493 matches found

CVE
added 2020/10/30 6:11 p.m. · 57 views

CVE-2020-8236

Nextcloud Server 19.0.1 contains an improper authentication issue where a misconfiguration causes a passwordless WebAuthn PIN to be treated as two-factor authentication, but the PIN is not actually verified. This vulnerability could lead to users believing they have 2FA protection when the system...

6.8 CVSS · 6.6 AI score · 0.00582 EPSS
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2020/10/30 6:11 p.m. · 30 views

CVE-2020-8236

A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it...

6.8 AI score · 0.00582 EPSS
Exploits 1 · References 2

OpenVAS
added 2020/10/30 12:0 a.m. · 20 views

Nextcloud Server 19.0.1 Improper Authentication Vulnerability (NC-SA-2020-037)

Nextcloud Server is prone to an improper authentication vulnerability.

6.8 CVSS · 6.9 AI score · 0.00582 EPSS
Exploits 1 · References 1

Positive Technologies
added 2020/10/15 12:0 a.m. · 5 views

PT-2020-20047 · Nextcloud +1 · Nextcloud Server +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Server version 19.0.1 Description: The issue arises from a misconfiguration in Nextcloud Server, where the user is incorrectly led to believe that passwordless WebAuthn also serves as two-factor verification. This misconception occu...

8.1 CVSS · 5.6 AI score · 0.01924 EPSS
Exploits 14 · References 40

Nextcloud
added 2020/08/25 12:0 a.m. · 33 views

PIN for passwordless WebAuthn is asked for but not verified (NC-SA-2020-037)

A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it...

4.6 CVSS · 2.3 AI score · 0.00582 EPSS
Exploits 1 · Affected Software 1

Hacker One
added 2020/07/15 12:18 p.m. · 66 views

Nextcloud: PIN for passwordless WebAuthn is asked for but not verified

Nextcloud introduced WebAuthn passwordless authentication with version 19. As far as we understand, you assume that your implementation provides two-factor authentication: "The server asking for authentication can request verification of multiple factors, so that a configured key requires the user...

4.6 CVSS · 1 AI score · 0.00582 EPSS
Exploits 1

Debian CVE
added 2020/07/09 2:39 p.m. · 23 views

CVE-2020-12423

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. Note: This issue only affects the Windows operating system; other operating systems are...

7.8 CVSS · 9.1 AI score · 0.00414 EPSS
Exploits 0

The Hacker News
added 2020/06/15 11:15 a.m. · 43 views

WebAuthn Passwordless Authentication Now Available for Atlassian Products

Atlassian solutions are widely used in the software development industry. Many teams practicing agile software development rely on these applications to manage their projects. Issue-tracking application Jira, Git repository BitBucket, continuous integration and deployment server Bamboo, and team...

0.8 AI score
Exploits 0

The Hacker News
added 2019/08/12 5:25 p.m. · 63 views

Android Users Can Now Log in to Google Services Using Fingerprint

If you're using Chrome on Android, you can now sign in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time. Google is rolling out a new feature, called "local user verification," that allows you to log in to...

Exploits 0

The Hacker News
added 2019/02/25 5:49 p.m. · 104 views

Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins

Great news. If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above—Congratulations! Your device is now FIDO2 Certified. Are you thinking… what the heck that actually means? It means,...

1.6 AI score
Exploits 0

ThreatPost
added 2018/11/05 4:51 p.m. · 631 views

Passwords: Here to Stay, Despite Smart Alternatives?

The lowly password is much-maligned as being the weakest link in any company’s security defenses. That’s for good reason: It’s a fact that password reuse, a lack of strong passwords, a failure to change them on a regular basis and other human errors plague the efficacy of this de facto standard f...

7.5 AI score
Exploits 0 · References 10

Krebs on Security
added 2018/07/23 11:34 a.m. · 49 views

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by...

7.1 AI score
Exploits 0

ThreatPost
added 2018/05/30 3:32 p.m. · 33 views

Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes

Google updated its Chrome browser to version 67.0.3396.62 on Tuesday patching 34 bugs and adding support for the credential management API called WebAuthn. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said. Most notably to the browser update are...

6.8 CVSS · 8.9 AI score · 0.07666 EPSS
Exploits 3 · References 8