<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/16/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft&#x2019;s Entra ID vulnerabilities could have been catastrophic</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft%E2%80%99s-entra-id-vulnerabilities-could-have-been-catastrophic-r31443/</link><description><![CDATA[<h3>
	They could've allowed attacker to gain access to virtually all Azure customer accounts.
</h3>

<p>
	As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the <a href="https://www.wired.com/story/secret-hunting-bill-demirkapi/" rel="external nofollow">cloud</a>, they’ve benefitted from the standardized, built-in security features of major cloud providers like <a href="https://www.wired.com/story/microsoft-secure-future-initiative/" rel="external nofollow">Microsoft</a>. But with so much riding on these systems, there can be potentially <a href="https://www.wired.com/story/microsoft-cloud-attack-china-hackers/" rel="external nofollow">disastrous consequences</a> at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a <a href="https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/" rel="external nofollow">pair of vulnerabilities</a> in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.
</p>

<p>
	 
</p>

<p>
	Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to <a href="https://i.blackhat.com/BH-USA-25/Presentations/US-25-Mollema-Advanced-AD-to-Entra-ID-lateral-movement-techniques-Wednesday.pdf" rel="external nofollow">present</a> at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.
</p>

<p>
	 
</p>

<p>
	“I was just staring at my screen. I was like, ‘No, this shouldn’t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”
</p>

<p>
	 
</p>

<p>
	“From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people's configuration, create new and admin users in that tenant, and do anything you would like.”
</p>

<p>
	 
</p>

<p>
	Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241" rel="external nofollow">issued a CVE</a> for the vulnerability on September 4.
</p>

<p>
	 
</p>

<p>
	“We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”
</p>

<p>
	 
</p>

<p>
	Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.
</p>

<p>
	 
</p>

<p>
	Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered, known as Actor Tokens, issued by an obscure Azure mechanism called the Access Control Service. Actor Tokens have special properties that Mollema realized would be useful to an attacker when combined with a second bug. That second bug was a major flaw in the legacy Azure Active Directory Graph API (Azure AD Graph), which was used to access data stored in Microsoft 365. Microsoft is in the process of retiring Azure AD Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was that Azure AD Graph did not properly validate which tenant an Actor Token had been issued for, so the API would accept an Actor Token obtained from one tenant as if it were valid for a different tenant that should have rejected it.
</p>
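<p>
	To make that validation failure concrete, the following Python model is added here for this post; it is not Microsoft's code and does not reproduce the real token format or API. The claim name <code>tid</code>, the HMAC signing key, the in-memory two-tenant directory and the <code>graph_request</code> function are all assumptions made for illustration. The point it shows is the one the article describes: an API that verifies a token's signature but never compares the tenant the token was issued for with the tenant being accessed will honour a token minted in an attacker's own trial tenant against any other tenant, up to adding a new global admin there.
</p>

```python
"""Illustrative model of the tenant-validation flaw described above.

Added example, not Microsoft's code: the token format, the claim name "tid",
the in-memory directory and the API function are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key; a real issuer would sign with its own private key.
SIGNING_KEY = b"demo-signing-key-for-illustration-only"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(issuing_tenant: str, actor: str) -> str:
    """Issue a signed service token that records the tenant it came from in 'tid'."""
    claims = {"tid": issuing_tenant, "actor": actor, "role": "service"}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify_and_decode(token: str) -> dict:
    """Reject forged or tampered tokens; return the claims of a genuine one."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token signature")
    return json.loads(_b64url_decode(body))


def new_directory() -> dict:
    """Constructed sample of two unrelated tenants."""
    return {
        "contoso": {"users": ["alice@contoso"], "global_admins": ["alice@contoso"]},
        "fabrikam": {"users": ["bob@fabrikam"], "global_admins": ["bob@fabrikam"]},
    }


def graph_request(directory: dict, token: str, target_tenant: str, action: str,
                  subject: Optional[str] = None, *, check_tenant: bool) -> List[str]:
    """Serve a directory request against target_tenant.

    check_tenant=False models the flaw: the signature is verified, but the tenant
    the token belongs to is never compared with the tenant being accessed.
    check_tenant=True is the corrected validation logic.
    """
    claims = _verify_and_decode(token)
    if check_tenant and claims["tid"] != target_tenant:
        raise PermissionError(
            f"token issued for tenant {claims['tid']!r}, not {target_tenant!r}")
    tenant = directory[target_tenant]
    if action == "list_users":
        return list(tenant["users"])
    if action == "add_global_admin":
        if subject is None:
            raise ValueError("add_global_admin needs a subject")
        tenant["global_admins"].append(subject)
        return list(tenant["global_admins"])
    raise ValueError(f"unknown action {action!r}")


def is_denied(*args, **kwargs) -> bool:
    """True if graph_request rejects the call with PermissionError."""
    try:
        graph_request(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    directory = new_directory()
    # The attacker only holds a token from their own trial tenant.
    token = issue_actor_token("attacker-trial", "svc")
    # Vulnerable path: cross-tenant read and admin creation both succeed.
    print(graph_request(directory, token, "contoso", "list_users", check_tenant=False))
    print(graph_request(directory, token, "contoso", "add_global_admin",
                        "mallory@attacker-trial", check_tenant=False))
    # Fixed path: the same token is refused for any tenant other than its own.
    print(is_denied(directory, token, "contoso", "list_users", check_tenant=True))
```

<p>
	The signature check alone is not the problem in this model: tampering with the <code>tid</code> claim is caught. What makes the vulnerable path dangerous is that a perfectly genuine token is accepted for a tenant it was never issued for, which is why the fix is a comparison of the token's tenant against the target tenant rather than a change to the cryptography.
</p>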

<p>
	 
</p>

<p>
	“Microsoft built security controls around identity like conditional access and logs, but this internal impersonation token mechanism bypasses them all,” says Michael Bargury, the CTO at security firm Zenity. “This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer.”
</p>

<p>
	 
</p>

<p>
	If the vulnerability had been discovered by, or fallen into the hands of, malicious hackers, the fallout could have been devastating.
</p>

<p>
	 
</p>

<p>
	“We don't need to guess what the impact may have been; we saw two years ago what happened when Storm-0558 compromised a signing key that allowed them to log in as any user on any tenant,” Bargury says.
</p>

<p>
	 
</p>

<p>
	While the specific technical details are different, Microsoft revealed in July 2023 that the Chinese cyber espionage group known as Storm-0558 had stolen a cryptographic key that allowed them to generate authentication tokens and <a href="https://www.wired.com/story/microsoft-cloud-attack-china-hackers/" rel="external nofollow">access cloud-based Outlook email systems</a>, including those belonging to US government departments.
</p>

<p>
	 
</p>

<p>
	Conducted over the course of several months, a Microsoft postmortem on the Storm-0558 attack <a href="https://www.wired.com/story/china-backed-hackers-steal-microsofts-signing-key-post-mortem/" rel="external nofollow">revealed several errors</a> that led to the Chinese group slipping past cloud defenses. The security incident was one of a string of Microsoft issues around that time. These motivated the company to <a href="https://www.wired.com/story/microsoft-secure-future-initiative/" rel="external nofollow">launch its “Secure Future Initiative</a>,” which expanded protections for cloud security systems and set more aggressive goals for responding to vulnerability disclosures and issuing patches.
</p>

<p>
	 
</p>

<p>
	Mollema says that Microsoft was extremely responsive about his findings and seemed to grasp their urgency. But he emphasizes that his findings could have allowed malicious hackers to go even farther than they did in the 2023 incident.
</p>

<p>
	 
</p>

<p>
	“With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,” Mollema says. Any Microsoft service “that you use Entra ID to sign into, whether that be Azure, whether that be SharePoint, whether that be Exchange—that could have been compromised with this.”
</p>

<p>
	 
</p>

<p>
	<em>This story originally appeared on <a href="https://www.wired.com/story/microsoft-entra-id-vulnerability-digital-catastrophe/" rel="external nofollow">wired.com</a>.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/09/microsofts-entra-id-vulnerabilities-could-have-been-catastrophic/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Sunday 21 September 2025 at 3:04 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31443</guid><pubDate>Sat, 20 Sep 2025 17:05:03 +0000</pubDate></item><item><title>Like it or not, your expensive Samsung smart fridge will soon show ads on the cover screen</title><link>https://nsaneforums.com/news/security-privacy-news/like-it-or-not-your-expensive-samsung-smart-fridge-will-soon-show-ads-on-the-cover-screen-r31411/</link><description><![CDATA[<p>
	Recently, a post by Reddit user u/angrycatmeowmeow went viral on the HomeAssistant subreddit, which had users speculating that Samsung is bringing ads to certain smart refrigerator models.
</p>

<p>
	 
</p>

<p>
	The <a automate_uuid="5af98a3b-f838-4daa-abe3-39086e50e5ae" href="https://old.reddit.com/r/homeassistant/comments/1nifp6c/they_finally_did_it_samsung_smart_fridge_one_of/" rel="external nofollow">post from angrycatmeowmeow</a> showed a photo of their Samsung smart refrigerator's cover screen, which was notifying them of an update. The on-screen text explained that after they update, they will be getting ads on the Cover screen for the Weather, Color, and Daily Board themes. The only way to avoid them, the notice stated, is to use the Art and Gallery themes, which will continue to be ad-free.
</p>

<p>
	 
</p>

<div class="img-center">
	<figure class="image image--expandable">
		<img alt="Ad notice on Samsung Fridge" class="ipsImage" height="720" width="708" src="https://cdn.neowin.com/news/images/uploaded/2025/09/1758210844_foh1lyeypipf1.webp">
		<figcaption>
			<em>Image via <a automate_uuid="9ceda1a4-1098-4c44-81bf-ab51cc69289f" href="https://old.reddit.com/r/homeassistant/comments/1nifp6c/they_finally_did_it_samsung_smart_fridge_one_of/" rel="external nofollow">u/angrycatmeowmeow</a></em>
		</figcaption>
	</figure>
</div>

<p>
	When Android Authority <a automate_uuid="e48d85ff-16e1-4ffd-9a75-e0dd62bcb777" href="https://www.androidauthority.com/samsung-confirms-smart-refrigerator-ads-are-coming-3598848/" rel="external nofollow">reached out to Samsung</a> for clarification on the matter, the company responded that it is "committed to innovation and enhancing everyday value" and confirmed that the ads are part of a "pilot program" for certain Family Hub refrigerators in the United States. Ads will appear only when the screen is idle.
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Samsung is committed to innovation and enhancing everyday value for our home appliance customers. As part of our ongoing efforts to strengthen that value, we are conducting a pilot program to offer promotions and curated advertisements on certain Samsung Family Hub refrigerator models in the U.S. market.
	</p>
</blockquote>

<p>
	If you are not familiar, the <a automate_uuid="760ce76e-962b-4fbc-a455-3451bea1b143" href="https://www.samsung.com/us/explore/family-hub-refrigerator/overview/" rel="external nofollow">Samsung Family Hub lineup</a> is a series of premium refrigerators that feature massive touchscreens. These displays can go up to 32 inches on some models. The fridges have features like AI Vision, which recognizes what is inside your appliance. You can also view the contents from anywhere with your smartphone, so you know when you are out of milk. These are expensive machines that can cost well over $3,000.
</p>

<p>
	 
</p>

<p>
	The good news is that Samsung promises that a dismissed ad will not appear again. Of course, this does not mean new ads will not take their place.
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The Cover Screen appears when a Family Hub screen is idle. Ad design format may change depending on Family Hub personalization options for the Cover Screen, and advertising will not appear when Cover Screen displays Art Mode or picture albums. Advertisements can be dismissed on the Cover Screens where ads are shown, meaning that specific ads will not appear again during the campaign period.
	</p>
</blockquote>

<p>
	The company did not say whether this program will expand to other regions or models. So, it is quite possible for this "feature" to become standard across more of its expensive smart appliances down the line.
</p>

<p>
	 
</p>

<p>
	If you are affected and want to get rid of the ads, <a automate_uuid="9d8ee169-800e-4a66-88fe-78591085ac89" href="https://old.reddit.com/r/homeassistant/comments/1nifp6c/they_finally_did_it_samsung_smart_fridge_one_of/neisb0g/" rel="external nofollow">one user suggested</a> wildcard-blocking <code>samsungiotcloud.com</code> on your network, which may stop the fridge from reaching the servers that deliver the ads. Even if that works, there is a significant catch: angrycatmeowmeow confirmed that blocking that domain seems to break the internal camera.
</p>

<p>
	 
</p>

<p>
	Speaking of ad blocking, Google <a automate_uuid="9af2348a-4d5c-47ba-940e-c4c55fb13442" href="https://www.neowin.net/news/google-lists-a-reason-explaining-why-ad-blockers-on-youtube-are-a-bad-thing/" rel="external nofollow">recently provided</a> a new reason to discourage users from blocking ads on YouTube, claiming that ad blockers interfere with view counts. The company suggests that channels may see their traffic metrics fluctuate if a large portion of their audience uses these tools.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/like-it-or-not-your-expensive-samsung-smart-fridge-will-soon-show-ads-on-the-cover-screen/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 19 September 2025 at 4:42 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31411</guid><pubDate>Thu, 18 Sep 2025 18:46:05 +0000</pubDate></item><item><title>Google lists a reason explaining why ad blockers on YouTube are a bad thing</title><link>https://nsaneforums.com/news/security-privacy-news/google-lists-a-reason-explaining-why-ad-blockers-on-youtube-are-a-bad-thing-r31410/</link><description><![CDATA[<p>
	If you have been reading Neowin, you are probably familiar with Google's stance on content blockers such as ad blockers on YouTube. For those wondering, the company is definitely not a fan of them and has been trying to make life harder for users who rely on such apps and services to block ads.
</p>

<p>
	 
</p>

<p>
	For example, earlier this year, <a automate_uuid="56aca9b1-f753-4e63-b108-6a8c647cbb22" href="https://www.neowin.net/news/google-not-letting-youtube-videos-play-with-opera-firefox-adblockers-chrome-is-slow/" rel="external nofollow">Neowin noticed how having an ad blocker on</a> meant that certain affected users were not able to play the videos they were trying to watch. In 2024, it was reported that Google was testing <a automate_uuid="cfe5f102-06f9-4b3b-bd74-9ec0c3e8156c" href="https://www.neowin.net/news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos/" rel="external nofollow">unblockable server-side ads</a> on the video platform. Later that same year, the tech giant was also accused of shenanigans regarding the <a automate_uuid="65b00b3d-3139-413f-919e-5d89e4298487" href="https://www.neowin.net/news/after-users-accusation-youtube-comes-out-clean-regarding-hiding-the-ad-skip-button/" rel="external nofollow">"skip ad" button</a>.
</p>

<p>
	 
</p>

<p>
	To be fair to Google, there have been instances where bugs in ad-blocking scripts have <a automate_uuid="c3e335d3-90ec-43f5-b350-9eee1fc6009e" href="https://www.neowin.net/news/adblock-google-did-not-slow-down-and-lag-youtube-performance-with-ad-blocker-on/" rel="external nofollow">led to issues on YouTube</a>. And according to a new support article Google published this week, ad blockers are also affecting the YouTube view counter: Google has blamed content blockers, among other things, for reduced hits on videos from various creators.
</p>

<p>
	 
</p>

<p>
	The company says that ad blockers make view-count metrics inaccurate, leading to bigger fluctuations in traffic. It <a automate_uuid="748d66d2-acba-4cb2-8263-9ed936c36597" href="https://support.google.com/youtube/thread/373195597" rel="external nofollow">writes</a>:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Viewers Using Ad Blockers &amp; Other Content Blocking Tools</strong>: Ad blockers and other extensions can impact the accuracy of reported view counts. Channels whose audiences include a higher proportion of users utilizing such tools may see more fluctuations in traffic related to updates to these tools.
	</p>
</blockquote>

<p>
	With this message, Google likely hopes that creators themselves will begin to encourage their viewers to disable content blockers.
</p>

<p>
	 
</p>

<p>
	While the reason cited by Google for reduced hits is certainly plausible, it is also noteworthy that with the rise of AI chatbots and AI scrapers, people may simply not be watching a video to get the information they wish to have.
</p>

<p>
	 
</p>

<p>
	AI summaries are getting popular and Neowin too has seen greatly reduced human traffic over the last year or so since AI search began to be more relevant and popular. Google however <a automate_uuid="85a9d9bb-b3df-47cd-b227-730815dd7f07" href="https://blog.google/products/search/ai-search-driving-more-queries-higher-quality-clicks/" rel="external nofollow">claims the opposite</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-lists-a-reason-explaining-why-ad-blockers-on-youtube-are-a-bad-thing/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 19 September 2025 at 4:35 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31410</guid><pubDate>Thu, 18 Sep 2025 18:36:54 +0000</pubDate></item><item><title>Google patches sixth Chrome zero-day exploited in attacks this year</title><link>https://nsaneforums.com/news/security-privacy-news/google-patches-sixth-chrome-zero-day-exploited-in-attacks-this-year-r31409/</link><description><![CDATA[<p>
	Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
</p>

<p>
	 
</p>

<p>
	While Google did not say outright whether the flaw is still being actively abused, it warned that an exploit for it exists in the wild, which is a common indicator of active exploitation.
</p>

<p>
	 
</p>

<p>
	"Google is aware that an exploit for CVE-2025-10585 exists in the wild," <a href="https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html" rel="external nofollow" target="_blank">Google warned</a> in a security advisory published on Wednesday.
</p>

<p>
	 
</p>

<p>
	This high-severity zero-day vulnerability is caused by a <a href="https://cwe.mitre.org/data/definitions/843.html" rel="external nofollow" target="_blank">type confusion</a> weakness in the web browser's V8 JavaScript engine, reported by Google's Threat Analysis Group on Tuesday.
</p>

<p>
	 
</p>

<p>
	Google TAG frequently flags zero-days exploited by government-sponsored threat actors in targeted spyware campaigns targeting high-risk individuals, including but not limited to opposition politicians, dissidents, and journalists.
</p>

<p>
	 
</p>

<p>
	The company mitigated the security issue one day later with the release of 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux, versions that will roll out to the Stable Desktop channel over the coming weeks.
</p>

<p>
	 
</p>

<p>
	While Chrome automatically updates when new security patches are available, you can speed up the process by going to the Chrome menu &gt; Help &gt; About Google Chrome, allowing the update to finish, and then clicking the 'Relaunch' button to install it immediately.
</p>
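<p>
	For anyone managing more than one machine, the practical check is whether every install is at or above the fixed build. The following Python helper is added for this post and is not Google's or BleepingComputer's code; the inventory format (<code>hostname,platform,version</code>, one per line) and the sample lines are constructed for the example. It uses 140.0.7339.185 as the minimum patched build, since that is the lowest version the advisory lists as fixed on any desktop platform (Windows and Mac also shipped .186), and it reports malformed lines separately rather than silently skipping them.
</p>

```python
"""Added example: flag Chrome installs below the fixed build named above.

Not Google's or BleepingComputer's code. The inventory format and the sample
data are constructed for this example.
"""
from typing import List, Tuple

# Lowest build the advisory lists as fixed on any desktop platform.
MIN_FIXED = (140, 0, 7339, 185)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '140.0.7339.185' into a comparable 4-tuple; reject anything else."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) != 4:
        raise ValueError(f"expected a 4-part Chrome version, got {text!r}")
    return tuple(parts)


def needs_update(version: str, minimum: Tuple[int, ...] = MIN_FIXED) -> bool:
    """True if the version sorts below the minimum patched build."""
    return parse_version(version) < minimum


def hosts_needing_update(inventory: str) -> Tuple[List[Tuple[str, str, str]], List[int]]:
    """Return (outdated hosts, 1-based line numbers that could not be parsed)."""
    outdated: List[Tuple[str, str, str]] = []
    malformed: List[int] = []
    for lineno, raw in enumerate(inventory.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            malformed.append(lineno)
            continue
        host, platform, version = fields
        try:
            if needs_update(version):
                outdated.append((host, platform, version))
        except ValueError:
            # e.g. "not-installed" or a truncated version string
            malformed.append(lineno)
    return outdated, malformed


# Constructed sample data, not a real inventory.
SAMPLE_INVENTORY = """\
# hostname,platform,version
ws-01,windows,140.0.7339.186
ws-02,windows,140.0.7339.133
mac-01,mac,140.0.7339.185
lx-01,linux,139.0.7258.154
lx-02,linux,140.0.7339.185
ws-03,windows,not-installed
"""


if __name__ == "__main__":
    outdated, malformed = hosts_needing_update(SAMPLE_INVENTORY)
    for host, platform, version in outdated:
        print(f"UPDATE {host} ({platform}) is on {version}")
    if malformed:
        print("could not parse lines:", malformed)
```

<p>
	Comparing tuples of integers avoids the classic mistake of comparing version strings lexicographically, where "140.0.7339.99" would sort after "140.0.7339.185". The malformed list matters as much as the outdated one: a host that reports no parseable version is not known to be patched.
</p>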

<p>
	 
</p>

<p>
	<img alt="Chrome 140.0.7339.186" class="ipsImage" height="239" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Chrome%20140_0_7339_186.png">
</p>

<p>
	 
</p>

<p>
	Although Google has confirmed that an exploit for CVE-2025-10585 exists in the wild, it has yet to share details about the in-the-wild exploitation.
</p>

<p>
	 
</p>

<p>
	"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
</p>

<p>
	 
</p>

<p>
	This is the sixth actively exploited Chrome zero-day Google has fixed this year; the previous five were patched in March, May, June, and July.
</p>

<p>
	 
</p>

<p>
	In July, it addressed another actively exploited zero-day (<a href="https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-sandbox-escape-zero-day-in-chrome/" rel="external nofollow" target="_blank">CVE-2025-6558)</a> reported by Google TAG researchers, which allowed attackers to escape the browser's sandbox protection.
</p>

<p>
	 
</p>

<p>
	Google released additional emergency security updates in May to address a Chrome zero-day (<a href="https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/" rel="external nofollow" target="_blank">CVE-2025-4664</a>) that let attackers hijack accounts, and fixed an out-of-bounds read and write weakness (<a href="https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-bug-exploited-in-attacks/" rel="external nofollow" target="_blank">CVE-2025-5419</a>) in Chrome's V8 JavaScript engine discovered by Google TAG in June.
</p>

<p>
	 
</p>

<p>
	In March, it also patched a high-severity sandbox escape flaw (<a href="https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/" rel="external nofollow" target="_blank">CVE-2025-2783</a>) reported by Kaspersky, which was used in espionage attacks against Russian government organizations and media outlets.
</p>

<p>
	 
</p>

<p>
	Last year, <a href="https://www.bleepingcomputer.com/news/security/google-tags-a-tenth-chrome-zero-day-as-exploited-this-year/" rel="external nofollow" target="_blank">Google patched 10 more zero-day bugs</a> that were either demoed during Pwn2Own hacking competitions or exploited in attacks.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-patches-sixth-chrome-zero-day-exploited-in-attacks-this-year/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 19 September 2025 at 4:33 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31409</guid><pubDate>Thu, 18 Sep 2025 18:34:57 +0000</pubDate></item><item><title>Amazon is creating more tools to fill its site with AI ads</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-is-creating-more-tools-to-fill-its-site-with-ai-ads-r31388/</link><description><![CDATA[<h3>
	Sellers can now interact with an AI chatbot to generate ads that match their branding.
</h3>

<p>
	Amazon is opening the door to even more AI ads by offering sellers access to a new chatbot that can generate promos with a simple text prompt. <a href="https://advertising.amazon.com/library/news/amazon-ads-agentic-ai-creative-tool" rel="external nofollow">With the new tool</a>, Amazon sellers can describe the type of ad they’d like to see, and the AI chatbot will draw from a seller’s brand guidelines, product pages, and other store details to generate a concept, whether it’s for a static advertisement or a video ad.
</p>

<p>
	 
</p>

<p>
	An example shared by Amazon shows how sellers can go from asking the AI chatbot to create taglines and images for a product, to having it write a script, add music, generate a voiceover, and lay out a storyboard. “This tool reduces the time and cost of designing creative ads, encouraging advertisers to explore and experiment rapidly,” Amazon writes. The ads can appear on Amazon’s online marketplace and across its other properties like Prime Video, the Kindle, and even Twitch.
</p>

<p>
	 
</p>

<div>
	<div class="_1ymtmqpj">
		<div>
			<div class="duet--media--content-warning ucljxw0">
				<div class="duet--article--image-gallery-image kqz8fh0" id="dmcyOmltYWdlOjc4MDA1MQ==">
					<a class="kqz8fh1" data-pswp-height="2268" data-pswp-width="4031" href="https://platform.theverge.com/wp-content/uploads/sites/2/2025/09/amazon-ai-storyboard.jpg?quality=90&amp;strip=all&amp;crop=0,0,100,100" rel="external nofollow" target="_blank"><img alt="Amazon’s AI chatbot can generate a storyboard and more." class="ipsImage" data-chromatic="ignore" data-nimg="fill" decoding="async" height="720" width="720" src="https://platform.theverge.com/wp-content/uploads/sites/2/2025/09/amazon-ai-storyboard.jpg?quality=90&amp;strip=all&amp;crop=0%2C0%2C100%2C100&amp;w=1080"></a>
				</div>
			</div>
		</div>

		<div class="duet--media--caption qama0i0">
			<div>
				<em>Amazon’s AI chatbot can generate a storyboard and more.</em>
			</div>

			<p>
				<cite class="duet--article--dangerously-set-cms-markup _1xwtict2 qama0i1">Image: Amazon</cite>
			</p>

			<p>
				 
			</p>
		</div>
	</div>
</div>

<p>
	The tool is similar to the <a href="https://ads.tiktok.com/help/article/about-symphony-creative-studio?lang=en" rel="external nofollow">AI chatbot-style interface</a> that advertisers on TikTok can use <a href="https://www.reuters.com/technology/artificial-intelligence/tiktok-launches-ai-powered-video-platform-advertisers-globally-2024-11-14/" rel="external nofollow">to generate video ads</a>. It also builds on Amazon’s existing AI tools, which already let sellers <a href="/news/685160/amazon-ads-ai-video-generator-us-launch-availability" rel="">generate AI videos showcasing</a> their products. Amazon says its AI chatbot is still in beta and runs on <a href="/2024/12/3/24312260/amazon-nova-foundation-ai-models-anthropic" rel="">Amazon’s Nova AI model</a>, as well as Anthropic’s Claude.
</p>

<p>
	 
</p>

<p>
	Amazon is <a href="https://www.aboutamazon.com/news/innovation-at-amazon/seller-assistant-agentic-ai" rel="external nofollow">adding new “agentic” capabilities</a> to its AI-powered seller assistant as well, allowing it to monitor inventory levels and provide information about how a seller can “optimize” their business by flagging items that are slow to sell or suggesting price changes. The seller assistant can now scan a seller’s account for product listings that may violate new product safety policies, too, in addition to suggesting new types of products to sell based on customer behavior.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/news/780045/amazon-ai-ads-chatbot-inventory-monitoring" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 18 September 2025 at 4:34 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31388</guid><pubDate>Wed, 17 Sep 2025 18:35:14 +0000</pubDate></item><item><title>Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service-r31387/</link><description><![CDATA[<p>
	Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials.
</p>

<p>
	 
</p>

<p>
	In early September 2025, in coordination with <a href="https://www.cloudflare.com/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/" rel="external nofollow" target="_blank">Cloudflare's Cloudforce One</a> and Trust and Safety teams, Microsoft's Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365.
</p>

<p>
	 
</p>

<p>
	The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.
</p>

<p>
	 
</p>

<p>
	For instance, a large-scale RaccoonO365 tax-themed phishing campaign targeted over 2,300 organizations in the United States in April 2025, but these phishing kits have also been deployed in attacks against more than 20 U.S. healthcare organizations.
</p>

<p>
	 
</p>

<p>
	The credentials, cookies, and other data stolen from victims' OneDrive, SharePoint, and email accounts were later employed in financial fraud attempts, extortion attacks, or as initial access to other victims' systems.
</p>

<p>
	 
</p>

<p>
	"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals," <a href="https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/" rel="external nofollow" target="_blank">said Steven Masada</a>, Assistant General Counsel for Microsoft's Digital Crimes Unit.
</p>

<p>
	 
</p>

<p>
	"In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients."
</p>

<p>
	 
</p>

<p>
	RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. The prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) cryptocurrency.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="RaccoonO365 Telegram channel" class="ipsImage" height="454" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/RaccoonO365-Telegram-channel.jpg">
		<figcaption>
			<em>RaccoonO365 Telegram channel (Cloudflare)</em>
		</figcaption>
	</figure>
</div>

<p>
	Microsoft estimated that the group has received at least $100,000 in cryptocurrency payments so far, suggesting there are approximately 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.
</p>

<p>
	 
</p>

<p>
	During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.
</p>

<p>
	 
</p>

<p>
	Cloudflare also believes that RaccoonO365 collaborates with Russian-speaking cybercriminals, given the use of Russian in its Telegram bot's name.
</p>

<p>
	 
</p>

<p>
	"Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code," Masada added.
</p>

<p>
	 
</p>

<p>
	"An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement."
</p>

<p>
	 
</p>

<p>
	In May, Microsoft <a href="https://www.bleepingcomputer.com/news/security/lumma-infostealer-malware-operation-disrupted-2-300-domains-seized/" rel="external nofollow" target="_blank">also seized 2,300 domains</a> in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 18 September 2025 at 4:33 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31387</guid><pubDate>Wed, 17 Sep 2025 18:34:26 +0000</pubDate></item><item><title>Apple patches a zero-day threat in older iPhones, iPads</title><link>https://nsaneforums.com/news/security-privacy-news/apple-patches-a-zero-day-threat-in-older-iphones-ipads-r31386/</link><description><![CDATA[<p>
	Apple has released a security update for many older iPhone and iPad models. This update includes a critical security fix, for a zero-day threat.
</p>

<p>
	 
</p>

<p>
	This security update completely went under my radar because I was focusing on iOS 26 and didn't check Apple's security releases page. Speaking of which, iOS 26, iPadOS 26 and macOS Tahoe 26 all ship with <a data-wpel-link="external" href="https://support.apple.com/en-us/125108" rel="external nofollow" target="_blank">a bunch of new security fixes</a>.
</p>

<p>
	 
</p>

<p>
	Anyway, let's get back to the update for older devices. The vulnerability in question is tracked as CVE-2025-43300. What's interesting about this is that it is the same as <a data-wpel-link="internal" href="https://www.ghacks.net/2025/08/21/apple-releases-fix-for-a-zero-day-threat-in-ios-ipados-and-macos/" rel="external nofollow" target="_blank">the one I wrote about last month</a>. Apple patched the zero-day in iOS, iPadOS and macOS on August 20 with the release of iOS 18.6.2, iPadOS 18.6.2, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8 and macOS Ventura 13.7.8.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="external" href="https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-ipads/" rel="external nofollow" target="_blank">Bleeping Computer</a> spotted security advisories on Apple's website announcing the release of iOS 15.8.5, iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12 to patch the vulnerability. Here's a brief description of the issue: processing a malicious image file may result in memory corruption. For instance, a photo with spyware code could lead to a targeted attack. Apple says it patched an out-of-bounds write issue with improved bounds checking. The release notes mention that "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." As I said, that is a sophisticated mercenary spyware attack targeting individuals like journalists, activists, etc.
</p>

<p>
	 
</p>

<p>
	The <a data-wpel-link="external" href="https://support.apple.com/en-us/125141" rel="external nofollow" target="_blank">iOS 16.7.12 update</a> is available for the iPhone 8, iPhone 8 Plus and iPhone X, while the <a data-wpel-link="external" href="https://support.apple.com/en-us/125142" rel="external nofollow" target="_blank">iOS 15.8.5 update</a> is available for the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation) and iPod touch (7th generation). iPadOS 16.7.12 is available for the iPad 5th generation, iPad Pro 9.7-inch and iPad Pro 12.9-inch 1st generation, while iPadOS 15.8.5 is available for the iPad Air 2 and iPad mini (4th generation).
</p>

<p>
	 
</p>

<p>
	It's good to see Apple patching security issues on devices that are nearly ten years old; the iPhone 7 was launched in 2016. Earlier this month, <a data-wpel-link="internal" href="https://www.ghacks.net/2025/09/01/whatsapp-fixes-zero-click-vulnerability-in-ios-and-macos-which-was-used-in-targeted-spyware-attacks/" rel="external nofollow" target="_blank">WhatsApp fixed a zero-click vulnerability</a> in iOS and macOS that was used in similar attacks.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/09/17/apple-patches-zero-day-threats-in-older-iphones-ipads/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 18 September 2025 at 4:33 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">31386</guid><pubDate>Wed, 17 Sep 2025 18:33:26 +0000</pubDate></item><item><title>Windows Secure Boot certificates are expiring, here is everything you need know</title><link>https://nsaneforums.com/news/security-privacy-news/windows-secure-boot-certificates-are-expiring-here-is-everything-you-need-know-r31370/</link><description><![CDATA[<p>
	About three months ago, Microsoft published a blog post about <a automate_uuid="757572d2-7865-454e-bdb3-63ba794e4ac2" href="https://www.neowin.net/news/certificates-for-one-of-windows-11s-hardware-requirements-expire-soon-here-is-what-to-know/" rel="external nofollow">expiring Secure Boot certificates</a> and explained why the issue is important and what you need to know about it. Now, as the expiry date approaches, the company has published a new support document with more details about the matter.
</p>

<p>
	 
</p>

<p>
	Microsoft introduced Secure Boot in 2011 as a new method to ensure your computer boots using verified firmware and a trusted bootloader. Years later, Secure Boot became one of Windows 11's hardware requirements alongside Trusted Platform Module as part of Microsoft's push to make devices more secure.
</p>

<p>
	 
</p>

<p>
	The first Secure Boot certificates are valid for 15 years and are about to expire in June 2026. Expired certificates are a big deal because, without replacements in the firmware's trust store, Windows cannot apply certain updates, which leaves your system vulnerable to bootkits and other malware.
</p>

<p>
	 
</p>

<p>
	Updating certificates is not something your average Joe does on a regular basis. As such, Microsoft prepared a detailed FAQ section where it answered all the possible questions about expired certificates and what to do with them. If you own a regular home PC that gets updates via Windows Update, there is pretty much nothing to worry about, as Microsoft will make all the necessary updates in the background (another reason why you should not disable Windows Updates for long periods).
</p>

<p>
	 
</p>

<p>
	If you are on Windows 10 and you do not plan to upgrade to Windows 11, <a automate_uuid="6f042551-ac25-45c8-ad49-f22a11f91b2f" href="https://www.neowin.net/guides/how-to-get-one-more-year-of-windows-10-updates-for-free/" rel="external nofollow">enrolling in the Extended Security Updates program</a> is a must to get updated certificates. The only exception is supported Windows 10 LTSC/LTSB releases, which will continue receiving security updates past October 14, 2025. Microsoft makes it clear that unsupported Windows versions will not get new Secure Boot certificates.
</p>

<p>
	 
</p>

<p>
	The new FAQ section also addresses the question about upgrading Windows 10 LTSC to Windows 11 LTSC with Secure Boot turned off and an expired certificate. Microsoft explains that such devices will not receive new certificates, and users will have to "follow specific migration steps relevant at that time" to ensure their systems have the 2023 certificates.
</p>

<p>
	 
</p>

<p>
	There is another important area that the FAQ document explains, which is about PCs that cannot boot after resetting the firmware. Microsoft explains that systems that already use a boot manager with the 2023 certificates will stop booting if users reset firmware to defaults that do not include the Windows UEFI CA 2023 certificate. This can be mitigated by reapplying the certificate using a recovery USB (explained in detail in <a automate_uuid="0cedd6e0-8d6d-4f6e-a6c2-68fea93bfa58" href="https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_windows_install_media" rel="external nofollow">this document</a>).
</p>
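<p>
	Whether a machine already trusts the new CA can be read straight out of the firmware. The Secure Boot db variable is a sequence of EFI_SIGNATURE_LIST structures, each holding one or more fixed-size EFI_SIGNATURE_DATA entries (an owner GUID followed by a DER certificate or a SHA-256 hash). The parser below is an added example and not Microsoft's tooling: it walks that format and reports whether an X.509 entry carries the subject text of the 2011 CA ("Microsoft Windows Production PCA 2011") or the new "Windows UEFI CA 2023". DER stores the common name as plain text, so a byte search suffices without an ASN.1 library. The sample db bytes, the owner GUID and the certificate blobs are constructed, with placeholder bytes standing in for real DER certificates; only the signature-type GUIDs and the structure layout come from the UEFI specification.
</p>

```python
"""Inspect a raw UEFI Secure Boot 'db' value for the Microsoft signing CAs.
Added example; not Microsoft's code. Sample data below is constructed."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification. The variable stores GUIDs
# in mixed-endian "bytes_le" form, which uuid.UUID(bytes_le=...) decodes.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# Subject CN text as it appears verbatim inside the DER certificates.
CA_2011 = b"Microsoft Windows Production PCA 2011"
CA_2023 = b"Windows UEFI CA 2023"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian), 28 bytes.
HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Walk the db value and return one dict per EFI_SIGNATURE_DATA entry."""
    blob = bytes(blob)
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        end = off + list_size
        body = off + HEADER.size + hdr_size
        if end > len(blob) or body > end:
            raise ValueError("inconsistent SignatureListSize/SignatureHeaderSize")
        if sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        sig_type = uuid.UUID(bytes_le=type_le)
        while body < end:
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=blob[body:body + 16])),
                "data": blob[body + 16:body + sig_size],
            })
            body += sig_size
        off = end
    return entries


def is_well_formed(blob):
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def ca_status(blob):
    """Which Microsoft CAs the db trusts, judged by CN text in X.509 entries."""
    certs = [e["data"] for e in parse_signature_lists(blob) if e["type"] == "x509"]
    return {"x509_entries": len(certs),
            "has_2011_ca": any(CA_2011 in c for c in certs),
            "has_2023_ca": any(CA_2023 in c for c in certs)}


def load_efivar(path):
    """Read a variable from Linux efivarfs; the first 4 bytes are attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# --- constructed input -------------------------------------------------------
def build_list(sig_type, owner, datas):
    """Serialize one EFI_SIGNATURE_LIST with an empty SignatureHeader."""
    size = len(datas[0])
    if any(len(d) != size for d in datas):
        raise ValueError("entries in one list must share SignatureSize")
    sig_size = 16 + size
    header = HEADER.pack(sig_type.bytes_le, HEADER.size + sig_size * len(datas), 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in datas)


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed SignatureOwner
# Placeholder blobs standing in for DER certificates; only the CN text matters here.
FAKE_CERT_2011 = b"\x30\x82\x05\xd0<der>" + CA_2011 + b"</der>"
FAKE_CERT_2023 = b"\x30\x82\x06\x10<der>" + CA_2023 + b"</der>"
SAMPLE_DB_OLD = (build_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_2011])
                 + build_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32]))
SAMPLE_DB_NEW = SAMPLE_DB_OLD + build_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_2023])

if __name__ == "__main__":
    for label, db in (("before update", SAMPLE_DB_OLD), ("after update", SAMPLE_DB_NEW)):
        print(label, ca_status(db))
```

<p>
	On Linux the raw value lives at /sys/firmware/efi/efivars/db-d719b2cb-3d3e-4596-a3bc-dad00e67656f and load_efivar strips the attribute prefix; on Windows the same bytes come from <code>(Get-SecureBootUEFI -Name db).Bytes</code>. A db that reports has_2023_ca as False is exactly the state the FAQ warns about after a firmware reset, and the recovery-USB procedure linked above is the fix. Note that db trust is only half the picture: the boot manager on disk must also be the one signed with the 2023 CA.
</p>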

<p>
	 
</p>

<p>
	You can read all the questions and answers about expiring Secure Boot certificates in the official document <a automate_uuid="84b88248-ee51-4f2c-9d0a-c6797cbcbb93" href="https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-secure-boot-certificates-are-expiring-here-is-everything-you-need-know/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 17 September 2025 at 4:41 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">31370</guid><pubDate>Tue, 16 Sep 2025 18:42:07 +0000</pubDate></item><item><title>When will Jaguar Land Rover restart production? &#x201C;No one actually knows.&#x201D;</title><link>https://nsaneforums.com/news/security-privacy-news/when-will-jaguar-land-rover-restart-production-%E2%80%9Cno-one-actually-knows%E2%80%9D-r31369/</link><description><![CDATA[<h3>
	Cyberattack has frozen operations at the company since the end of August.
</h3>

<p>
	Jaguar Land Rover’s dealers and suppliers fear the British carmaker’s operations will take another few months to normalize after a cyber attack that experts estimate could wipe more than £3.5 billion off its revenue.
</p>

<p>
	 
</p>

<p>
	JLR, which is owned by India’s Tata Motors, has been forced to shut down its systems and halt production across its UK factories since August 31, wreaking havoc across the country’s vast supply chain involving roughly 200,000 workers.
</p>

<p>
	 
</p>

<p>
	JLR on Tuesday said it would extend its production halt until at least next Wednesday as it continued its investigation. In a statement, the company also cautioned that “the controlled restart of our global operations… will take time.”
</p>

<p>
	 
</p>

<p>
	If JLR cannot produce vehicles until November, David Bailey, professor at University of Birmingham, estimated that the group would suffer a revenue hit of more than £3.5 billion while it would lose about £250 million in profits, or about £72 million in revenue and £5 million in profits on a daily basis.
</p>

<p>
	 
</p>

<p>
	With annual revenues of £29 billion in 2024, JLR will be able to absorb the financial costs but Bailey warned the consequences would be bigger for the smaller sized companies in its supply chain. JLR declined to comment.
</p>

<p>
	 
</p>

<p>
	The cyber attack comes at a crucial period for the UK carmaker when it is going through a controversial rebranding of its Jaguar brand and an expensive shift to all-electric vehicles by the end of the decade. Even before the latest incident, people briefed on the matter have said the company was facing delays with launching its new electric models.
</p>

<p>
	 
</p>

<p>
	“They are clearly in chaos,” said one industry executive who works closely with JLR, while another warned that “no one actually knows” when production would resume.
</p>

<p>
	 
</p>

<p>
	“If there is a major financial hit, the CEO will look for significant cost savings to try and recover some of that, so that could hit both the production base in the UK but also its product development,” said Bailey.
</p>

<p>
	 
</p>

<p>
	According to people close to the industry, JLR has been helped by an ample inventory of JLR vehicles before the incident, meaning car sales were unaffected after production halted. The company is still able to sell new cars and register them manually.
</p>

<p>
	 
</p>

<p>
	According to online marketplace Auto Trader, JLR took the top slot on its new car platform in August and is vying for a similar position in September with almost a million ad views in the two months.
</p>

<p>
	 
</p>

<p>
	“Despite the well documented issues with the much-loved British brand at the moment, not only is there plenty of stock available but it’s also drawing in the largest audiences in relation to its competitors,” said Ian Plummer, chief commercial officer at Auto Trader.
</p>

<p>
	 
</p>

<p>
	Nevertheless, an immediate challenge for retailers has been their ability to source parts for car repairs. JLR has tried to secure additional supplies in response.
</p>

<p>
	 
</p>

<p>
	The company is also asking UK government officials to provide emergency support for its suppliers to get through this period, according to people close to the talks.
</p>

<p>
	 
</p>

<p>
	While JLR has not provided information on who is responsible for the attack, a hacker calling himself “Rey” has claimed to have infiltrated the carmaker’s systems for the second time in just six months.
</p>

<p>
	 
</p>

<p>
	Cyber experts say they believe “Rey” is the same individual previously linked to the hacker group Hellcat, which claimed to have breached JLR in March and to have stolen confidential data. JLR declined to comment on the previous incident in March.
</p>

<p>
	 
</p>

<p>
	The group, which uses the same tactics as the “Scattered Spider” collective linked to the high-profile attacks on retailers including M&amp;S, has previously claimed to have attacked companies such as telecoms group Telefónica.
</p>

<p>
	 
</p>

<p>
	The cyber attack at M&amp;S in April forced the retailer to suspend online clothing and homeware sales for seven weeks—a disruption expected to cost up to £300 million in operating profits this year.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/cars/2025/09/when-will-jaguar-land-rover-restart-production-no-one-actually-knows/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 17 September 2025 at 4:39 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">31369</guid><pubDate>Tue, 16 Sep 2025 18:40:47 +0000</pubDate></item><item><title>Microsoft commits to European interoperability in a groundbreaking agreement</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-commits-to-european-interoperability-in-a-groundbreaking-agreement-r31330/</link><description><![CDATA[<p>
	Microsoft has finalized an agreement with the European Commission to address competition concerns regarding Teams. The changes are designed to enhance flexibility and give customers more options and commit the company to consumer choice and interoperability in a competitive landscape. The agreement involves changes to licensing and pricing for Microsoft 365, Office 365, and Microsoft Teams.
</p>

<p>
	 
</p>

<p>
	Microsoft is expanding interoperability and data portability resources. It will maintain the existing add-in model for third-party communication and collaboration providers and the AppSource marketplace will remain a distribution channel for these add-ins. The add-in model allows third-party solutions to integrate with Microsoft 365 and Teams in the same way as other software development companies that provide add-ins to Microsoft 365 and Teams.
</p>

<p>
	 
</p>

<p>
	In addition, Microsoft will continue to enable other solution providers to embed Office Web Applications within their own solutions through the Microsoft Document Collaboration Partner Program to better serve shared customers.
</p>

<p>
	 
</p>

<p>
	Microsoft said that the changes are explicitly aimed at enhancing flexibility, supporting open ecosystems, and providing customers with more options. The Redmond giant described partners as trusted advisors who deliver business outcomes and that the overall goal is to drive real impact for customers across their journey with their services and solutions.
</p>

<p>
	 
</p>

<p>
	Source: <a automate_uuid="1eb2d40f-0293-4e5b-9579-0882ffd7b914" href="https://techcommunity.microsoft.com/blog/partnernews/partner-blog--evolving-our-productivity-offerings-to-resolve-european-competitio/4453704" rel="external nofollow">Microsoft</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-commits-to-european-interoperability-in-a-groundbreaking-agreement/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Sunday 14 September 2025 at 5:02 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">31330</guid><pubDate>Sat, 13 Sep 2025 19:02:59 +0000</pubDate></item><item><title>Plex shares details on user data hack and breach, including how to reset password</title><link>https://nsaneforums.com/news/security-privacy-news/plex-shares-details-on-user-data-hack-and-breach-including-how-to-reset-password-r31258/</link><description><![CDATA[<p>
	Plex, the very popular home media server and streaming platform, has shared a detailed advisory on a recent security incident. The firm has confirmed that an unauthorized third party accessed a "limited subset" of customer data, but that it was able to mitigate the scope of the hack and its impact.
</p>

<p>
	 
</p>

<p>
	Plex has also assured customers that any account passwords accessed in this breach were securely hashed, and so could not be read in plaintext by the threat actor.
</p>

<p>
	 
</p>

<p>
	Regardless, the firm has shared details for its customers on how to handle the situation which includes resetting the sign-in password. In addition, it has also recommended that users enable two-factor authentication (2FA), if it isn't already, to further enhance their account's cybersecurity posture. It <a automate_uuid="deb53660-8541-497c-b117-8e7b54ccc219" href="https://forums.plex.tv/t/important-notice-of-security-incident/930523" rel="external nofollow">writes</a><span>:</span>
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>If you use a password to sign into Plex:</strong> We kindly request that you reset your Plex account password immediately by visiting<a automate_uuid="9d7aacb9-2bd2-4d22-8516-f19a4cbfce68" href="https://plex.tv/reset" rel="external nofollow"> https://plex.tv/reset</a>. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>If you use SSO to sign into Plex:</strong> We kindly request that you log out of all active sessions by visiting<a automate_uuid="97348ce5-8f57-41f0-80a5-1e704b8e02cb" href="http://plex.tv/security" rel="external nofollow"> https://plex.tv/security</a> and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
	</p>

	<p>
		 
	</p>

	<p>
		We remind you that <strong>no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments</strong>. For further account protection, we also recommend enabling<a automate_uuid="37ad5421-21a8-415c-aeb5-ec3253cdc106" href="https://support.plex.tv/articles/two-factor-authentication/?utm_source=Plex&amp;utm_medium=email&amp;utm_content=reset_password&amp;utm_campaign=sql_db_password_reset" rel="external nofollow"> two-factor authentication</a> on your Plex account if you haven’t already done so.
	</p>
</blockquote>

<p>
	Finally, the company has shared a support article <a automate_uuid="35dda0ce-0399-4b4f-b02d-39eb3123bd0b" href="https://support.plex.tv/articles/account-requires-password-reset/" rel="external nofollow">at this link</a> which walks users through the steps one by one on how to reset their account password.
</p>

<p>
	 
</p>

<p>
	The company has already been sending out emails to users, but even if you have not received one, it is best advised that you reset your password just to be on the safe side.
</p>

<p>
	 
</p>

<p>
	Some users are also finding that their libraries show up as empty after the password reset, in which case you will need to reclaim the server or try the login process a few more times (via <a automate_uuid="354b3d2b-78ab-4ddd-9361-aadd7571970d" href="https://www.reddit.com/r/PleX/comments/1nc0t9n/changed_password_and_boom_all_libraries_show_empty/" rel="external nofollow">Reddit</a>).
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/plex-shares-details-on-user-data-hack-and-breach-including-how-to-reset-password/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 10 September 2025 at 3:57 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">31258</guid><pubDate>Tue, 09 Sep 2025 17:57:57 +0000</pubDate></item><item><title>Plex tells users to reset passwords after new data breach</title><link>https://nsaneforums.com/news/security-privacy-news/plex-tells-users-to-reset-passwords-after-new-data-breach-r31244/</link><description><![CDATA[<p>
	Media streaming platform Plex is warning customers to reset passwords after suffering a data breach in which a hacker was able to steal customer authentication data from one of its databases.
</p>

<p>
	 
</p>

<p>
	In a data breach notification seen by BleepingComputer, Plex says the stolen data includes email addresses, usernames, securely hashed passwords, and authentication data.
</p>

<p>
	 
</p>

<p>
	"An unauthorized third party accessed a limited subset of customer data from one of our databases," reads the Plex data breach notification.
</p>

<p>
	 
</p>

<p>
	"While we quickly contained the incident, information that was accessed included emails, usernames, and securely hashed passwords."
</p>

<p>
	 
</p>

<p>
	"Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party."
</p>

<p>
	 
</p>

<p>
	Plex has not shared what hashing algorithm was used, raising the possibility that attackers could attempt to crack the passwords.
</p>
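<p>
	"Securely hashed" is only as reassuring as the algorithm behind it, which is why the missing detail matters. The script below is an added example, not Plex's code, and the user records, salts and wordlist are constructed. It contrasts the attacker's workload against a dump of unsalted SHA-256 hashes, where one table built from the wordlist cracks every user at once, with a dump of salted PBKDF2-HMAC-SHA256 hashes, where each user costs a fresh, deliberately slow pass over the wordlist and no work can be shared. The iteration count is lowered from current guidance (several hundred thousand rounds) so the demo finishes in a second or two.
</p>

```python
"""Why the hashing algorithm matters once a credential database leaks.
Added example, not Plex's code; every record here is constructed."""
import hashlib
import hmac
import time

# A tiny constructed wordlist; real attacks use hundreds of millions of guesses.
WORDLIST = ["password", "letmein", "plexrocks", "Summer2025!", "hunter2", "qwerty123"]

# Constructed user records. Salts are fixed so the run is repeatable; a real
# service draws them from os.urandom(16) per user.
USERS = [("alice", "hunter2"), ("bob", "Tr0ub4dor&3"), ("carol", "letmein")]
SALTS = [bytes([i]) * 16 for i in (1, 2, 3)]
PBKDF2_ROUNDS = 100_000  # lowered from current guidance to keep the demo quick


def fast_hash(password):
    """What 'hashed' too often means in practice: one unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt):
    """Salted, iterated PBKDF2-HMAC-SHA256 (scrypt or Argon2id would be better)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# The two "leaked" databases an attacker might end up holding.
FAST_DUMP = [(user, fast_hash(pw)) for user, pw in USERS]
SLOW_DUMP = [(user, salt, slow_hash(pw, salt)) for (user, pw), salt in zip(USERS, SALTS)]


def crack_fast(dump, wordlist):
    """Unsalted fast hash: hash the wordlist once, then every leaked record is a
    dictionary lookup. Returns (found, hashes_computed)."""
    table = {fast_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in dump if h in table}, len(wordlist)


def crack_slow(dump, wordlist):
    """Salted slow hash: nothing can be shared between users, so the cost is
    records x guesses slow hashes. Returns (found, hashes_computed)."""
    found, work = {}, 0
    for user, salt, digest in dump:
        for word in wordlist:
            work += 1
            if hmac.compare_digest(slow_hash(word, salt), digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    for label, cracker, dump in (("unsalted SHA-256", crack_fast, FAST_DUMP),
                                 ("salted PBKDF2", crack_slow, SLOW_DUMP)):
        t0 = time.perf_counter()
        found, work = cracker(dump, WORDLIST)
        print(f"{label:18s} cracked={sorted(found)} hashes={work} "
              f"time={time.perf_counter() - t0:.3f}s")
```

<p>
	Both runs recover the same two weak passwords, but the unsalted dump costs six hashes in total however many users it holds, while the salted one costs thirteen slow hashes for three users and grows linearly with both the user count and the guess count. That gap is the whole reason the reset advice above is worth following even when a vendor says the passwords were hashed.
</p>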

<p>
	 
</p>

<p>
	Therefore, Plex recommends that users, out of an "abundance of caution," reset their password at <a href="https://plex.tv/reset" rel="external nofollow" target="_blank">https://plex.tv/reset</a> and also enable the "Sign out connected devices after password change" option when doing so.
</p>

<p>
	 
</p>

<p>
	This will reset your password and log out any existing connections utilizing your own credentials. However, this will also require you to log in again on any devices using those credentials.
</p>

<p>
	 
</p>

<p>
	For those using SSO to log in to Plex, the company recommends you log out of all active sessions by visiting <a href="http://plex.tv/security" rel="external nofollow" target="_blank">https://plex.tv/security</a> and clicking the button that says "Sign out of all devices". Once again, you will need to log back into devices using your credentials.
</p>

<p>
	 
</p>

<p>
	The company is also reminding users to enable two-factor authentication for added protection and stresses that it will never ask for passwords or credit card details over email.
</p>

<p>
	 
</p>

<p>
	Plex says no payment card information was included in the breach, as it's not stored on its server.
</p>

<p>
	 
</p>

<p>
	The company says it has addressed the method used to breach its server, but did not share any further technical details about the attack.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted Plex with questions about the breach and will update the article if we hear back.
</p>

<p>
	 
</p>

<p>
	This is not the first time Plex users have been forced to reset their passwords due to a data breach.
</p>

<p>
	 
</p>

<p>
	In August 2022, <a href="https://www.bleepingcomputer.com/news/security/plex-warns-users-to-reset-passwords-after-a-data-breach/" rel="external nofollow" target="_blank">Plex suffered an almost identical data breach</a>, with authentication data and hashed passwords exposed in the attack.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/plex-tells-users-to-reset-passwords-after-new-data-breach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 9 September 2025 at 1:58 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">31244</guid><pubDate>Tue, 09 Sep 2025 03:59:00 +0000</pubDate></item><item><title>Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack-r31243/</link><description><![CDATA[<p>
	In a supply chain attack, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.
</p>

<p>
	 
</p>

<p>
	Josh Junon (<a href="https://www.npmjs.com/~qix" rel="external nofollow" target="_blank">qix</a>), the package maintainer whose accounts were hijacked in this supply-chain attack, <a href="https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y" rel="external nofollow" target="_blank">confirmed</a> the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came <a href="https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydje4zqis2y" rel="external nofollow" target="_blank">from support [at] npmjs [dot] help</a>, a domain that hosts a website impersonating the legitimate npmjs.com domain.
</p>

<p>
	 
</p>

<p>
	In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.
</p>

<p>
	 
</p>

<p>
	"As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update," the phishing email reads.
</p>

<p>
	 
</p>

<p>
	"To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access."
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Phishing email" class="ipsImage" height="720" width="710" src="https://www.bleepstatic.com/images/news/u/1109292/2025/phishing-email.jpg">
		<figcaption>
			<em>Phishing email (<a href="https://github.com/Marsup" rel="external nofollow" target="_blank">Nicolas Morel</a>)</em>
		</figcaption>
	</figure>
</div>

<p>
	The attackers targeted other package maintainers and developers using the same email, according to <a href="https://github.com/orgs/community/discussions/172738" rel="external nofollow" target="_blank">reports</a> from those who received the phishing message.
</p>

<p>
	 
</p>

<p>
	BleepingComputer found that the npmjs[.]help page also includes a login form that exfiltrates the entered credentials to the following URL:
</p>

<pre><code>https://websocket-api2[.]publicvm.com/images/jpg-to-png.php?name=[name]&amp;pass=[password]</code></pre>

<p>
	Since the incident was detected, the NPM team has removed some of the malicious versions published by the attackers, including the one for the debug package, which is downloaded 357.6 million times per week.
</p>

<p>
	 
</p>

<p>
	<a href="https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydmyzpwa22s" rel="external nofollow" target="_blank"><img alt="Josh Junon skeet" class="ipsImage" height="328" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Josh_Junon_skeet.png"></a>
</p>

<h2>
	The supply chain attack
</h2>

<p>
	According to Aikido Security, which <a href="https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" rel="external nofollow" target="_blank">analyzed the supply-chain attack</a>, the threat actors updated the packages after taking over control, injecting malicious code that acts as a browser-based interceptor into the index.js files, capable of hijacking network traffic and application APIs.
</p>

<p>
	 
</p>

<p>
	The malicious code only impacts individuals accessing the compromised applications over the web, monitoring for cryptocurrency addresses and transactions that are then redirected to attacker-controlled wallet addresses. This causes the transaction to be hijacked by the attackers rather than being sent to the intended address.
</p>

<p>
	 
</p>

<p>
	The malware operates <a href="https://github.com/chalk/chalk/issues/656#issuecomment-3266894253" rel="external nofollow" target="_blank">by injecting itself into the web browser</a>, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash wallet addresses or transfers. On network responses with crypto transactions, it replaces the destinations with attacker-controlled addresses and hijacks transactions before they're signed.
</p>

<p>
	 
</p>

<p>
	Aikido says the malicious code does this by hooking JavaScript functions like <code>fetch</code>, <code>XMLHttpRequest</code>, and wallet APIs (window.ethereum, Solana, etc.).
</p>

<p>
	 
</p>

<p>
	The packages hijacked so far collectively have over 2.6 billion downloads every week:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		backslash (0.26m downloads per week)
	</li>
	<li>
		chalk-template (3.9m downloads per week)
	</li>
	<li>
		supports-hyperlinks (19.2m downloads per week)
	</li>
	<li>
		has-ansi (12.1m downloads per week)
	</li>
	<li>
		simple-swizzle (26.26m downloads per week)
	</li>
	<li>
		color-string (27.48m downloads per week)
	</li>
	<li>
		error-ex (47.17m downloads per week)
	</li>
	<li>
		color-name (191.71m downloads per week)
	</li>
	<li>
		is-arrayish (73.8m downloads per week)
	</li>
	<li>
		slice-ansi (59.8m downloads per week)
	</li>
	<li>
		color-convert (193.5m downloads per week)
	</li>
	<li>
		wrap-ansi (197.99m downloads per week)
	</li>
	<li>
		ansi-regex (243.64m downloads per week)
	</li>
	<li>
		supports-color (287.1m downloads per week)
	</li>
	<li>
		strip-ansi (261.17m downloads per week)
	</li>
	<li>
		chalk (299.99m downloads per week)
	</li>
	<li>
		debug (357.6m downloads per week)
	</li>
	<li>
		ansi-styles (371.41m downloads per week)
	</li>
</ul>

<p>
	 
</p>

<p>
	"The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user," Aikido Security researcher Charlie Eriksen said.
</p>

<p>
	 
</p>

<p>
	"What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users' apps believe they are signing."
</p>

<p>
	 
</p>

<p>
	While this is a supply chain attack, Andrew MacPherson, Principal Security Engineer at Privy, told BleepingComputer that there are specific criteria that must be met for an app to have been affected, which significantly decreases the impact. This includes:
</p>

<p>
	 
</p>

<ul data-border="0" data-indent="0" data-list-tree="true" data-stringify-type="unordered-list" style="list-style-type:square">
	<li data-stringify-border="0" data-stringify-indent="0">
		A fresh install between ~9 AM and ~11.30 AM ET, when the packages were compromised
	</li>
	<li data-stringify-border="0" data-stringify-indent="0">
		Package-lock.json was created during that time
	</li>
	<li data-stringify-border="0" data-stringify-indent="0">
		Vulnerable packages in direct or transitive dependencies
	</li>
</ul>

<p>
	 
</p>

<p>
	This supply-chain attack follows a series of similar attacks targeting developers of various well-known JavaScript libraries over the past few months.
</p>

<p>
	 
</p>

<p>
	For instance, in July, attackers <a href="https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/" rel="external nofollow" target="_blank">compromised eslint-config-prettier</a>, a package with over 30 million weekly downloads, while in March, <a href="https://www.bleepingcomputer.com/news/security/infostealer-campaign-compromises-10-npm-packages-targets-devs/" rel="external nofollow" target="_blank">ten other widely used npm libraries</a> were hijacked and turned into info-stealers.
</p>

<p>
	 
</p>

<p>
	Both the phishing attack and the injected malware illustrate how the web browser has become a massive attack surface for stealing credentials, modifying traffic, and breaching networks.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has a webinar later this month titled "<a href="https://www.scworld.com/cybercast/your-browser-is-the-breach-securing-the-modern-web-edge?utm_source=partner-campaign&amp;utm_medium=bc_npm_sca&amp;utm_campaign=sc-cybercast-bleepingcomputer-2025-september" rel="external nofollow" target="_blank">Your Browser Is the Breach: Securing the Modern Web Edge</a>" that focuses on recent browser attacks and how to defend this attack surface.
</p>

<p>
	 
</p>

<p>
	<em>Update: Revised the lede as the attack is not as impactful as initially thought.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 9 September 2025 at 1:57 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31243</guid><pubDate>Tue, 09 Sep 2025 03:57:48 +0000</pubDate></item><item><title>UK to strengthen online safety laws to protect vulnerable adults</title><link>https://nsaneforums.com/news/security-privacy-news/uk-to-strengthen-online-safety-laws-to-protect-vulnerable-adults-r31237/</link><description><![CDATA[<p>
	The UK government has announced that it’s introducing new laws to toughen the <a automate_uuid="e6c71586-4127-47f6-90ec-f1f259c67121" href="https://www.neowin.net/news/uk-enforces-strict-new-online-age-checks-today/" rel="external nofollow">Online Safety Act</a> with the goal of protecting vulnerable people of all ages from content that encourages or assists self-harm. The government described this as an urgent action that’s intended to prevent users from being exposed to “devastating” self-harm material. While existing protections are aimed at children, the new rules will strive to protect adults with mental health issues.
</p>

<p>
	 
</p>

<p>
	With <a automate_uuid="ab32a4de-75c4-4fe7-ab97-ca4cecb78036" href="https://www.gov.uk/government/news/online-safety-laws-to-strengthen-to-protect-people-of-all-ages-from-devastating-self-harm-content" rel="external nofollow">this change</a>, any material that encourages or assists serious self-harm will be classified as a priority offense that needs to be addressed to protect children and adults. The new regulations are expected to be laid out in the autumn and will come into force 21 days after being approved.
</p>

<p>
	 
</p>

<p>
	Under the new rules, tech firms will be legally required to hunt down and remove self-harm material using “cutting-edge technology” to seek out self-harm content before it can reach users. This shift is designed to change moderation from a reactive approach to a proactive one, compelling companies to prevent harm, not just respond to it. The Technology Secretary Liz Kendall said that these new requirements are “not an option, but the law.”
</p>

<p>
	 
</p>

<p>
	It’s not just the government that’s eager to introduce the new rules. The Chief Executive of the Samaritans, Julie Bentley, welcomed the new measures. The Samaritans view the changes as a positive step that can ensure the Online Safety Act goes further to protect both adults and children. Bentley said that while the internet can offer support for people who are struggling, it can also be used to find self-harm content that can be fatal.
</p>

<p>
	 
</p>

<p>
	With this change, the government is responding to the consequences that self-harm content has had time and time again, which can “destroy lives and tear families apart.” For adults, the new rules are intended to prevent content that could trigger a mental health crisis or worse. The government said that the regulations will be brought into force as a Statutory Instrument (SI) and require approval by both Houses of Parliament. The rules will come into force 21 days after implementation.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/uk-to-strengthen-online-safety-laws-to-protect-vulnerable-adults/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 9 September 2025 at 3:08 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31237</guid><pubDate>Mon, 08 Sep 2025 17:09:26 +0000</pubDate></item><item><title>AI-powered malware hit 2,180 GitHub accounts in &#x201C;s1ngularity&#x201D; attack</title><link>https://nsaneforums.com/news/security-privacy-news/ai-powered-malware-hit-2180-github-accounts-in-%E2%80%9Cs1ngularity%E2%80%9D-attack-r31215/</link><description><![CDATA[<p>
	Investigations into the Nx "s1ngularity" NPM supply chain attack have unveiled a massive fallout, with thousands of account tokens and repository secrets leaked.
</p>

<p>
	 
</p>

<p>
	According to a post-incident <a href="https://www.wiz.io/blog/s1ngularitys-aftermath" rel="external nofollow" target="_blank">evaluation by Wiz researchers</a>, the Nx compromise has resulted in the exposure of 2,180 accounts and 7,200 repositories across three distinct phases.
</p>

<p>
	 
</p>

<p>
	Wiz also stressed that the incident's scope of impact remains significant, as many of the leaked secrets remain valid, and so the effect is still unfolding.
</p>

<h2>
	The Nx "s1ngularity" supply chain attack
</h2>

<p>
	Nx is a popular open-source build system and monorepo management tool, widely used in enterprise-scale JavaScript/TypeScript ecosystems, having over 5.5 million weekly downloads on the NPM package index.
</p>

<p>
	 
</p>

<p>
	On August 26, 2025, attackers exploited a flawed GitHub Actions workflow in the Nx repository to publish a malicious version of the package on NPM, which included a post-install malware script ('telemetry.js').
</p>

<p>
	 
</p>

<p>
	The telemetry.js malware is a credential stealer targeting Linux and macOS systems, which attempted to steal GitHub tokens, npm tokens, SSH keys, .env files, crypto wallets, and upload the secrets to public GitHub repositories named "s1ngularity-repository."
</p>

<p>
	 
</p>

<p>
	What made this attack stand out was that the credential stealer used installed command-line tools for artificial intelligence platforms, such as Claude, Q, and Gemini, to search for and harvest sensitive credentials and secrets using LLM prompts.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="LLM prompt to search for and steal credentials and other secrets" class="ipsImage" height="290" width="720" src="https://www.bleepstatic.com/images/news/security/n/nx-supply-chain-attack/llm-prompt-to-steal-credentials.jpg">
		<figcaption>
			<em>LLM prompt to search for and steal credentials and other secrets<br>
			Source: Wiz</em>
		</figcaption>
	</figure>
</div>

<p>
	Wiz reports that the prompt changed over each iteration of the attack, showing that the threat actor was tuning the prompt for better success.
</p>

<p>
	 
</p>

<p>
	"The evolution of the prompt shows the attacker exploring prompt tuning rapidly throughout the attack. We can see the introduction of <a href="https://learnprompting.org/docs/basics/roles" rel="external nofollow"><u>role-prompting</u></a>, as well as varying levels of specificity on techniques," explained Wiz.
</p>

<p>
	 
</p>

<p>
	"These changes had a concrete impact on the success of the malware. The introduction of the phrase “penetration testing”, for example, was concretely reflected in LLM refusals to engage in such activity."
</p>

<h2>
	A massive blast radius
</h2>

<p>
	In the first phase of the attack, between August 26 and 27, the backdoored Nx packages directly impacted 1,700 users, leaking over 2,000 unique secrets. The attack also exposed 20,000 files from infected systems.
</p>

<p>
	 
</p>

<p>
	GitHub responded by taking down the repositories the attacker created after eight hours, but the data had already been copied.
</p>

<p>
	 
</p>

<p>
	Between August 28 and 29, which Wiz defines as phase 2 of the incident, the attackers used the leaked GitHub tokens to flip private repositories to public, renaming them to include the 's1ngularity' string.
</p>

<p>
	 
</p>

<p>
	This has resulted in the further compromise of another 480 accounts, the majority of which were organizations, and the public exposure of 6,700 private repositories.
</p>

<p>
	 
</p>

<p>
	In the third phase, which began on August 31, the attackers targeted a single victim organization, utilizing two compromised accounts to publish an additional 500 private repositories.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Overview of attack and impact" class="ipsImage" height="393" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/September/overview.jpg">
		<figcaption>
			<em>Overview of the s1ngularity attack<br>
			Source: Wiz</em>
		</figcaption>
	</figure>
</div>

<h2>
	Nx's response
</h2>

<p>
	The Nx team published a detailed <a href="https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c" rel="external nofollow" target="_blank">root cause analysis</a> on GitHub explaining that the compromise came from a pull request title injection combined with the insecure use of <code>pull_request_target</code>.
</p>

<p>
	 
</p>

<p>
	This allowed the attackers to run arbitrary code with elevated permissions, which in turn triggered Nx's publish pipeline and exfiltrated the npm publishing token.
</p>

<p>
	 
</p>

<p>
	The malicious packages were removed, the compromised tokens were revoked and rotated, and two-factor authentication has been adopted across all publisher accounts.
</p>

<p>
	 
</p>

<p>
	To prevent a recurrence of such a compromise, the Nx project has now adopted NPM's Trusted Publisher model, which eliminates token-based publishing, and added manual approval for PR-triggered workflows.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Sunday 7 September 2025 at 2:16 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31215</guid><pubDate>Sun, 07 Sep 2025 04:17:11 +0000</pubDate></item><item><title>Hovering over links in emails is still one of the best defenses you have against phishing</title><link>https://nsaneforums.com/news/security-privacy-news/hovering-over-links-in-emails-is-still-one-of-the-best-defenses-you-have-against-phishing-r31203/</link><description><![CDATA[<p>
	Phishing and its many variants are still a major threat on today's Internet. Email phishing is still a dominant attack type. You receive an email that usually claims to come from a legitimate company or service, in order to steal your passwords, other data, or gain access to information.
</p>

<p>
	 
</p>

<p>
	Experienced Internet users may detect most phishing emails immediately. One look at the sender's email address or the content of the email, and they know whether it is legitimate or not. Yes, a deep dive into the mail headers is usually the better option to determine whether an email is real or fake, but often, that is not necessary. If you get a claim from a company that you do not do business with, you can almost be certain that the email that you received is not legitimate.
</p>

<p>
	 
</p>

<p>
	Decade-old best practices against phishing still reign supreme. Do not click on links, do not use information to call someone, send them a message, or open a website listed in the phishing email. Bad grammar or spelling used to be a good indicator, but the increased use of AI by threat actors is eliminating most of that in emails.
</p>

<p>
	 
</p>

<p>
	If you are unsure, you may also hover with the mouse over links in phishing emails. At least on desktop systems, you see the link target. Often, it is a destination that has nothing to do with the entity the email supposedly came from. Even if a URL shortener is used or a new strategy is implemented, <a data-wpel-link="external" href="https://www.malwarebytes.com/blog/news/2025/08/facebook-users-targeted-in-login-phish" rel="external nofollow" target="_blank">like showing mailto links</a> instead of web links, it should ring the alarm bells loud and clear immediately.
</p>

<p>
	 
</p>

<p>
	On mobile, you may be able to long-press on links to display a context menu with options or information. There is still the risk of accidentally opening a link that you want to check though.
</p>

<p>
	 
</p>

<p>
	The following email, for example, has quite a few red flags. The sender claims that the recipient has to pay customs duties for a parcel transported by DHL.
</p>

<p>
	 
</p>

<p>
	<img alt="Phishing Emails check" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/08/phishing-emails-hover-scaled.png">
</p>

<p>
	 
</p>

<p>
	Apart from the sender's email, it is the link that provides you with additional information. It screams fake, and if you have used DHL before, you know that the company does not use the t.co URL shortening service.
</p>

<p>
	 
</p>

<p>
	Hovering over links may help you distinguish fake emails from real ones. I still recommend that you open links manually only. If you get an email from your bank, a shopping site, or any other service or site that you use, you could still open it manually in your browser instead of clicking on a link, if you believe that there is a high chance that the email is legitimate.
</p>

<p>
	 
</p>

<p>
	<em>Now You: How do you handle the threat of phishing? Do you use specialized security tools to protect against phishing attacks? Feel free to leave a comment down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/09/03/hovering-over-links-in-emails-is-still-one-of-the-best-defenses-you-have-against-phishing/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 6 September 2025 at 3:34 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31203</guid><pubDate>Fri, 05 Sep 2025 17:35:27 +0000</pubDate></item><item><title>Chess.com confirms data breach</title><link>https://nsaneforums.com/news/security-privacy-news/chesscom-confirms-data-breach-r31202/</link><description><![CDATA[<p>
	Chess.com is a very popular service that enables people to play chess with each other online, while also offering a social forum for communities and a news section that keeps players updated on the latest in the sport. It has over a hundred million users, who play millions of games daily collectively. For example, right now, the counter at the top of the website shows that roughly 20 million games have been played today, and almost 200,000 people are online simultaneously. Now, the platform has disclosed a data breach affecting some players.
</p>

<p>
	 
</p>

<p>
	As reported by <a automate_uuid="198605ef-4510-4220-a654-e0cf185e600e" href="https://www.bleepingcomputer.com/news/security/chesscom-discloses-recent-data-breach-via-file-transfer-app/" rel="external nofollow">Bleeping Computer</a>, Chess.com has sent notifications to some customers informing them that the service was indirectly impacted in a data breach that affected a third-party file transfer app that was used by the platform. This incident occurred between June 5 and June 18 this year, with the company finding out about the breach on June 19.
</p>

<p>
	 
</p>

<p>
	Chess.com immediately notified relevant law enforcement authorities and solicited security experts to assess the scope of the breach and contain it. It was successful in this process, but the data of almost 4,500 users was exposed. This likely included personally identifiable information (PII), but no financial data was accessed.
</p>

<p>
	 
</p>

<p>
	On a platform boasting 100 million users, 4,500 may sound like a small figure since it only encompasses 0.0045% of its customers. However, the service is still giving impacted customers a couple of years of identity theft and credit monitoring services. Those affected have until December 3, 2025, to enroll in the complimentary services. Chess.com has emphasized that only the third-party file transfer app it used was impacted; its own infrastructure remains robust and unaffected. It's unclear which app was breached, but it's encouraging for now that the stolen data has not been spotted online or identified as being misused by malicious actors.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/chesscom-confirms-data-breach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 6 September 2025 at 3:33 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31202</guid><pubDate>Fri, 05 Sep 2025 17:34:32 +0000</pubDate></item><item><title>EU fines Google $3.5 billion for anti-competitive ad practices</title><link>https://nsaneforums.com/news/security-privacy-news/eu-fines-google-35-billion-for-anti-competitive-ad-practices-r31201/</link><description><![CDATA[<p>
	The European Commission has fined Google €2.95 billion ($3.5 billion) for abusing its dominance in the digital advertising technology market and favoring its adtech services over those of its competitors.
</p>

<p>
	 
</p>

<p>
	Google was also ordered by the EU's top antitrust regulator to stop anti-competitive and "self-preferencing" practices and take measures to mitigate future conflicts of interest in the adtech market.
</p>

<p>
	 
</p>

<p>
	Lee-Anne Mulholland, Google's Global Head of Regulatory Affairs, told BleepingComputer that the antitrust regulator's decision was wrong and that the company will appeal it.
</p>

<p>
	 
</p>

<p>
	"The European Commission's decision about our ad tech services is wrong and we will appeal. It imposes an unjustified fine and requires changes that will hurt thousands of European businesses by making it harder for them to make money," Mulholland said.
</p>

<p>
	 
</p>

<p>
	"There's nothing anticompetitive in providing services for ad buyers and sellers, and there are more alternatives to our services than ever before."
</p>

<p>
	 
</p>

<p>
	This follows the Commission's <a href="https://ec.europa.eu/commission/presscorner/detail/cs/ip_23_3207" rel="external nofollow" target="_blank">notification to Google</a> in June 2023 of a preliminary finding that its abusive practices in online advertising technology violated the European Union's antitrust rules concerning adtech operations. At the time, <a href="https://blog.google/around-the-globe/google-europe/todays-european-commission-announcement-about-our-advertising-technology/" rel="external nofollow" target="_blank">Google stated</a> that the Commission's case "rests on flawed interpretations of the ad tech sector."
</p>

<p>
	 
</p>

<p>
	This is the fourth time the European Commission has fined Google for abusing its market dominance. In March 2019, the Commission <a href="https://www.bleepingcomputer.com/news/security/google-fined-17-billion-for-anti-competitive-practices-in-online-advertising/" rel="external nofollow" target="_blank">fined Google €1.49 billion ($1.7 billion)</a> for blocking rival advertising companies from displaying search ads on publisher search results pages.
</p>

<p>
	 
</p>

<p>
	In July 2018, Google was fined <a href="https://www.bleepingcomputer.com/news/google/google-fined-2-7-billion-for-tweaking-search-results/" rel="external nofollow" target="_blank">€2.42 billion ($2.72 billion)</a> for preventing other companies from competing in the online search and comparison shopping market by abusing its search engine dominance.
</p>

<p>
	 
</p>

<p>
	One year earlier, in June 2017, the EU's competition watchdog imposed <a href="https://www.bleepingcomputer.com/news/google/eu-fines-google-5-billion-for-breaching-antitrust-rules-in-android/" rel="external nofollow" target="_blank">a record €4.34 billion ($5.04 billion) fine</a> on Google "for illegal practices regarding Android mobile devices to strengthen the dominance of Google's search engine."
</p>

<p>
	 
</p>

<p>
	On Wednesday, the National Commission on Informatics and Liberty (CNIL), France's data protection authority, <a href="https://www.bleepingcomputer.com/news/security/france-slaps-google-with-325m-fine-for-violating-cookie-regulations/" rel="external nofollow" target="_blank">also fined Google €325 million ($378 million)</a> for displaying ads between Gmail users' emails without their consent and violating cookie regulations.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/eu-fines-google-35-billion-for-anti-competitive-ad-practices/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Saturday 6 September 2025 at 3:30 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31201</guid><pubDate>Fri, 05 Sep 2025 17:31:00 +0000</pubDate></item><item><title>New TP-Link zero-day surfaces as CISA warns other flaws are exploited</title><link>https://nsaneforums.com/news/security-privacy-news/new-tp-link-zero-day-surfaces-as-cisa-warns-other-flaws-are-exploited-r31181/</link><description><![CDATA[<p>
	TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks.
</p>

<p>
	 
</p>

<p>
	The zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), <a href="https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679" rel="external nofollow" target="_blank">who noted</a> that he first reported it to TP-Link on May 11, 2024.
</p>

<p>
	 
</p>

<p>
	The Chinese networking equipment giant confirmed to BleepingComputer that it is currently investigating the exploitability and exposure of the flaw.
</p>

<p>
	 
</p>

<p>
	Though a patch is reportedly already developed for European models, work is underway to develop fixes for U.S. and global firmware versions, with no specific date estimates given.
</p>

<p>
	 
</p>

<p>
	“TP-Link is aware of the recently disclosed vulnerability affecting certain router models, as reported by ByteRay,” reads the statement TP-Link Systems Inc. sent to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	“We take these findings seriously and have already developed a patch for impacted European models. Work is currently underway to adapt and expedite updates for U.S. and other global versions.”
</p>

<p>
	 
</p>

<p>
	“Our technical team is also reviewing the reported findings in detail to confirm device exposure criteria and deployment conditions, including whether CWMP is enabled by default.”
</p>

<p>
	 
</p>

<p>
	“We strongly encourage all users to keep their devices updated with the latest firmware as it becomes available via our official support channels.”
</p>

<p>
	 
</p>

<p>
	The vulnerability, which doesn’t have a CVE-ID assigned to it yet, is a stack-based buffer overflow in TP-Link’s CWMP (CPE WAN Management Protocol) implementation on an unknown number of routers.
</p>

<p>
	 
</p>

<p>
	Researcher Mehrun, who found the flaw through automated taint analysis of router binaries, explains that it lies in a function that handles SOAP SetParameterValues messages.
</p>

<p>
	 
</p>

<p>
	The problem is caused by a lack of bounds checking in ‘strncpy’ calls, making it possible to achieve remote code execution via buffer overflow when the stack buffer size is above 3072 bytes.
</p>

<p>
	 
</p>

<p>
	Mehrun says a realistic attack would be to redirect vulnerable devices to a malicious CWMP server and then deliver the oversized SOAP payload to trigger the buffer overflow.
</p>

<p>
	 
</p>

<p>
	This is achievable by exploiting flaws in outdated firmware or by accessing the device with default credentials that users haven’t changed.
</p>

<p>
	 
</p>

<p>
	Once compromised via RCE, the router can be instructed to reroute DNS queries to malicious servers, silently intercept or manipulate unencrypted traffic, and inject malicious payloads into web sessions.
</p>

<p>
	 
</p>

<p>
	The researcher confirmed through testing that TP-Link Archer AX10 and Archer AX1500 use vulnerable CWMP binaries. Both are highly popular router models that are currently available for sale in multiple markets.
</p>

<p>
	 
</p>

<p>
	Mehrun also noted that EX141, Archer VR400, TD-W9970, and possibly several other router models from TP-Link are potentially affected.
</p>

<p>
	 
</p>

<p>
	Until TP-Link determines which devices are vulnerable and releases fixes for them, users should change default admin passwords, disable CWMP if not needed, and apply the latest firmware update for their device. If possible, segment the router from critical networks.
</p>

<h2>
	CISA warns of exploited TP-Link flaws
</h2>

<p>
	Yesterday, <a href="https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog" rel="external nofollow" target="_blank">CISA added two other TP-Link flaws</a>, tracked as CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerabilities catalog; both have been exploited by the Quad7 botnet to compromise routers.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.cve.org/CVERecord?id=CVE-2023-50224" rel="external nofollow" target="_blank">CVE-2023-50224</a> is an authentication bypass flaw, and <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-9377" rel="external nofollow" target="_blank">CVE-2025-9377</a> is a command injection flaw. When chained together, they allow threat actors to gain remote code execution on vulnerable TP-Link devices.
</p>

<p>
	 
</p>

<p>
	Since 2023, the <a href="https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-soho-and-vpn-routers-media-servers/" rel="external nofollow" target="_blank">Quad7 botnet has been exploiting the flaws</a> to install custom malware on routers that convert them into proxies and traffic relays.
</p>

<p>
	 
</p>

<p>
	Chinese threat actors have been using these compromised routers to proxy, or relay, malicious attacks while blending in with legitimate traffic to evade detection.
</p>

<p>
	 
</p>

<p>
	In 2024, <a href="https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-use-quad7-botnet-to-steal-credentials/" rel="external nofollow" target="_blank">Microsoft observed</a> threat actors using the botnet to perform password spray attacks on cloud services and Microsoft 365, aiming to steal credentials.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-tp-link-zero-day-surfaces-as-cisa-warns-other-flaws-are-exploited/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 5 September 2025 at 3:20 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31181</guid><pubDate>Thu, 04 Sep 2025 17:21:34 +0000</pubDate></item><item><title>Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet</title><link>https://nsaneforums.com/news/security-privacy-news/mis-issued-certificates-for-1111-dns-service-pose-a-threat-to-the-internet-r31173/</link><description><![CDATA[<h3>
	The three certificates were issued in May but only came to light Wednesday.
</h3>

<p>
	People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry.
</p>

<p>
	 
</p>

<p>
	The certificates, issued in May, can be used to decrypt domain lookup queries encrypted through DNS over HTTPS or DNS over TLS. Both protocols provide end-to-end encryption when end-user devices seek the IP address of a particular domain they want to access. Two of the certificates remained valid at the time this post went live on Ars.
</p>

<h2>
	Investigation underway
</h2>

<p>
	Although the certificates were issued four months ago, their existence came to public notice only on Wednesday in a <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc" rel="external nofollow">post</a> to an online discussion forum. They were issued by Fina RDC 2020, a certificate authority that’s subordinate to the root certificate holder Fina Root CA. The Fina Root CA, in turn, is trusted by the Microsoft Root Certificate Program, which governs which certificates are trusted by the Windows operating system. Microsoft Edge accounts for approximately 5 percent of the browsers actively used on the Internet.
</p>

<p>
	 
</p>

<p>
	In an emailed statement sent several hours after this post went live, Cloudflare officials confirmed the certificates were improperly issued. They wrote in part:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Cloudflare did not authorize Fina to issue these certificates. Upon seeing the report on the certificate-transparency email list, we immediately kicked off an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory body – who can mitigate the issue by revoking trust in Fina or the mis-issued certificates. At this time, we have not yet heard back from Fina.
	</p>
</blockquote>

<p>
	The statement went on to say that data encrypted through Cloudflare's WARP VPN isn't affected.
</p>

<p>
	 
</p>

<p>
	Microsoft said in an email that it has “engaged the certificate authority to request immediate action. We’re also taking steps to block the affected certificates through our disallowed list to help keep customers protected.” The statement didn't say how the company failed to identify the improperly issued certificate for such a long period of time.
</p>

<p>
	 
</p>

<p>
	Representatives from Google and Mozilla said in emails that their Chrome and Firefox browsers have never trusted the certificates, and there was no need for users to take any action. An Apple representative responded to an email with <a href="https://support.apple.com/en-us/121672" rel="external nofollow">this link</a> to a list of certificate authorities Safari trusts. Fina was not included.
</p>

<p>
	 
</p>

<p>
	It wasn't immediately known which organization or person requested and obtained the certificates. Representatives from Fina didn’t answer emails seeking details.
</p>

<p>
	 
</p>

<p>
	The certificates are a key part of the Transport Layer Security protocol. They bind a specific domain to a public key. The certificate authority, the entity authorized to issue browser-trusted certificates, possesses the private key certifying that the certificate is valid. Anyone in possession of a TLS certificate can cryptographically impersonate the domain for which it was issued.
</p>

<p>
	 
</p>

<p>
	The holder of the 1.1.1.1 certificates could potentially use them in active adversary-in-the-middle attacks that intercept communications passing between end users and the Cloudflare DNS service, Ryan Hurst, CEO of Peculiar Ventures and a TLS and public key infrastructure expert, told Ars.
</p>

<p>
	 
</p>

<p>
	From there, attackers with possession of the 1.1.1.1 certificates could decrypt, view, and tamper with traffic from the Cloudflare DNS service, Hurst said.
</p>

<h2>
	Castles made of sand
</h2>

<p>
	Wednesday’s discovery exposes a key weakness of the public key infrastructure that’s responsible for ensuring trust of the entire Internet. Despite being the only thing ensuring that gmail.com, bankofamerica.com or any other website is controlled by the entity claiming ownership, the entire system can collapse with a single point of failure.
</p>

<p>
	 
</p>

<p>
	Cloudflare's statement observed:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The CA ecosystem is a castle with many doors: the failure of one CA can cause the security of the whole castle to be compromised. CA misbehavior, whether intentional or not, poses a persistent and significant concern for Cloudflare. From the start, Cloudflare has helped develop and run Certificate Transparency that has allowed this mis-issuance to come to light.
	</p>
</blockquote>

<p>
	The incident also reflects poorly on Microsoft for failing to proactively catch the mis-issued certificates and allowing Windows to trust them for such a long period of time. <a href="https://certificate.transparency.dev" rel="external nofollow">Certificate Transparency</a>, a site that catalogues in real time the issuance of all browser-trusted certificates, can be searched automatically. The entire purpose of the logs is so stakeholders can quickly identify mis-issued certificates before they can be actively used. The mis-issuance in this case is easy to spot because the IP address used to confirm that the party applying for the certificates controlled the domain was 1.1.1.1 itself.
</p>

<p>
	 
</p>

<p>
	The public discovery of the certificates four months after the fact suggests the transparency logs didn’t receive the attention they were intended to get. It's unclear how so many different parties could miss the certificates for such a long time span.
</p>
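<p>
	As an added example (not from the Ars article, Cloudflare or Microsoft), the kind of automated watch the two paragraphs above describe: it scans certificate records for identifiers an operator owns and flags any issued by a CA that is not on the operator's allowlist, noting whether each one is still valid and how long it has gone unnoticed. The log entries and the "Expected DNS CA (placeholder)" issuer are constructed for the demo; "Fina RDC 2020" is the issuer named in the article.
</p>

```javascript
// Added example: a minimal Certificate Transparency watch for identifiers you
// own. Entries are constructed stand-ins for records pulled from a CT log
// search; the issuer strings are placeholders except "Fina RDC 2020".

// SANs arrive typed (dNSName / iPAddress); render them in one comparable form.
function normalizeSan(san) {
  return `${san.type}:${String(san.value).trim().toLowerCase()}`;
}

// Does a SAN cover a watched identifier? Exact match, or a wildcard exactly one
// label up (*.one.one.one covers one.one.one.one, not one.one.one or a.b.one.one.one).
function sanCovers(san, watched) {
  if (san.type !== watched.type) return false;
  const s = String(san.value).toLowerCase();
  const w = String(watched.value).toLowerCase();
  if (s === w) return true;
  if (san.type === 'dNSName' && s.startsWith('*.')) {
    const suffix = s.slice(1); // ".one.one.one"
    if (!w.endsWith(suffix)) return false;
    const labelsBefore = w.slice(0, w.length - suffix.length);
    return labelsBefore.length > 0 && !labelsBefore.includes('.');
  }
  return false;
}

// watchlist: [{ identifier: {type, value}, allowedIssuers: [names] }]
// entries:   [{ logIndex, issuer, notBefore, notAfter, sans: [{type, value}] }]
// Returns one alert per (entry, watched identifier) pair whose issuer is not allowed.
function findUnauthorizedIssuance(entries, watchlist, now = new Date()) {
  const alerts = [];
  for (const entry of entries) {
    for (const watch of watchlist) {
      const hit = entry.sans.find((san) => sanCovers(san, watch.identifier));
      if (!hit) continue;
      if (watch.allowedIssuers.includes(entry.issuer)) continue;
      const notBefore = new Date(entry.notBefore);
      const notAfter = new Date(entry.notAfter);
      alerts.push({
        logIndex: entry.logIndex,
        issuer: entry.issuer,
        identifier: normalizeSan(watch.identifier),
        matchedSan: normalizeSan(hit),
        stillValid: notBefore <= now && now < notAfter,   // still usable for interception?
        ageDays: Math.floor((now - notBefore) / 86400000), // how long it went unnoticed
      });
    }
  }
  return alerts;
}

// Constructed sample data (not real log records).
const WATCHLIST = [
  { identifier: { type: 'iPAddress', value: '1.1.1.1' }, allowedIssuers: ['Expected DNS CA (placeholder)'] },
  { identifier: { type: 'dNSName', value: 'one.one.one.one' }, allowedIssuers: ['Expected DNS CA (placeholder)'] },
];
const SAMPLE_ENTRIES = [
  { logIndex: 1, issuer: 'Expected DNS CA (placeholder)', notBefore: '2025-05-01', notAfter: '2025-07-30',
    sans: [{ type: 'iPAddress', value: '1.1.1.1' }, { type: 'dNSName', value: 'one.one.one.one' }] },
  { logIndex: 2, issuer: 'Fina RDC 2020', notBefore: '2025-05-10', notAfter: '2026-05-10',
    sans: [{ type: 'iPAddress', value: '1.1.1.1' }] },
  { logIndex: 3, issuer: 'Fina RDC 2020', notBefore: '2025-05-10', notAfter: '2025-08-01',
    sans: [{ type: 'iPAddress', value: '1.1.1.1' }] },
  { logIndex: 4, issuer: 'Some Other CA (placeholder)', notBefore: '2025-06-01', notAfter: '2026-06-01',
    sans: [{ type: 'dNSName', value: '*.one.one.one' }] },
  { logIndex: 5, issuer: 'Some Other CA (placeholder)', notBefore: '2025-06-01', notAfter: '2026-06-01',
    sans: [{ type: 'dNSName', value: 'unrelated.example' }] },
];

// Run the watch as of the day the mis-issuance became public (constructed clock).
function demoAlerts(now = new Date('2025-09-03')) {
  return findUnauthorizedIssuance(SAMPLE_ENTRIES, WATCHLIST, now);
}

for (const a of demoAlerts()) {
  console.log(`ALERT log#${a.logIndex} ${a.identifier} via ${a.matchedSan} issued by "${a.issuer}"`
    + ` stillValid=${a.stillValid} unnoticedFor=${a.ageDays}d`);
}
```

Wired to a real CT search result feed, the same function would have raised three alerts here: two for the 1.1.1.1 certificates from the unexpected issuer and one for a wildcard covering the watched hostname.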

<p>
	 
</p>

<p>
	<em>This story was updated to correct an explanation of TLS certificates and to report newly available details.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-1-dns-service-pose-a-threat-to-the-internet/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 4 September 2025 at 2:59 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31173</guid><pubDate>Thu, 04 Sep 2025 05:00:43 +0000</pubDate></item><item><title>How Passkeys Work&#x2014;and How to Use Them</title><link>https://nsaneforums.com/news/security-privacy-news/how-passkeys-work%E2%80%94and-how-to-use-them-r31166/</link><description><![CDATA[<h3>
	Passkeys want to create a password-free future. Here’s what they are and how you can start using them.
</h3>

<p>
	<span class="lead-in-text-callout">Passwords suck. They're</span> hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where <a href="https://www.wired.com/story/stopped-using-passwords-passkeys/" rel="external nofollow">passkeys</a> come into play. The <a href="https://www.wired.com/story/passkey-portability-fido-alliance/" rel="external nofollow">so-called “war on passwords”</a> has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://fidoalliance.org/" href="https://fidoalliance.org/" rel="external nofollow" target="_blank">FIDO Alliance</a> (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.
</p>

<p>
	 
</p>

<p>
	Like it or not, you’ll be prompted to create a passkey at some point, and you <a href="https://www.wired.com/story/stopped-using-passwords-passkeys/" rel="external nofollow">likely already have</a>. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here's everything you need to know about using them.
</p>

<p>
	 
</p>

<div class="AccordionItemContainerContent-bPelIb leTzLN closing-animation">
	<div>
		<ul>
			<li>
				<a href="#what-are-passkeys" rel=""><strong>What Is a Passkey?</strong></a>
			</li>
			<li>
				<a href="#are-passkeys-safe" rel=""><strong>Are Passkeys Safe?</strong></a>
			</li>
			<li>
				<a href="#passkeys-vs-2fa-and-mfa" rel=""><strong>Passkeys vs. 2FA and MFA</strong></a>
			</li>
			<li>
				<a href="#a-complete-list-of-devices-and-browsers-that-support-passkeys" rel=""><strong>Devices and Browsers That Support Passkeys</strong></a>
			</li>
			<li>
				<a href="#how-to-create-and-store-passkeys" rel=""><strong>How to Create and Store Passkeys</strong></a>
			</li>
			<li>
				<a href="#applications-that-support-passkeys" rel=""><strong>Apps That Support Passkeys</strong></a>
			</li>
			<li>
				<a href="#passkeys-will-eventually-replace-passwords" rel=""><strong>Passkeys Will (Eventually) Replace Passwords</strong></a>
			</li>
		</ul>
	</div>
</div>

<div id="what-are-passkeys" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		What Is a Passkey?
	</h2>
</div>

<p>
	Passkeys offer a way of confirming you are who you say you are without remembering a long, complicated password, and in a manner that's resistant to common attacks on passwords like phishing and dictionary attacks.
</p>

<p>
	 
</p>

<p>
	“Passkeys are built to replace passwords and outdated forms of two-factor authentication entirely,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED. They represent a rare step forward in cybersecurity, one that’s not only easier to use than previous methods but also safer.
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-IJXIe bbvBNt callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b773b8430f2c14e47dad42/master/w_960,c_limit/ebay-passkey.jpg"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">eBay via Jacob Roach</span></em>
	</div>

</div>

<p>
	Conceptually, passkeys can come in many forms, but you’ll most commonly interact with them on a device you own. For example, imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified. You can use your phone as a passkey, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username.
</p>

<p>
	 
</p>

<p>
	Passkeys end up being safer and more convenient than passwords because they work in a fundamentally different way. Passwords are what you’d call a “shared secret” in the world of cybersecurity. You know the secret, and so does the service you’re signing in to. The problem is that you have to remember that secret, and you aren’t fully in control of it, as you have to share that secret with whatever service you’re using. A data breach and a little decryption time are all that's needed to end up with a compromised account, and you didn't even do anything wrong.
</p>

<p>
	 
</p>

<p>
	Passkeys use <a href="https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/" rel="external nofollow">public-key cryptography</a>. Instead of matching a shared secret, public-key cryptography works by matching a pair of keys—a public key that anyone can see, and a private key that only you have access to. It’s safer because only you have access to your private key, and it’s easier because that key is bound to some device you own and usually secured with biometrics.
</p>

<div id="are-passkeys-safe" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Are Passkeys Safe?
	</h2>
</div>

<p>
	Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a small amount of information to the service you’re signing into, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything.
</p>

<p>
	 
</p>

<p>
	On the device where you created the passkey, you’ll have to unlock your private key, usually with some form of biometric authentication, so that it can answer a “challenge” from the service. If that succeeds, the challenge is signed and sent back to the service you’re trying to log into. The signature is then checked against the public key, and if it verifies, you’re given access. Critically, this authentication happens on your device, not on a server far away.
</p>

<p>
	 
</p>

<p>
	With a password, there’s a ton of room for an attacker to potentially steal your password. Data breaches might expose your password, and even if it’s encrypted, it can be cracked. Phishing schemes are an easy vector of attack for hackers looking to steal passwords. And, if you’re using a service with spotty security practices, you could have a password exposed as plaintext in a breach; there are <a href="https://www.wired.com/tag/data-breaches/" rel="external nofollow">dozens and dozens of examples</a> of this happening before.
</p>

<div id="passkeys-vs-2fa-and-mfa" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Passkeys vs. 2FA and MFA
	</h2>
</div>

<p>
	Passkeys are tricky because they fly in the face of security conventions that have been around for years—namely, two-factor (2FA) or multifactor authentication (MFA). Although you don’t need to plug in a code from a text or copy something over from an authenticator app, passkeys inherently use multifactor authentication. It just happens so fast that it’s easy to miss.
</p>

<p>
	 
</p>

<p>
	MFA is about adding additional layers of protection beyond your password. Instead of just your password, you need it and a code texted to you, for example. Passkeys already work that way. You need to match the public-private key pair, but you also need to authenticate that you have access to that private key, usually with biometrics. It’s not “something you know and something you own,” as 2FA is normally described, but it’s still two layers of authentication.
</p>

<p>
	 
</p>

<p>
	Here's how Shikiar describes it: “When you sign in, the service issues a cryptographic challenge that can only be answered with the private key on your device, verified by something you have (like your phone or laptop) and often something you are (like a biometric). The result is a phishing-resistant login with no reusable credentials to steal.”
</p>

<div id="a-complete-list-of-devices-and-browsers-that-support-passkeys" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Devices and Browsers That Support Passkeys
	</h2>
</div>

<p>
	Passkeys are broadly integrated at an operating system level. If you’re using an OS that doesn’t natively support passkeys—i.e., Linux—you can still use them. However, you’ll need to use another device, like your phone, to scan a QR code and authenticate yourself, or a third-party password manager.
</p>

<p>
	 
</p>

<p>
	Here are the operating systems that fully support passkeys:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.wired.com/story/how-to-use-passkeys-google-chrome-android/" rel="external nofollow">Android 9 or newer</a>
	</li>
	<li>
		iOS [and iPadOS] 16 or newer
	</li>
	<li>
		macOS 13 (Ventura) or newer
	</li>
	<li>
		Windows 10/11 23H2 or newer
	</li>
</ul>

<p>
	 
</p>

<p>
	Each one of these operating systems supports passkeys for native apps, as well as in your browser. Chromium supports passkeys, which covers the vast majority of browsers available, including Brave, Opera, Vivaldi, and <a href="https://www.wired.com/story/how-to-use-passkeys-google-chrome-android/" rel="external nofollow">Google Chrome</a>. The major non-Chromium browser, Mozilla Firefox, also supports passkeys on version 122 or newer.
</p>

<div id="how-to-create-and-store-passkeys" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		How to Create and Store Passkeys
	</h2>
</div>

<p>
	To use passkeys, you need to store them somewhere. The major operating systems that support passkeys already include a way to store them, but they aren’t all created equal.
</p>

<div id="windows-1011" style="outline: none;" tabindex="-1">
	<h2>
		Windows 10 and Windows 11
	</h2>
</div>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b7732bacab424f465ff8fa/master/w_960,c_limit/windows-hello-passkeys.png"></picture></span>
</div>

<p>
	 
</p>

<p>
	You need to set up Windows Hello to use passkeys on Windows 10 or Windows 11. You might have set it up during installation, but if not, you can enable it in the <strong>Settings</strong> app by clicking <strong>Accounts &gt; Sign-in options</strong>. Whenever you want to use a passkey, you’ll need to authenticate with Windows Hello, be it with your face, fingerprint, or PIN.
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b7733f9f479e9a393cddec/master/w_960,c_limit/passkeys-windows.png"></picture></span>
</div>

<p>
	 
</p>

<p>
	Windows 10 or 11, version 23H2 or later, will prompt you to use a passkey whenever you attempt to sign in to a supported service on a supported browser (or through a native Windows app). Unlike other operating systems, these passkeys aren’t synced across your devices. They only work on your Windows device.
</p>

<div id="macos" style="outline: none;" tabindex="-1">
	<h2>
		macOS
	</h2>
</div>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b772e15b0a08b8f59b68ae/master/w_960,c_limit/passkeys-macos.png"></picture></span>
</div>

<p>
	 
</p>

<p>
	Both macOS and iOS [and iPadOS] store passkeys on your iCloud Keychain, so you’ll need to turn your Keychain on if it’s not already enabled. You can turn it on in the <strong>Settings</strong> app by following <strong>Apple ID &gt; iCloud &gt; Passwords and Keychain</strong>. You’ll need to enable 2FA for your Apple ID to use iCloud Keychain.
</p>

<p>
	 
</p>

<p>
	Similar to Windows, you’ll be prompted to create a passkey whenever you create a new account with a service that supports passkeys. If you want to add a passkey to an already created account, you’ll have to do so through that application’s settings. Unlike Windows, these passkeys work across devices, assuming you have access to your iCloud Keychain.
</p>

<p>
	 
</p>

<p>
	In newer versions of macOS (version 15 and later), it’s much easier to create and manage passkeys through the <a href="https://www.wired.com/story/apple-password-app-ios-18/" target="_blank" rel="external nofollow">dedicated Passwords app</a>.
</p>

<div id="ios" style="outline: none;" tabindex="-1">
	<h2>
		iOS [and iPadOS]
	</h2>
</div>

<p>
	iOS [and iPadOS] follows the same principles as macOS when it comes to passkeys. They’re stored in your iCloud Keychain and synced across your devices. In iOS [and iPadOS] 18 and newer, you can manage passkeys in the dedicated Passwords app, and in older versions, you can find them in your settings.
</p>

<p>
	 
</p>

<div class="GroupCalloutWrapper-cfrXZg jpfwZP callout callout--group callout--group-2" data-event-boundary="click" data-event-click='{"pattern":"GroupCallout"}' data-in-view='{"pattern":"GroupCallout"}' data-include-experiments="true" data-testid="GroupCalloutWrapper">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b776ca9f479e9a393cddee/master/w_960,c_limit/ios-passkey-updates.jpeg"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">iOS via Jacob Roach</span></em>
	</div>


	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b776cad59a90052ae2eef4/master/w_960,c_limit/ios-passwords.jpeg"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">iOS via Jacob Roach</span>
	</div>
</div>

<div id="android" style="outline: none;" tabindex="-1">
	<h2>
		Android
	</h2>
</div>

<p>
	Android 9 and newer versions <a href="https://www.wired.com/story/how-to-use-passkeys-google-chrome-android/" rel="external nofollow">support passkeys</a>, but in different forms. By default, passkeys in Android will use the Google Password Manager, which is tied to your Google Account and syncs across your devices. On Android 14 and newer, you can choose to store your passkeys elsewhere, such as in a third-party password manager.
</p>

<h2>
	Passkeys in a Password Manager
</h2>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="What Is a Passkey Heres How to Set Up and Use Them" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68b77671430f2c14e47dad44/master/w_960,c_limit/1password-passkey.png"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Chrome via Jacob Roach</span></em>
</div>


<p>
	If you want all your passkeys on all your devices, operating system be damned, you need a password manager. Most of the <a href="https://www.wired.com/story/best-password-managers/" rel="external nofollow">best password managers</a> support passkeys, allowing you to store and sync them on nearly any device. I personally use <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://1password.com/" href="https://cna.st/affiliate-link/252UdZcajgSFKLYYghnedaPfGbw1WcSShgSZqEqxKJPPNg6VFeHDSNSRHvvqQeDxMZtNvtGRhwiZyc9iL7BtCFJzR6fYiry7rjF3TxSpFvg13r5X7ZCKRc62zaBinRvuaJ54byzDrArzFVDeRrSHyXVWAHHnntn1Bt6LRB6iNK6kjpiz82oaowZEYLtcGabTjAKvH2DTyGpQVMdPBDHG8Rp9VDyvXHBUnfEEoNxHzhtj5kJgcoeAVoLbs6of6sEdScZm4EqVstvA5q7uEbCRve4TZgvbkp" rel="external nofollow" target="_blank">1Password</a>, but services like NordPass, <a href="https://www.wired.com/review/bitwarden-password-manager/" rel="external nofollow">Bitwarden</a>, and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.dashlane.com/" href="https://cna.st/affiliate-link/2axRRXrp1mKAPWKS9mQrxF16BEtyqqoTf7eK9cZydTc1tvVA4DiBVjNcF694VzMfRXLQnkiXYdYdLWTfkj2KMkxAAp92RuADpDbUnwanTsnVvGu2p6sPyKaVb1TZV5RrfrTdo26Rc8ibxcnT1pBW8RDwch5r4dyb3xgdojhLgoDVBXy2saAK2sQrxz3Q8Y78oXUa1aCsCHNQpXwdYhrjiKd3XCAL7uY1VFecqtShWQ3x3UXH91fazkMNNt8aBF8ZxPe3Fi5DYawF3UV9N2Vxfd5F9wsGfthQdS" rel="external nofollow" target="_blank">Dashlane</a> also support passkeys. You can create and store passkeys with a password manager on Android and iOS [and iPadOS].
</p>

<p>
	 
</p>

<div class="ContentCardEmbedWrapper-kFpFGN dpdjmB content-card-embed content-card-embed--stacked" data-event-boundary="click" data-event-click='{"pattern":"ContentCardEmbed"}' data-in-view='{"pattern":"ContentCardEmbed"}' data-include-experiments="true" data-testid="ContentCardEmbedWrapper">
	<div class="ContentCardEmbedImage-iBIXcR jiOHKG content-card-embed__image" data-testid="ContentCardEmbedImage">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO responsive-image" style=""><img alt="3D rendering of a password text box with asterisk symbols next to a red padlock" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/641e1a1b43ffd37beea02cdf/master/w_640,c_limit/Best%20Password%20Managers%20Gear%20GettyImages-1408198405.png"></picture></span>
	</div>
</div>

<div id="applications-that-support-passkeys" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Apps That Support Passkeys
	</h2>
</div>

<p>
	There are only a few places where you can store and sync passkeys, but plenty of services support passkeys for signing in. The usual suspects include Microsoft, Adobe, Amazon, Google, and Apple, but there are still many websites and apps that don’t support passkeys.
</p>

<p>
	 
</p>

<p>
	You can find a handful of directories that claim to hold a complete list of apps that support passkeys with a quick Google search. <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://passkeys.directory/" href="https://cna.st/affiliate-link/XtSR1GXKWeHnepe7k3epZoymr92kreQo9joW1ZP21QoN2XTsV6QSe2Z4949SxScTzNkRphVhwmKLmMvQDW9eTrpQuvsDVYm9dQCJ272qDSqMCzcLSee4R7uP7Q2p9U6cG7GgyGXhWnCSKMY6Yq5mwRbmHqJTjBbJ6iKjWkxgX8zfzQLCfafk3Sf3qyxK2aV9UHi1gt4PGzqkaGCdmtQfpX3YYQmwuFZs7sLiqjXwpwgd3Vo2AEbWFjBeXU3pBp7mVLuwhxfps1Ki6ckuiaakLU9JkWoQQghjBErG" rel="external nofollow" target="_blank">1Password maintains one directory</a>, as do a couple of B2B services, including a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.passkeys.io/who-supports-passkeys" href="https://cna.st/affiliate-link/6exhfamEeE8bkUyUzd1bW5vQN2U7Lwc6nwYmBqAjfe2yM9xKFeytwMN423RrcUR4yFMqR334nRA37qgrM3SCpLLRfanMZovChX7QPsHutBwe7bZs5H2NasWm6SsLdhUVSViKeuWQjS8RH2aQVtPR3ZS9N6ggUNZHThsyzDfLiceohqfPgrJY7efZsrevd5NULzy5DsY7HqPtZ7hY341hNJxaFR7ZYpPk45dyiKrTPhdKCnvmG4WWYZgkVMUgmNwSdonVdt1x9x4n4FDqjNPU8ujrhBj1QFv1d7HnhtCTr5ah3ds3kUsThcif1y1rL" rel="external nofollow" target="_blank">directory from Hanko</a> and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.passkeys.com/websites-with-passkey-support-sites-directory" 
href="https://cna.st/affiliate-link/B3TtCQX4Kz5FuM9NiAL4VXqmxHPf5vgFQruMZpxxoT8hLM7JQ63gBuGykrL2wAXLWqvfHuCimm2gk6s1zpE5T5VRKQzQyaDcASWPWHd17RT46yw9SdvxExmuxpGebA5kfqRPt67MgqA6gtu9DXivuGmfhtBb3yxTyPvxTFFEoESnZ6QACVxSvqEeq4L38nViZjkQZTAiG4yGE5Gk8BtQoRucgLdH4uES62cZ7eseHVzHW1MuKj3jcJJzpFv4xRii7EhbKaWr4QAfcVUE9eqSysJksZocjBX5reQTR2obvZZmG8aqq1Pt2Mj3XwtxrrZdVHEyiW43pRFaNWsBfn11uEm3TGdANTE" rel="external nofollow" target="_blank">another from OwnID</a>. These aren’t complete lists. Meta apps like Facebook and Instagram aren’t listed, for example, despite adding <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://about.fb.com/news/2025/06/introducing-passkeys-facebook-easier-sign-in/" href="https://about.fb.com/news/2025/06/introducing-passkeys-facebook-easier-sign-in/" rel="external nofollow" target="_blank">support for passkeys in June 2025</a>.
</p>

<p>
	 
</p>

<p>
	The <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://passkeys.2fa.directory/us/" href="https://cna.st/affiliate-link/6AeCGcpfTzQfze9vr8D7yzRWGmseLHkYRhKqWGwFyvSXQNZWUs3ye1KeV4qnHN6a53wSUSLqkYRSzQSY57fbwNcGdXT2TUQddxC8sGV3eTRXp48ZS354YiUBF2Q692QfYD64UcgdWfE4UeLcEennA1od2EnNukeHYLQiUiwE5M4W3NVyoXLQqQho5SsvU7EExC72AvZJyqvzhR1kQhFonSQLbmPRQaAHVn76KMF1r8P7cGqREkXKj2JSpwUgCMB9vv8dDrpJ5SeCDEMUXbBkPC8cLVMYeUp9NZM9ZXDVzqtg2Y" rel="external nofollow" target="_blank">best directory I’ve come across</a> is from a nonprofit called 2factorauth in Sweden. It’s hosted on GitHub, updated constantly, and critically, maintained by the community. It’s the most up-to-date I’ve found, and apps are even organized into categories so you can, for instance, pick a VPN service that supports passkeys.
</p>

<div id="passkeys-will-eventually-replace-passwords" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Passkeys Will (Eventually) Replace Passwords
	</h2>
</div>

<p>
	Passkeys were built to replace passwords, but we’re in the middle of a long, arduous transition to get there. It requires every app, device, and operating system to adopt a new standard of authentication and ditch a model we've been using for decades throughout our entire digital lives.
</p>

<p>
	 
</p>

<p>
	The inflection point is well underway, though. With major services adopting passkeys, it’s possible to use them across your most important accounts. If nothing else, it’s worth using passkeys on accounts that are connected to others, such as your Google or Facebook account if you use social sign-on features.
</p>

<p>
	 
</p>

<p>
	Despite offering clear security advantages, passkeys aren't a (excuse the pun) turnkey solution for better security. As Shikiar puts it, “Passkeys secure the front door, but organizations still need to harden the entire identity journey, ranging from onboarding and recovery to session management.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 4 September 2025 at 4:14 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31166</guid><pubDate>Wed, 03 Sep 2025 18:20:42 +0000</pubDate></item><item><title>2FAS Pass: local-first password manager from the makers of 2FAS Auth</title><link>https://nsaneforums.com/news/security-privacy-news/2fas-pass-local-first-password-manager-from-the-makers-of-2fas-auth-r31157/</link><description><![CDATA[<p>
	There is certainly no shortage of password managers for all modern operating systems. They range from traditional password managers like <a data-wpel-link="internal" href="https://www.ghacks.net/2018/05/28/keepass-password-safe-review/" rel="external nofollow">Keepass</a>, which save passwords locally, to cloud-based solutions like <a data-wpel-link="internal" href="https://www.ghacks.net/2025/01/16/first-bitwarden-password-manager-update-of-2025-improves-password-auto-fill/" rel="external nofollow">Bitwarden</a>, which sync data between devices to make using a password manager more convenient.
</p>

<p>
	 
</p>

<p>
	The makers of the open source authenticator 2Fas Auth have expanded this year into password manager territories. Their <a data-wpel-link="external" href="https://2fas.com/pass/" rel="external nofollow" target="_blank">2Fas Pass</a> application is open source and was launched just a few months ago.
</p>

<p>
	 
</p>

<p>
	2Fas Pass uses the same design principles as the organization's authenticator app. It is designed with security and privacy in mind and follows the organization's local-first principle. Its zero-knowledge architecture protects data at rest and while in transit.
</p>

<p>
	<img alt="2Fas Pass" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/09/IMG_0023-scaled.webp">
</p>

<p>
	First, the basics. The password manager is available as a native app for Android and iOS only. You can install browser extensions to integrate it with desktop operating systems, but still need to run the mobile app as data needs to be retrieved from the application.
</p>

<p>
	 
</p>

<p>
	You can install the app free of charge and are not required to create an account. The very first thing you need to do after installing the password manager is to generate secret words and set a master password. The first part happens automatically; the second asks for a password that needs to be at least nine characters long.
</p>

<p>
	 
</p>

<p>
	Once you have set the local password you are good to go. You need to download the vault decryption kit as a PDF or print it. This is the only option to restore access to the password database if you forget the password.
</p>

<p>
	 
</p>

<p>
	The password manager can import or export passwords. It supports a wide range of password services, including 1Password, Bitwarden, browsers like Chrome or Firefox, or LastPass. There is also an option to import a backup of 2Fas Pass passwords, for instance to move the database to another device.
</p>

<h3>
	2Fas Pass free vs. paid
</h3>

<p>
	The free version has three main restrictions. First, you can only save up to 200 items in the password manager. Second, you can't sync the passwords between devices. Third, you can only install and use one browser extension. The paid version removes the restrictions and costs about $10 per year. It is for you to decide whether the restrictions are too limiting.
</p>

<h3>
	Security tiers for passwords
</h3>

<p>
	One interesting feature of 2Fas Pass is the ability to set security tiers for passwords. The password manager supports secret, highly secret, and top secret tiers.
</p>

<p>
	 
</p>

<p>
	The main differentiating factor is access to the passwords. Secret passwords work with autofill and are also available in the browser extensions. Highly secret passwords become available only after you complete an additional confirmation step. Top secret passwords, finally, are isolated and they do not support autofill at all.
</p>

<h3>
	Closing Words
</h3>

<p>
	2Fas Pass is a new open source password manager with an interesting option to set the security level of individual passwords and a security- and local-first design. Desktop users may find the lack of dedicated desktop apps problematic. The limits of the free version may also keep some users from making the switch. While many may not run into the 200-password limit, restricting extension installations to just one browser could keep some users from even trying the password manager.
</p>

<p>
	 
</p>

<p>
	The price of a subscription is reasonable on the other hand and the only way for the organization to fund development and support.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/09/02/2fas-pass-local-first-password-manager-from-the-makers-of-2fas-auth/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 3 September 2025 at 5:35 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31157</guid><pubDate>Wed, 03 Sep 2025 07:36:25 +0000</pubDate></item><item><title>Google denies major Gmail security warning that says 2.5 billion users are in danger</title><link>https://nsaneforums.com/news/security-privacy-news/google-denies-major-gmail-security-warning-that-says-25-billion-users-are-in-danger-r31141/</link><description><![CDATA[<p>
	Google has issued a statement that a fake warning has gone out to Gmail users about a major security issue with the email platform. Google has said that the claim that its email offering has a security flaw is entirely false. To reassure customers, the company said that Gmail’s protections are strong and effective.
</p>

<p>
	 
</p>

<p>
	The search giant said that its protections block more than 99.9% of phishing and malware attempts. It said that the firm takes security incredibly seriously and continues to invest, innovate, and communicate on security. While it is true that phishers are always trying to find methods to infiltrate users’ inboxes, the <a automate_uuid="046bcaab-c755-4172-84f1-96f88446ab7f" href="https://sea.mashable.com/tech/39322/gmail-users-change-your-password-now" rel="external nofollow">security warning</a> Google is talking about isn’t true.
</p>

<p>
	 
</p>

<p>
	The security warning Google is referring to isn't mentioned in its post, but there are numerous news reports stating that 2.5 billion Gmail users are at risk and that Google has told them to change their passwords. The search giant denies this.
</p>

<p>
	 
</p>

<p>
	To help users protect themselves against malicious actors, Google has several best practices for users to enhance their protection. One recommendation is to use secure password alternatives like passkeys. It also has a series of <a automate_uuid="368c6a2f-c503-417f-b252-d0b76bff624d" href="https://support.google.com/mail/answer/8253?hl=en" rel="external nofollow">best practices</a> that users can follow to stay safe; they can be summarized as follows:
</p>

<p>
	 
</p>

<ul>
	<li>
		Pay attention to warnings from Google
	</li>
	<li>
		Never respond to requests for private info
	</li>
	<li>
		Don’t enter your password after clicking a link in a message
	</li>
	<li>
		Beware of messages that sound urgent or too good to be true
	</li>
	<li>
		Stop &amp; think before you click
	</li>
</ul>

<p>
	 
</p>

<p>
	The primary message <a automate_uuid="e6adbab2-29f9-4b25-8a4e-a2a47c0a8fb9" href="https://blog.google/products/workspace/gmail-security-protections/" rel="external nofollow">from Google</a> is that claims of a major Gmail security warning are false. The measures Google has in place already are strong enough to deal with most breach attempts. By following the best practices, you can also make it harder for attackers to break into your account.
</p>

<p>
	 
</p>

<p>
	<em>Let us know in the comments if you've begun using passkeys and whether you prefer them over passwords.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-denies-major-gmail-security-warning-that-says-25-billion-users-are-in-danger/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 3 September 2025 at 3:35 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31141</guid><pubDate>Tue, 02 Sep 2025 17:36:03 +0000</pubDate></item><item><title>Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-blocks-largest-recorded-ddos-attack-peaking-at-115-tbps-r31140/</link><description><![CDATA[<p>
	Internet infrastructure company Cloudflare said it recently blocked the largest recorded volumetric distributed denial-of-service (DDoS) attack, which peaked at 11.5 terabits per second (Tbps).
</p>

<p>
	 
</p>

<p>
	In volumetric DDoS attacks, attackers overwhelm the target with massive amounts of data, consuming the bandwidth or exhausting system resources, leaving legitimate users with no access to the targeted servers and services.
</p>

<p>
	 
</p>

<p>
	"Cloudflare's defenses have been working overtime. Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the company <a href="https://x.com/Cloudflare/status/1962559687368593552" rel="external nofollow" target="_blank">said</a> in a Tuesday tweet.
</p>

<p>
	 
</p>

<p>
	"The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud," it stated, while showing in an attached image that the attack only lasted approximately 35 seconds.
</p>

<p>
	 
</p>

<p>
	This comes two months after Cloudflare announced <a href="https://www.bleepingcomputer.com/news/security/cloudflare-blocks-record-73-tbps-ddos-attack-against-hosting-provider/" rel="external nofollow" target="_blank">another record-breaking 7.3 Tbps DDoS attack</a> targeting an unnamed hosting provider in June. The <a href="https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-recorded-ddos-attack-peaking-at-38tbps/" rel="external nofollow" target="_blank">previous record was 3.8 Tbps</a> and two billion packets per second (pps), in an attack that Cloudflare also blocked in October 2024.
</p>

<p>
	 
</p>

<p>
	Microsoft also mitigated a <a href="https://www.bleepingcomputer.com/news/security/microsoft-mitigates-largest-ddos-attack-ever-reported-in-history/" rel="external nofollow" target="_blank">3.47 Tbps volumetric DDoS attack</a> in January 2022, when the attackers targeted an Azure customer from Asia. Another massive DDoS attack took down and disrupted multiple Microsoft 365 and Azure services worldwide in July 2024.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="11.5 Tbps DDoS attack" class="ipsImage" height="281" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/11_5%20Tbps%20DDoS%20attack.jpg">
		<figcaption>
			<em>11.5 Tbps DDoS attack (Cloudflare)</em>
		</figcaption>
	</figure>
</div>

<p>
	In April, Cloudflare also revealed in its 2025 Q1 DDoS Report that it <a href="https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-number-of-ddos-attacks-in-2025/" rel="external nofollow" target="_blank">mitigated a record number of DDoS attacks</a> in 2024, with a 198% quarter-over-quarter increase and a massive 358% year-over-year jump.
</p>

<p>
	 
</p>

<p>
	As the company stated, it mitigated a total of 21.3 million DDoS attacks that targeted Cloudflare's customers last year, as well as its own infrastructure in 6.6 million attacks over an 18-day multi-vector campaign.
</p>

<p>
	 
</p>

<p>
	"Of the 20.5 million DDoS attacks, 16.8M were network-layer DDoS attacks, and of those 6.6M targeted Cloudflare's network infrastructure directly," Cloudflare said at the time.
</p>

<p>
	 
</p>

<p>
	"These attacks were part of an 18 day multi-vector DDoS campaign comprising SYN flood attacks, Mirai-generated DDoS attacks, SSDP amplification attacks to name a few."
</p>

<p>
	 
</p>

<p>
	The most significant spike was in network-layer attacks, which also saw the sharpest growth since the start of 2025, reaching a 509% YoY increase.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cloudflare-blocks-record-breaking-115-tbps-ddos-attack/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 3 September 2025 at 3:34 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31140</guid><pubDate>Tue, 02 Sep 2025 17:35:03 +0000</pubDate></item><item><title>Steam will comply with the UK's age verification rules without sending any of your data to third-parties &#x2014; doing a better job than Xbox</title><link>https://nsaneforums.com/news/security-privacy-news/steam-will-comply-with-the-uks-age-verification-rules-without-sending-any-of-your-data-to-third-parties-%E2%80%94-doing-a-better-job-than-xbox-r31102/</link><description><![CDATA[<h3>
	Valve has outlined how its Steam storefront will comply with the UK Online Safety Act and requirements for age verification. It's refreshingly good.
</h3>

<p id="412543b4-7f58-4581-8f1b-60f983ef846f">
	For those of us in the UK, the <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/vpn-demand-erupts-in-uk-outpacing-france-in-the-face-of-adult-content-rules" href="https://www.windowscentral.com/software-apps/vpn-demand-erupts-in-uk-outpacing-france-in-the-face-of-adult-content-rules" rel="external nofollow">Online Safety Act</a> is now a reality. Services we use daily will require age verification for access to some or all of their content, all in the name of ensuring underage users don't see stuff they're not supposed to.
</p>

<p>
	 
</p>

<p>
	That includes gaming platforms such as Xbox and Steam. In the case of the latter, its owner, Valve, has now outlined how it intends to comply with the new law (via <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.gamingonlinux.com/2025/08/steam-uk-users-will-now-need-a-credit-card-to-access-mature-content-due-to-the-online-safety-act/" href="https://www.gamingonlinux.com/2025/08/steam-uk-users-will-now-need-a-credit-card-to-access-mature-content-due-to-the-online-safety-act/" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">GamingOnLinux</a>). And it's surprisingly sensible and uncontroversial.
</p>

<p>
	 
</p>

<p id="412543b4-7f58-4581-8f1b-60f983ef846f-2">
	Here's the breakdown from the official notice on the <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://help.steampowered.com/en/faqs/view/292B-3DA3-CFC8-97F6" href="https://help.steampowered.com/en/faqs/view/292B-3DA3-CFC8-97F6" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">Steam Support page</a>:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"In order to access Steam store pages for mature content games as well as their associated community hubs, you need to be logged into an active user account and explicitly opt-in through the account settings page.</em> <em>For UK users, this opt-in process requires age verification. Your UK Steam user account is considered age verified for as long as a valid credit card is stored on the account."</em>
</p>

<p>
	 
</p>

<div>
	<div>
		<p>
			<img alt="XBPlay on Steam Deck remote playing an Xbox console." class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/ykc4XDUNTdTFEVWYz4YkVm-1024-80.jpg">
		</p>

		<p>
			<em><span>Steam or Xbox, to access everything on the platforms as an adult in the UK you will have to verify your age. </span></em>
		</p>

		<p>
			<em><span itemprop="copyrightHolder">(Image credit: Windows Central)</span></em>
		</p>

		<p>
			 
		</p>

		<p id="7f99052c-4ee7-479d-b6e6-4e1db3bc20ba">
			Age verification has drawn a lot of criticism since becoming law. Not necessarily because of the actual verifying you're an adult part, but in many cases, the methods being used.
		</p>

		<p>
			 
		</p>

		<p>
			Valve is doing something that isn't out of the ordinary, that doesn't require sharing sensitive information with third parties, or scanning your biometrics, or any of that.
		</p>

		<p>
			 
		</p>

		<p>
			Steam will simply verify the credit card with a zero-charge transaction to ensure it's legitimate. You can't have a credit card under the age of 18, so it works. It will use the existing Steam payment system, which many of us already have a card attached to for buying games.
		</p>

		<div id="slice-container-newsletterForm-articleInbodyContent-Tr6wfHnX8HwGViF22LP9xe">
			<div data-hydrate="true">
				<div>
					 
				</div>

				<p>
					What isn't clear is how you could verify your age if you don't have a credit card. Valve says its methods are "data minimal" so I'm not sure if, say, a Visa debit card attached to your bank account would also work.
				</p>

				<p>
					 
				</p>

				<p>
					Valve states that this method is to preserve as much of its user privacy as possible while completing the necessary steps to comply with UK law. We may not have to like it, but it's how things are now, and this is at least arguably the best way to get it done.
				</p>

				<p>
					 
				</p>

				<p>
					This is in contrast to, say, <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/gaming/xbox" href="https://www.windowscentral.com/gaming/xbox" rel="external nofollow">Xbox</a>, which admittedly has this same method, but is promoting something very different. I, like other British customers, recently received an email notifying me of the requirement to verify my age.
				</p>

				<p>
					 
				</p>

				<div>
					<div>
						<p>
							<img alt="Xbox's UK age verification options, including age estimation and ID verification" class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/bNbohbeMTcfzMCPP4iJbid-1024-80.png">
						</p>

						<p>
							<em><span>The promoted ways of verifying your age with Xbox are NOT the ones you should use. Scroll a little further. </span></em>
						</p>

						<p>
							<em><span itemprop="copyrightHolder">(Image credit: Windows Central)</span></em>
						</p>

						<p>
							 
						</p>

						<p id="4755cae0-e491-4f66-bee2-23ba8b5669ff">
							Xbox has partnered with third-party firm Yoti as its method of age verification, as shown in the image above. There are, though, other methods that include a Valve-like credit card check, or checking with your mobile provider.
						</p>

						<p>
							 
						</p>

						<p>
							I'm more fine with either of the last two, but they're somewhat hidden, and they still use Yoti, not Microsoft's own systems. When I loaded the page, I couldn't even see the bottom two choices, and it was only on noticing the small text at the top that said "<strong>4 options</strong>" that I even thought to look.
						</p>

						<p>
							 
						</p>

						<p>
							This is the exact text from the email:
						</p>

						<p>
							 
						</p>

						<p style="margin-left: 40px;">
							<em>"We’re partnering with Yoti, a trusted, third-party identity verification provider, to give you a menu of options for how to securely verify your age. Starting early next year, age verification will be required for you to retain full access to social features on Xbox, such as voice or text communication and game invites. Until verification is completed, access to these features will be limited to friends only."</em>
						</p>

						<p>
							 
						</p>

						<p>
							You open the page, and you're literally screamed at to scan your face or submit your ID. To a company you have no dealings with, no knowledge of what they actually do with it, nothing.
						</p>

						<p>
							 
						</p>

						<p>
							I did the phone provider option, since I already have my number attached to my Microsoft Account anyway. I'd definitely encourage you to do the same, or use the credit card check. This, still, goes through Yoti, though, but I figured it's the least invasive option.
						</p>

						<p>
							 
						</p>

						<p>
							These two options should be the only options, just as Valve is doing with its checks. I'm disappointed that Xbox is pushing a method that involves handing over identifying data to a company you know nothing about.
						</p>

						<p>
							 
						</p>

						<p>
							<a href="https://www.windowscentral.com/gaming/pc-gaming/steam-will-comply-with-the-uks-age-verification-rules-without-sending-any-of-your-data-to-third-parties" rel="external nofollow">Source</a>
						</p>

						<hr class="ipsHr">

						<p>
							<span style="font-size:12px;"><em>Posted Sunday 31 August 2025 at 6:41 am AEST (my time).</em></span>
						</p>

					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">31102</guid><pubDate>Sat, 30 Aug 2025 20:43:37 +0000</pubDate></item></channel></rss>
