermore, there is always the risk that your developers implement pinning incorrectly and introduce a chain validation failure.
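The two failure modes raised in this thread (pinning that never checks the hostname, per the Spinner paper mentioned above, and a pin set that expires before anyone rotates it) are easy to see in a small model. The following is an added example, not code from any commenter or from a real TLS library; it uses a deliberately simplified certificate model with constructed SPKI byte strings in place of real X.509 parsing, and the 30-day / two-pin policy is an assumed rollout rule, not a standard.

```python
import base64
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class LeafCert:
    """Simplified stand-in for a TLS leaf certificate (constructed, not real X.509)."""
    san: list           # DNS names from subjectAltName
    chain_spkis: list   # SubjectPublicKeyInfo bytes for leaf, intermediate, ... (constructed)
    chain_valid: bool   # outcome of ordinary PKI chain validation (assumed already done)


@dataclass
class Pin:
    sha256_b64: str     # base64(SHA-256(SPKI)), the usual pin format
    expires: date       # date after which the app must no longer rely on this pin


def spki_pin(spki: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def hostname_matches(hostname: str, san: list) -> bool:
    """Exact match or a single-label wildcard match against subjectAltName."""
    host = hostname.lower()
    for name in (n.lower() for n in san):
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def lint_pin_set(pins: list, today: date, min_remaining=timedelta(days=30)) -> list:
    """Release-time check: a pin set with no backup pin, or one about to expire,
    will turn the next key rotation into a self-inflicted outage."""
    problems = []
    live = [p for p in pins if p.expires > today]
    if len(live) < 2:
        problems.append("fewer than two unexpired pins: no backup pin for key rotation")
    for p in live:
        if p.expires - today < min_remaining:
            problems.append(f"pin {p.sha256_b64[:8]}... expires within {min_remaining.days} days")
    return problems


def verify(hostname: str, cert: LeafCert, pins: list, today: date, check_hostname=True):
    """Pinning is an extra check layered on chain + hostname validation, never a
    replacement. check_hostname=False reproduces the 'pinning without hostname
    verification' bug: any cert from the pinned CA is accepted for any name."""
    if not cert.chain_valid:
        return False, "chain validation failed"
    if check_hostname and not hostname_matches(hostname, cert.san):
        return False, "hostname mismatch"
    live = {p.sha256_b64 for p in pins if p.expires > today}
    if not live:
        return False, "all pins expired (self-inflicted outage)"
    if not any(spki_pin(s) in live for s in cert.chain_spkis):
        return False, "SPKI pin mismatch"
    return True, "ok"


# Constructed sample data: the app pins its CA's intermediate key plus a backup key.
INTERMEDIATE_SPKI = b"constructed-intermediate-ca-spki"
TODAY = date(2024, 6, 1)
PINS = [
    Pin(spki_pin(INTERMEDIATE_SPKI), date(2025, 1, 1)),
    Pin(spki_pin(b"constructed-backup-key-spki"), date(2025, 6, 1)),
]
GOOD_CERT = LeafCert(["api.example.com", "*.internal.example.com"],
                     [b"constructed-leaf-spki-api", INTERMEDIATE_SPKI], True)
# A different customer of the same CA: valid chain, same intermediate, wrong name.
OTHER_CERT = LeafCert(["other.example.net"],
                      [b"constructed-leaf-spki-other", INTERMEDIATE_SPKI], True)


def demo() -> dict:
    return {
        "good": verify("api.example.com", GOOD_CERT, PINS, TODAY),
        "wrong_name": verify("api.example.com", OTHER_CERT, PINS, TODAY),
        "pin_only": verify("api.example.com", OTHER_CERT, PINS, TODAY, check_hostname=False),
        "forgot_to_rotate": verify("api.example.com", GOOD_CERT, PINS, date(2025, 7, 1)),
        "lint_today": lint_pin_set(PINS, TODAY),
        "lint_december": lint_pin_set(PINS, date(2024, 12, 15)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `pin_only` case is the point of the Spinner paper: with hostname checking skipped, a certificate issued by the pinned CA for an unrelated name passes, so the pin alone proves nothing about who is on the other end. The `forgot_to_rotate` and `lint_*` cases are the self-DoS side: the lint rejects a pin set that the app would otherwise ship with only a few weeks of validity left.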
Lots of the anticheat/obfuscation mechanisms added to mobile apps are also trivial to bypass using instrumentation - i.e. Frida CodeShare. I know you aren’t implying that people should use client side controls to protect an app running on a device and an environment that they control, but in my experience even some technical folk will try to do this