Google adds account sync for Authenticator, without E2EE


Also: Your Salesforce Community site might be leaking; a new CPU side-channel; and this week's critical vulns

You may have heard news this week that Google is finally updating its authenticator app to add Google account synchronization. Before you rush to ensure your two-factor secrets are safe in the event you lose your device, take heed: The sync process isn't end-to-end encrypted.
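Why exposure of the synced secret matters, as an added example that is not part of the original article: a TOTP code (RFC 6238) is a pure function of the seed and the clock, so any copy of the seed yields the same codes until the seed is re-enrolled. The function names are illustrative, `DEVICE_SEED` is the RFC 6238 test key and `ROTATED_SEED` is a constructed value.

```python
import base64, hashlib, hmac, struct

def totp(seed_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1): output depends only on the seed and the clock."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", max(0, unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(enrolled_seed, submitted, unix_time, window=1, step=30):
    """Relying-party check, tolerating +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(enrolled_seed, unix_time + d * step, step=step), submitted)
        for d in range(-window, window + 1)
    )

# Constructed sample values: the RFC 6238 test key, base32-encoded, and a second
# made-up seed standing in for one issued by re-enrolling 2FA.
DEVICE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
ROTATED_SEED = "JBSWY3DPEHPK3PXP"
NOW = 59  # RFC 6238 test time

def synced_copy_demo():
    synced_copy = DEVICE_SEED  # what any reader of the synced data would hold
    code_from_copy = totp(synced_copy, NOW)
    return {
        "code_from_copy": code_from_copy,
        "matches_device": code_from_copy == totp(DEVICE_SEED, NOW),
        "accepted_before_rotation": verify(DEVICE_SEED, code_from_copy, NOW),
        "accepted_after_rotation": verify(ROTATED_SEED, code_from_copy, NOW),
    }

if __name__ == "__main__":
    for name, value in synced_copy_demo().items():
        print(f"{name}: {value}")
```

The last field shows the recovery step for a seed that may have been exposed: re-enrolling 2FA at each service replaces the seed, after which codes from the old copy are rejected.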

by two-man developer and security research team Mysk, which said it found the problem by analyzing network traffic during the secret-syncing process.

we've covered in the past, this means the seed used to generate 2FA codes is being transmitted without E2EE and is likely visible to Google when stored on its servers. Because seeds are being synced to a Google account, an account compromise would mean all those second factors are compromised, too.

to reassure users they shouldn't be concerned because "we're always focused on the safety and security of Google users and the newest update to Google Authenticator was no exception." Brand said Google encrypts data in transit and at rest across its products. He asserted that E2EE provides extra protections, but at the cost of potentially being locked out of one's data without a recovery option.

Brand added that Google is beginning to roll out E2EE in some of its products and has plans to add it to Authenticator in the future, but a Google spokesperson told it didn't have a date to share when that may happen. Aside from that statement, Google referred us to Brand's comments.

Along with those claims, Brand also said that Google believes "our current product strikes the right balance for most users and provides significant benefits over offline use," that offline alternative being the way the app functioned prior to the update. Brand mentioned the offline option would remain an alternative "for those who prefer to manage their backup strategy themselves."

Our advice – especially for those that use Google Authenticator for work-related 2FA – would be to take advantage of that offline option. At least until Google can ensure its attempt to make one-time codes"

Salesforce Community users, check those user permissions

Users of Salesforce Community – a cloud-based tool that lets businesses spin up quick customer-facing websites – have a problem: Many of them aren't properly configuring user permissions, so they're leaking private data.

Community websites allow administrators to set separate permissions for authenticated users and guests, the latter of whom can access limited features without signing in. As reported by, a security researcher has found a "shocking number" of Community websites are leaking data because administrators are mistakenly granting guests access to internal resources.

This isn't a limited problem, either: Several banks, healthcare providers, and even state governments have been found exposing sensitive patient and customer data, said security researcher Charan Akiri. Akiri claims he's written a program that's identified hundreds of misconfigured sites. So now's the perfect time to double-check that admin console.

Maybe all the cyber criminals had their eyes turned to RSA this week, because it was somewhat quiet on the vulnerability front.

: Illumina's Universal Copy Service on a number of products contains a pair of flaws that could allow an attacker to take any action at the OS level.

: Keysight N8844A Data Analytics Web Service improperly deserializes untrusted data, allowing for remote code execution. The vulnerable product has been discontinued.

CISA also warned this week that the Service Location Protocol, commonly used by network-capable printers and also by VMware software, contains an as-yet unrated vulnerability that could allow an unauthenticated remote attacker to register arbitrary services and conduct a denial of service attack using SLP to spoof UDP traffic for attack amplification. CISA recommends disabling or restricting network access to SLP servers to avoid the issue.

: VMware Workstation Pro and VMware Fusion contain a stack-based buffer overflow vulnerability in how they share Bluetooth devices with virtual machines that can allow an attacker to execute code as the VM's VMX process. Patches are available.

Just when you thought it was safe to go back in the water, another

We have summarized this news so that you can read it quickly. If you are interested in the news, you can read the full text here. Read more:

TheRegister /  🏆 67. in UK

 
