2FA Archives – Gridinsoft Blog
Mon, 06 Dec 2021 08:07:19 +0000

Attackers can bypass TikTok multi-factor authentication through the site
https://gridinsoft.com/blogs/attackers-can-bypass-tiktok-multi-factor-authentication-through-the-site/
Mon, 28 Sep 2020 16:11:09 +0000

The post Attackers can bypass TikTok multi-factor authentication through the site appeared first on Gridinsoft Blog.

Journalists at ZDNet, citing one of their readers, report that the web version of TikTok does not enforce the multi-factor authentication (via e-mail and SMS) that the developers rolled out to all users of the platform in August; the check is only performed by the mobile app.

Thus, an attacker who has somehow obtained someone else’s credentials (for example, through phishing or brute force) can log into the TikTok account through the site without ever being asked for a second factor.

“This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app”, write ZDNet journalists.

Fortunately, the web version does not allow changing the account password, so an attacker cannot lock the owner out and fully take over the account. What they can do is upload and publish videos, for example to damage the account’s reputation or to advertise a fraudulent product on behalf of a popular user. The publication also notes that hijacked accounts can be used to spread disinformation, propaganda and so on.

Journalists note that the TikTok mobile app does not notify the user in any way about active sessions in the web version. This essentially means that TikTok does not warn users at all when someone has used their credentials to log into the account through a browser.
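The shape of the flaw and of its fix, as an added example written for this post in Python (it is not TikTok’s or ZDNet’s code; the user store, the message outbox and the channel names "web" and "mobile" are constructed for the example). In `login_weak` the SMS/e-mail code is demanded only on the mobile channel, so the web channel accepts a password alone and opens the session silently; in `login_hardened` the second factor is a property of the account, enforced on every channel, and the first login from a channel the account has not used before sends the owner a notification.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password: str                 # kept in clear only to keep the example short; store a salted hash in practice
    mfa_enabled: bool
    known_channels: set = field(default_factory=set)


class LoginService:
    """Constructed stand-in for the account backend; 'channel' is the login surface (web or mobile)."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.pending = {}    # username -> one-time code delivered by SMS / e-mail
        self.outbox = []     # (username, text): stand-in for the SMS / e-mail gateway
        self.sessions = []   # (username, channel)

    def _password_ok(self, user, password):
        return hmac.compare_digest(user.password.encode(), password.encode())

    def _issue_code(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user.username] = code
        self.outbox.append((user.username, f"Your TikTok code is {code}"))
        return "mfa_required"

    def _open_session(self, user, channel):
        # First login from a surface the account has never used: tell the owner.
        if channel not in user.known_channels:
            self.outbox.append((user.username, f"New login from {channel}"))
            user.known_channels.add(channel)
        self.sessions.append((user.username, channel))
        return "ok"

    def last_message(self, username):
        return [text for who, text in self.outbox if who == username][-1]

    # The flaw as the article describes it: only the mobile app's login path asks for the code,
    # so the web login path accepts the password alone and opens the session silently.
    def login_weak(self, username, password, channel, code=None):
        user = self.users.get(username)
        if user is None or not self._password_ok(user, password):
            return "denied"
        if channel == "mobile" and user.mfa_enabled:
            if code is None:
                return self._issue_code(user)
            if not hmac.compare_digest(self.pending.pop(username, ""), code):
                return "denied"
        self.sessions.append((username, channel))
        return "ok"

    # Hardened: MFA is a property of the account and is enforced on every channel,
    # and a login from a channel the account has not used before notifies the owner.
    def login_hardened(self, username, password, channel, code=None):
        user = self.users.get(username)
        if user is None or not self._password_ok(user, password):
            return "denied"
        if user.mfa_enabled:
            if code is None:
                return self._issue_code(user)
            expected = self.pending.pop(username, "")   # single use: a wrong guess burns the code
            if not expected or not hmac.compare_digest(expected, code):
                return "denied"
        return self._open_session(user, channel)


if __name__ == "__main__":
    svc = LoginService([User("victim", "hunter2", mfa_enabled=True)])
    print("weak, web, password only:", svc.login_weak("victim", "hunter2", "web"))            # ok (the bypass)
    print("hardened, web, password only:", svc.login_hardened("victim", "hunter2", "web"))    # mfa_required
    code = svc.last_message("victim").split()[-1]
    print("hardened, web, with code:", svc.login_hardened("victim", "hunter2", "web", code))  # ok
    print("notification:", svc.last_message("victim"))                                        # New login from web
```

The point of the design is that the decision "does this account need a second factor" is made once, from account state, and every login surface (web, mobile, any future API) goes through the same function; a per-client check is exactly what lets one client fall behind the others.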

“It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features”, security researcher Zach Edwards told ZDNet.

TikTok developers have promised to fix the problem and extend multi-factor authentication to the site as well, but have not named a time frame.

“In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords”, TikTok advised.

ZDNet notes that the login page is protected by a CAPTCHA, so a wave of automated credential-stuffing attacks and mass compromise of TikTok accounts is unlikely. A CAPTCHA only raises the cost of bulk login attempts, however; it does nothing against an attacker who already holds one specific user’s password and types it in by hand.

Let me remind you that earlier this year, researchers managed to hack TikTok using SMS.

GitHub warned users about phishing attack
https://gridinsoft.com/blogs/github-warned-users-about-phishing-attack/
Mon, 20 Apr 2020 16:17:49 +0000

The post GitHub warned users about phishing attack appeared first on Gridinsoft Blog.

Representatives of the GitHub web service warned users of a massive phishing attack called Sawfish.

Users are increasingly receiving phishing e-mails with fake warnings about suspicious activity on their account or unexpected changes to a repository or to account settings.

“The links attached to such messages lead to a fake GitHub login page, created specifically to collect the victim’s credentials and transmit them to the attackers”, GitHub representatives say.

GitHub experts also note several noteworthy aspects of this campaign. For example, the phishing page is capable of intercepting two-factor authentication codes generated by a TOTP application (time-based one-time password) and using them in real time, within the short validity window of the code.

This allows attackers to take over accounts protected by 2FA. It is emphasized that users who log in with hardware security keys are not affected: a WebAuthn/U2F assertion is bound to the origin the browser is actually on, so a response produced on a lookalike domain is not valid for github.com.
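Why a real-time relay defeats a TOTP code but not a security key, as an added example written for this post (it is not GitHub’s code and does not reproduce the Sawfish kit). The phishing page takes the six-digit code the victim types and submits it to the real site within the same 30-second step, and the server accepts it; with WebAuthn the browser writes the page’s real origin into the signed client data, so an assertion produced on glthub[.]net fails the origin check on github.com. The `totp` function is the RFC 6238 algorithm and the usage at the bottom feeds it the RFC’s published test key; `Server` and `Authenticator` are simplified stand-ins (an HMAC over a shared credential key replaces the real ECDSA signature over authenticatorData and the client-data hash, and the origin strings are assumed for the example).

```python
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps implement."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Server:
    """The real site. Simplified stand-in: it checks TOTP codes and WebAuthn-style assertions."""
    ORIGIN = "https://github.com"

    def __init__(self, totp_secret: bytes, cred_key: bytes):
        self.totp_secret = totp_secret
        self.cred_key = cred_key        # stand-in for the registered credential's public key
        self.challenges = set()

    def verify_totp(self, code: str, now: int) -> bool:
        # Accept the current and the previous 30 s step, as most deployments do for clock drift.
        return any(hmac.compare_digest(totp(self.totp_secret, now - drift), code) for drift in (0, 30))

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify_assertion(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("origin") != self.ORIGIN:       # origin binding: the phished assertion dies here
            return False
        if client_data.get("challenge") not in self.challenges:
            return False
        self.challenges.discard(client_data["challenge"])  # single use: no replay of a captured assertion
        expected = hmac.new(self.cred_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


class Authenticator:
    """The user's security key. Real keys sign authenticatorData || SHA-256(clientDataJSON) with a
    per-site private key; an HMAC over the client data stands in for that signature here."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def sign(self, origin: str, challenge: str) -> dict:
        # The browser, not the page, fills in `origin` from the URL bar; a phishing page cannot forge it.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
        signature = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": signature}


def relay_totp_attack(server: Server, victim_secret: bytes, now: int) -> bool:
    """Victim types the current code into the phishing page; the kit submits it to the real site 5 s later."""
    victim_code = totp(victim_secret, now)
    return server.verify_totp(victim_code, now + 5)


def relay_webauthn_attack(server: Server, key: Authenticator, phishing_origin: str = "https://glthub.net") -> bool:
    """The kit forwards the real site's challenge to the victim's browser, which signs it with the phishing origin."""
    challenge = server.challenge()
    assertion = key.sign(phishing_origin, challenge)
    return server.verify_assertion(assertion)


def legitimate_webauthn(server: Server, key: Authenticator) -> bool:
    return server.verify_assertion(key.sign(Server.ORIGIN, server.challenge()))


if __name__ == "__main__":
    RFC_SECRET = b"12345678901234567890"          # RFC 6238 test key, not a real account secret
    CRED_KEY = b"constructed-credential-key"
    server, key = Server(RFC_SECRET, CRED_KEY), Authenticator(CRED_KEY)
    print("TOTP relayed through phishing page accepted:", relay_totp_attack(server, RFC_SECRET, 1111111109))  # True
    print("WebAuthn assertion from glthub.net accepted:", relay_webauthn_attack(server, key))                  # False
    print("WebAuthn assertion from github.com accepted:", legitimate_webauthn(server, key))                    # True
```

Nothing in the TOTP path tells the server who typed the code or where, which is why a 30-second window is plenty for an automated relay; the WebAuthn path carries the origin inside the signed data, so the server can refuse without the user having to notice the lookalike domain.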

The phishing e-mails are often sent from legitimate domains that have been compromised, while the phishing pages themselves sit on lookalike domains. The list noticed by GitHub experts includes git-hub[.]co, githb[.]co, glthub[.]net, glthubs[.]com and corp-github[.]com (note the dropped or swapped letters and the lowercase L standing in for an i).

“At the same time, the attacks are targeted not at all users indiscriminately, but mainly at active users working in large technology companies. Obviously, the attackers take the e-mail addresses that the developers used for public commits”, GitHub researchers say.

Attackers also make heavy use of URL shortening services to hide the final phishing address (sometimes chaining several shorteners to make the trail harder to follow). In some cases, victims are first sent to a compromised legitimate site and only then redirected to the phishing page.

If the attack succeeds and the credentials fall into the attackers’ hands, they often immediately download the entire contents of the private repositories the compromised user can access (including those belonging to organizations and other employees).

Users who have been affected by these attacks are asked to immediately reset their password, regenerate their two-factor recovery codes, review their personal access tokens (revoking any they do not recognize), and take additional measures to protect their account. In addition to hardware keys or WebAuthn 2FA, it is recommended to use a password manager: one that fills credentials only on the domain they were saved for will stay silent on a lookalike site, which is a useful phishing tell in itself.

Let me remind you that recently I wrote that a site with SSL is no longer a guarantee not to fall for the bait – almost three quarters of modern phishing sites use SSL.
