At this year's DEF CON conference in Las Vegas, white hat security researcher Marek Tóth demonstrated how threat actors could use a clickjacking attack to surreptitiously trigger and hijack a passkey-based authentication ceremony.

In the big picture, this is a story about how password managers could be tricked into divulging login information -- either traditional credentials such as user IDs and passwords, or credential-like artifacts associated with passkeys -- to threat actors. Are password managers to blame? Tóth -- the researcher who discovered the exploit -- suggests that they are, but the answer is more complicated.

Fully locking down any automated process is invariably the result of security in layers. Across the great majority of use cases where digital security matters, there is almost never a single silver bullet that wards off hackers. Depending on the layers of technology that combine to complete a workflow (for example, logging into a website), responsibility for the security of that process is shared by the parties that control each of those layers. Yes, password managers are one layer in stopping the exploit. But website operators and end-users -- the parties in control of the other layers -- must trade too much security for convenience in order for the exploit to work. Pointing fingers is useless. All parties at every layer must take action.

Every summer, the cybersecurity industry gathers in Las Vegas for the back-to-back Black Hat and DEF CON conferences, where security researchers take turns presenting their "big reveals." During the year leading up to the event, these researchers work to discover new, unreported vulnerabilities. The bigger the vulnerability and the more users affected, the greater the attention (and possibly the financial reward) that awaits a researcher. This year, several researchers announced a handful of issues that challenged the supposed superiority of passkeys as a login credential.
Unfortunately, despite their superiority, the passkey user experience varies so wildly from one website and app (collectively, "relying parties") to the next that passkeys risk being globally rejected by users. Despite these barriers to adoption, and in the name of doing the most to protect yourself (often from yourself), my recommendation continues to be: Take advantage of passkeys whenever possible.

In the interest of delivering sound advice to ZDNET's readers, I always double-check the veracity of any headlines that challenge the viability and superior security of passkeys. Various reports emerged from this year's Black Hat and DEF CON, citing potential trouble in passkey paradise. The one that got the most attention came from Tóth, who -- under a combination of very specific technical preconditions -- has discovered a way to hijack passkey-based authentications while those authentications are in progress. Although the exploit happens in the blink of an eye, it involves a complicated set of interactions and preconditions that, taken together, present a series of non-trivial obstacles to the attacker's chances of success.

At its heart, Tóth's exploit never steals a user's passkey (one of the core tenets of passkeys is that they can't be stolen). But it essentially steals the next best thing. At the moment that a user is tricked into inadvertently authenticating to a website with a passkey, the exploit intercepts a payload of information that was manufactured by the user's password manager with the help of his or her passkey for that site. As described in part 5 of my series on How Passkeys Actually Work, this payload is called the PublicKeyCredential, and it's like a one-time, single-use golden ticket that contains everything necessary for the user to log into their account on the legitimate website.
Once the attacker gains possession of this golden ticket, it can be used to log the attacker's system into the victim's account as though the attacker's system were the victim's system. And that's exactly what this exploit does. After loading malware into the victim's browser, the exploit -- a malicious cross-site script (XSS) -- intercepts that golden ticket and, instead of presenting it for entry into the legitimate site (as the user's browser typically does at the request of the password manager), sends it to the attacker's website. Then, with that golden ticket in hand, the attacker submits that same ticket from their own system to the legitimate website, effectively logging the attacker's system into the user's account on the legitimate website.

But, as mentioned earlier, Tóth's discovery relies on the pre-existence of several conditions involving the website in question, the user's choice of password manager, how they have that password manager configured, and the website operator's choice of technology for adding the ability to authenticate with a passkey. Whether you're an end-user, the operator of a website, or the vendor of a password manager, it's important to understand these conditions because, once you do, you'll also understand the defense. You can also judge for yourself who among the involved parties is most responsible for the vulnerability.

Microsoft says the 'Extended Security Updates' program is rolling out in waves and will be available to all by October 14, 2025.

Microsoft is set to cut support for Windows 10 on October 14, 2025. This move has received a lot of backlash from users, with some blatantly expressing a preference for Windows 10 over Windows 11, citing flawed design elements and stringent minimum system requirements among their reasons.
While Windows 11 recently surpassed Windows 10 as the most dominant desktop operating system, a public interest group (PIRG) petitioned Microsoft to reconsider its decision to pull support for Windows 10, indicating that it could lead to the single biggest jump in junked computers ever. Consequently, Microsoft has seemingly provided Windows 10 with a "buffer zone", or grace period, after its end of support.

For instance, Windows 10 users can enrol in Microsoft's Extended Security Updates (ESU) program, which will grant them an extra year of support. It's worth noting that the company recently changed the terms of the program from $30 per device to $30 for up to 10 devices. A Microsoft Account is also a mandatory requirement to make this payment. You can pay for the extended support program using 1,000 Microsoft Reward points if you don't want to hand over any hard cash, either. Alternatively, Windows 10 users can opt to sync PC settings data with the cloud via a Microsoft Account to continue receiving security updates from Microsoft for an extra year for free.

As you may know, enrolling your PC into the ESU program is done via a dedicated app that began rolling out in waves in July. However, October is fast approaching, and as it seems, a huge chunk of Windows 10 users are yet to gain access to the Extended Security Updates program.

While Microsoft isn't leaving Windows 10 users completely high and dry after pulling the plug on the operating system, thanks to its ESU program, several groups have come out to indicate that it's not a viable solution for the over 400 million PCs that can't upgrade to Windows 11. The Restart Project group, which helped co-develop the "End of 10" toolkit to support Windows 10 users who can't upgrade to Windows 11, says Microsoft's move to continue pushing security updates to Windows 10 beyond its end-of-support feels like a last-minute snooze button, which only acts as a band-aid on a bleeding system.
It's also calling on the political class to support its position: "Microsoft's decision not only accelerates premature disposal but also undermines efforts to extend product lifespans and puts additional pressure on resource use and waste management systems."

Elsewhere, a group called End of 10 has been pushing for users to transition to Linux as Windows 10's end-of-life approaches. The campaign encourages steadfast Windows 10 users to ditch the Windows ecosystem entirely and switch to a version of Linux on any outdated devices, using a lack of ads and telemetry tracking as the key selling points to get users to move over.

At the end of the day, the ESU program is a temporary solution for the issue, as users will still need to transition to a supported operating system, likely Windows 11. Microsoft hasn't been shy about its push to get users to upgrade.

This story, originally published on August 7, has been updated with additional information following a demonstration of the shared service principal exploit at the Black Hat hacking conference in Las Vegas, which, in turn, follows a Microsoft Exchange vulnerability directive issued by CISA. Details of a newly announced protection that adds to the Microsoft Defender security arsenal have also been added to the article.

Hot on the heels of an official security advisory from America's Cyber Defense Agency warning of camera hack attacks, the U.S. Cybersecurity and Infrastructure Security Agency has issued another alert. This time, it impacts users of Microsoft Exchange Server and, without immediate remediation, could enable an attacker to escalate privileges and "impact the identity integrity of an organization's Exchange Online service." But it's not all bad news on the Microsoft security front; the technology giant has confirmed new AI-powered protections to autonomously reverse engineer and classify malware, importantly, without any prior context requirement. Here's what you need to know.
There have been a number of security warnings impacting Microsoft users of late that may have caught your attention: the Windows JPEG hackers and, of course, the by now infamous SharePoint Server attacks, to name but two. The very latest, however, comes with the added weight of a CISA alert attached.

"CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786," the August 6 advisory warned, "that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations." Microsoft, meanwhile, has said that "starting in August 2025, we will begin temporarily blocking Exchange Web Services traffic using the Exchange Online shared service principal," as part of a "phased strategy to speed up customer adoption of the dedicated Exchange hybrid app and making our customers' environments more secure."

Although CISA confirmed that there has not been any observed active exploitation of CVE-2025-53786, it strongly urged organizations to follow the Microsoft guidance on this issue. CVE-2025-53786 is officially listed as a Microsoft Exchange Server Hybrid Deployment elevation of privilege vulnerability that follows an accompanying non-security hotfix issued when the hybrid deployment changes were announced on April 18. "Following further investigation," the official Common Vulnerabilities and Exposures database entry reads, "Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement." CISA added that it "highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet."

A researcher from Outsider Security, Dirk-Jan Mollema, has now demonstrated how the shared service principal behind the latest CISA advisory and directive can be exploited.
The demonstration, during a presentation at the Black Hat hacking conference in Las Vegas, went ahead after Microsoft was informed of its contents three weeks prior, Mollema told reporters from the Bleeping Computer cybersecurity site. As a result, the CVE-2025-53786 classification was made, and Microsoft issued the aforementioned mitigation guidance. "The report describing the possibilities for attackers was sent as a heads up to the Microsoft Security Response Center three weeks before Black Hat," Mollema confirmed, adding that "aside from this guidance Microsoft also mitigated an attack path that could lead to full tenant compromise (Global Admin) from on-prem Exchange."

The principle of the shared service principal is that, at least in hybrid configurations such as those relevant to the Microsoft Exchange warning, both Exchange Online and on-premises servers share a trust relationship that allows them to authenticate with each other, supposedly securely. As the Black Hat demonstration showed, provided the attacker has admin privileges for the on-premise Exchange server, so-called trusted tokens can be forged, and API calls manipulated, so as to appear perfectly legitimate as far as the cloud side of the authentication equation is concerned.