
21 matches found

RedhatCVE
added 2026/01/09 12:37 p.m. | 5 views

CVE-2023-50123

The number of attempts to bring the Hozard Alarm system alarmsystemen v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state...

CVSS 8.1 | AI score 6.9 | EPSS 0.00208
Exploits: 1 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-28658

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.7 | EPSS 0.00131
Exploits: 0 | References: 2

Prion
added 2024/01/11 9:15 p.m. | 10 views

Authentication flaw

The number of attempts to bring the Hozard Alarm system alarmsystemen v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state...

CVSS 5.1 | AI score 7.1 | EPSS 0.00208
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2024/01/11 12:0 a.m. | 13 views

CVE-2023-50123

The number of attempts to bring the Hozard Alarm system alarmsystemen v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state...

AI score 8.2 | EPSS 0.00208
Exploits: 1 | References: 1

CVE
added 2024/01/11 12:0 a.m. | 37 views

CVE-2023-50123

The CVE-2023-50123 entry concerns the Hozard Alarm system v1.0, where there is no limit on attempts to disarm via SMS authentication. The connected documents confirm the affected product and the root cause (unbounded attempt count enabling brute force to disarm). The impact is high (confidentiali...

CVSS 8.1 | AI score 7.9 | EPSS 0.00208
Exploits: 1 | References: 1 | Affected Software: 1

Vulnrichment
added 2024/01/11 12:0 a.m. | 1 views

CVE-2023-50123

The number of attempts to bring the Hozard Alarm system alarmsystemen v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state...

AI score 8 | EPSS 0.00208
Exploits: 1 | References: 1

Schneier on Security
added 2022/11/17 10:53 a.m. | 14 views

Failures in Twitter’s Two-Factor Authentication System

Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the...

AI score 1.4
Exploits: 0

Positive Technologies
added 2022/09/13 12:0 a.m. | 3 views

PT-2022-20949 · Devolutions · Devolutions Remote Desktop Manager

Name of the Vulnerable Software and Affected Versions: Devolutions Remote Desktop Manager versions 2022.2.14 and prior versions Description: The issue is related to an Improper Access Control vulnerability in the Duo SMS two-factor authentication of Devolutions Remote Desktop Manager. This...

CVSS 7 | AI score 7 | EPSS 0.00046
Exploits: 0 | References: 3

OSV
added 2022/05/02 10:15 p.m. | 2 views

CVE-2022-23722

When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password...

CVSS 6.5 | AI score 5.8 | EPSS 0.00131
Exploits: 0 | References: 2

CVE
added 2022/05/02 10:5 p.m. | 714 views

CVE-2022-23722

PingFederate Password Reset vulnerability (CVE-2022-23722): when the password-reset mechanism uses the Authentication API with an Authentication Policy, email OTP, PingID, or SMS, an existing user can reset another user’s password. The connected sources describe the issue and its impact but do no...

CVSS 6.5 | AI score 6.6 | EPSS 0.00131
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2022/05/02 10:5 p.m. | 11 views

CVE-2022-23722 PingFederate Password Reset via Authentication API Mishandling

When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password...

AI score 6.8 | EPSS 0.00131
Exploits: 0 | References: 2

CNNVD
added 2022/05/02 12:0 a.m. | 1 views

Ping Identity PingFederate Authorization Issue Vulnerability

Ping Identity PingFederate is a flagship software-based federation server for identity management from Ping Identity of the United States. Ping Identity PingFederate has a security vulnerability that can be exploited by an existing user to reset the password of another existing user when the password reset mechani...

CVSS 6.5 | AI score 6.6 | EPSS 0.00131
Exploits: 0 | References: 3

Malwarebytes
added 2021/07/05 12:6 p.m. | 55 views

A week in security (June 28 – July 4)

Last week on Malwarebytes Labs: Is it Game Over for VR Advergaming? Lil’ skimmer, the Magecart impersonator What is the WireGuard VPN protocol? Binance receives the ban hammer from UK’s FCA Fired by algorithm: The future’s here and it’s a robot wearing a white collar Second colossal Linkedin...

AI score 0.4
Exploits: 0

Malwarebytes
added 2021/07/01 4:32 p.m. | 34 views

SMS authentication code includes ad: a very bad idea

SMS authentication codes are back in the news, and the word I'd use to summarise their reappearance is "embattled." I can still remember a time where two-factor authentication (2FA), authentication grids, regional lockouts, Yubikeys, and offline authentication apps simply did not exist. And if they...

AI score 7.5
Exploits: 0

Hacker One
added 2021/06/27 3:45 p.m. | 20 views

Zenly: Account Takeover via SMS Authentication Flow

Summary: During the authentication flow, an SMS is sent to the user in order to validate the session and proceed to the user account. The way Zenly API handles this flow is by: 1. Calling the /SessionCreate endpoint with the mobile phone number of the user. 2. A session for the user is created an...

AI score 0.7
Exploits: 0

Microsoft Secure
added 2021/04/13 6:0 p.m. | 40 views

How far have we come? The evolution of securing identities

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Troy Hunt, founder of Have I Been Pwned,...

AI score 7.1
Exploits: 0

CNVD
added 2020/02/24 12:0 a.m. | 1 views

Logic Flaw Vulnerability in JEECG-BOOT System of Beijing Guo Torch Information Technology Co.

Jeecg-Boot is a code generator based rapid development platform that can be used to develop backend management systems such as ERP, CRM and applets. A logic flaw exists in the JEECG-BOOT system of Beijing Guo Torch Information Technology Co., Ltd, which can be exploited by an attacker to modify t...

AI score 7.3
Exploits: 0

Hacker One
added 2019/11/05 7:1 p.m. | 16 views

Mail.ru: Account TakeOver through password recovery at am.ru

Insufficient protection allowed account takeover at am.ru via account recovery code bruteforcing. Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...

AI score 3.8
Exploits: 0

ThreatPost
added 2018/08/01 6:33 p.m. | 8 views

Reddit Breach Stems from SMS Two-Factor Authentication Breakdown

Reddit confirmed Wednesday that a hacker broke into its systems and has accessed user data – including email addresses and passwords for accounts. The company said in a post today that the compromise occurred between June 14 and June 18, and it detected the incident on June 19. “We learned that a...

AI score 0.4
Exploits: 0 | References: 3

ThreatPost
added 2012/05/22 5:28 p.m. | 11 views

Tatanga Trojan Mixes MitB with Social Engineering

Cybercriminals are using the Tatanga trojan to carry out a complicated man-in-the-browser (MitB) attack that enables the circumvention of SMS authentication for financial transactions, according to Trusteer’s Amit Klein. The attack is targeting the customers of a number of banks in Germany. How man...

AI score 2.5
Exploits: 0 | References: 2