When a company is breached, the typical reaction is to increase security across the board. But Twitch, the Amazon-owned game streaming company, has decided to reduce the minimum number of characters in user passwords, thereby allowing users to have less secure logins, in response to customer complaints.

The attack was announced yesterday on a company blog, whilst emails were also sent to concerned users. There’s little detail on the extent of the attack; Twitch simply said all user passwords were to be reset after it detected possible unauthorized access to some Twitch user account information. According to the email sent to users, some cryptographic protections were used on passwords, but it wasn’t clear how strong they were. And it said it was possible passwords could have been captured in plain text by malicious code when users logged into the site on 3 March.

Various kinds of data could have been compromised, including credit card information, in particular card type, a truncated card number and the expiration date. Usernames and associated email addresses, passwords, the last IP address users logged in from, phone number, address and date of birth were also potentially stolen. With all that information, a hacker would have a good chance of stealing a victim’s identity.

Users started to complain en masse across Twitch’s social networks, however. Some said they couldn’t remember their password, others said when they tried to change their passwords to anything less than 20 characters they weren’t allowed, due to the site’s restrictions. Texan Twitch customer Corbin Ellis told the company on their Facebook page that “if users want to use bad passwords, that’s their problem, not yours”. Twitch caved to customer demands, announcing it would reduce the limit on minimum password length to eight characters minimum.

Web security expert Troy Hunt told FORBES more than eight was surprisingly restrictive. “But what’s disheartening about this is that users have apparently baulked at creating passwords longer than eight characters so are clearly not getting the message on what constitutes a strong ‘secret’.”

Authentication expert Per Thorsheim said it didn’t make sense to lower the length requirement after a breach. “I’d say on the contrary in many cases. In this specific case they have dramatically lowered their requirements. From a security perspective this could be justified by new and better ways of sending, [encrypting] and storing your passwords.”

If any more evidence was needed that the username-password paradigm is a flawed form of authentication, the Twitch breach has provided it.

Source: Amazon's Twitch Hacked, Caves To Angry User Demands For Less Secure Passwords - Forbes

Twitch really took a beating on this one...
If you're currently on a Mac computer and using the Chrome browser, then a weird little quirk of Apple's OS X, just a special thirteen-character string, could cause your tab in Chrome to crash instantly.

A string of 13 characters (which appear to be in Assyrian), shown below in an image, is all that is needed to crash any tab in Chrome for OS X; however, this text has no impact on Windows, Android, or iOS operating systems.

This Chrome crash vulnerability has already been reported to the open-source Chromium project, which means that Google is likely aware of this troublesome issue.

What steps will reproduce the problem?
Any page with [that special character] will crash the chrome tab on a Mac. Just create any dummy page with the unicode characters, and the Mac Chrome tab will crash hard.

What is the expected result?
Expect it not to crash

What happens instead?
It crashes

Warning: Do not click on this link, which actually points to the bug report on the Chromium project describing the issue, if you are using Chrome on a Mac. If you click it, the Chrome tab in which the link opens will crash immediately.

Emil Protalinski of VentureBeat says even the tab showing the news article also crashes for some readers.

The issue appears to be small but is really serious, as it is possible for anyone to tweet out the text in question and crash Chrome for all Mac users whose Twitter timeline loads those characters.

The developer who discovered this bug gives two different scenarios in which this bug could be abused. "This is pretty serious. You could imagine someone spamming this message in Hangouts/Gmail and just straight-up force crashing all Mac Chrome browsers," the developer said. Furthermore, someone could post this 13-character string on Facebook walls or timelines and force-crash all Mac Chrome browsers that see the characters in question.

VentureBeat notes that the Chrome crash doesn't happen every time. In some cases, when Chrome renders the text differently, Mac users see 13 blank rectangles (????? ??? ?????) instead of the crash, though they never see the proper characters.

It's currently not known why these characters cause a Chrome tab to crash during page rendering, but we recommend that you do not use these characters while tweeting, or drop them in comments, or email them to the entire company, or post them to Facebook or as the headline of your blog post.

If you are curious just how often and why your Chrome is crashing, you can type chrome://crashes into your location bar and press Enter to view the list of crashes.

Source
A Firefox (>34) extension that breaks rotld.ro's audio CAPTCHA, with 100% accuracy.

Flawed implementation

RoTLD's audio CAPTCHAs are composed of 6 characters, in the a-f0-9 range. Each character is concatenated to the audio file, along with a header ("your captcha code is") and a random amount of white noise between the characters.

The major flaw is that the header, noise and characters are binary concatenated to the file (i.e. cat header.mp3 a.mp3 1.mp3 6.mp3 noise.mp3 d.mp3 b.mp3 f.mp3 > output.mp3), without resynthesizing the output. One can do a simple binary search for signatures and find the CAPTCHA code.

Installation

You can install by dragging the latest rotld_captcha.xpi file to your add-on page.

Source: https://github.com/vladc/RoTLD-Captcha
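
For anyone maintaining an audio CAPTCHA generator, the flaw described above can be turned into a regression check on your own output. The sketch below is an added example, not code from the RoTLD-Captcha repository: the clip data is constructed random bytes standing in for the audio files, and every function name is hypothetical. It compares byte-for-byte assembly with a toy form of resynthesis and reports which source clips survive verbatim.

```python
import random

rng = random.Random(1)  # fixed seed so the constructed data is repeatable

def rand_bytes(n):
    return bytes(rng.randrange(256) for _ in range(n))

# Constructed stand-ins for header.mp3 and the per-character clips (not real MP3 data).
HEADER = rand_bytes(128)
CLIPS = {ch: rand_bytes(64) for ch in "0123456789abcdef"}

def build_concatenated(code):
    """Weak assembly: header, noise and clips joined byte-for-byte."""
    out = bytearray(HEADER)
    for ch in code:
        out += rand_bytes(rng.randrange(16, 48)) + CLIPS[ch]
    return bytes(out)

def build_remixed(code):
    """Toy resynthesis: treat bytes as 8-bit samples and mix noise over every one."""
    return bytes((s + rng.randrange(1, 8)) % 256 for s in build_concatenated(code))

def leaked_clips(output, clips=CLIPS):
    """Return sorted (offset, char) pairs for each clip found verbatim in output."""
    hits = []
    for ch, sig in clips.items():
        pos = output.find(sig)
        while pos != -1:
            hits.append((pos, ch))
            pos = output.find(sig, pos + 1)
    return sorted(hits)

def leaked_code(output):
    """Characters whose clips survived intact, in playback order."""
    return "".join(ch for _, ch in leaked_clips(output))

if __name__ == "__main__":
    sample = "a16dbf"  # the code from the cat example above
    print("concatenated:", leaked_code(build_concatenated(sample)))
    print("remixed:     ", leaked_code(build_remixed(sample)) or "(nothing)")
```

A generator's test suite would assert that leaked_clips() returns an empty list for every file it emits. The remix here only models the idea; in a real pipeline it corresponds to decoding the clips, mixing them as one signal and re-encoding the result.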