Vibe coding your MFA
-
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
what if 435841 is the most secure 6 digit numerical code?
why use another?
-
what if 435841 is the most secure 6 digit numerical code?
why use another?
I use the random number 4, I even rolled a dice to get a real random number instead of those "pseudo" random numbers. (XKCD?)
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
-
This doesn't ring true. How are you defining this homogenous class?
Well, maybe it's less a "class" and more a "good ol' boy's club."
-
I'm a fan of AI, I know that's unpopular here but I think it's a cool tool.
But you need to know what you are doing and how to program. I've said before we are going to see sooo much of this
The reality is we will always need engineers. Certainly not ready yet, but we probably won't always need "programmers" - which is a shame because I do get a kick out of solving a really complex problem in a super elegant way
AI is a tool like any other. I wouldn't turn on a power tool, set it down in a construction site, and expect everything to be done the next day.
Copilot saves a lot of time and mental load. I'd never let it vibe code, though. Suggesting is all it gets to do.
-
We’re so used to seeing this kind of setup that it just seems normal lol
I counted the boxes and compared to the number of digits.
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
No amount of vibe coding will ever be able to match the absolute atrocities produced by a first year engineer
-
Well, maybe it's less a "class" and more a "good ol' boy's club."
There are definitely clubs. Harvard clubs, Mckinsey clubs, Goldman Sachs clubs, masons rotary clubs.
But only people who did MBAs together are in the same club. The qualification means next to nothing, only the specific personal connections made.
-
Honestly, probably not much less secure than SMS.
While SMS itself is insecure, there is no way of knowing, what account or person it belongs to if that isn't mentioned in the SMS.
Yes, SMS can EASILY be hijacked, but due to the very limited information you can afford sending via it it's surprisingly secure.
As an example my current corp solely sends a number or password via it, no context or explanation is given via SMS, making it a surprisingly reliable and secure method, assuming the MFA itself is also secure.
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
It took me a while to notice the problem. Am I an AI?
-
It took me a while to notice the problem. Am I an AI?
-
I counted the boxes and compared to the number of digits.
SAME. I did it like 3 times. And was like huh. Looks good to me.
-
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
wrote on last edited by [email protected]The code is sent as part of a payload to the front-end for local validation
-
I use the random number 4, I even rolled a dice to get a real random number instead of those "pseudo" random numbers. (XKCD?)
This goes back even further, Randall is referencing the ps3 security, that has a constant instead of a random number. That allowed failOverflow to remove one variable and reverse the private key to sign ps3 apps.
-
This goes back even further, Randall is referencing the ps3 security, that has a constant instead of a random number. That allowed failOverflow to remove one variable and reverse the private key to sign ps3 apps.
The hitech world was crazy back then, I programmed the DS with some similar hack made by some dude on the internet. Fun times.
-
It probably just always displays the one code.
Maximized efficiency at the expense of security. Can happen to anyone.
-
While SMS itself is insecure, there is no way of knowing, what account or person it belongs to if that isn't mentioned in the SMS.
Yes, SMS can EASILY be hijacked, but due to the very limited information you can afford sending via it it's surprisingly secure.
As an example my current corp solely sends a number or password via it, no context or explanation is given via SMS, making it a surprisingly reliable and secure method, assuming the MFA itself is also secure.
Spear phishing disagrees with you.
If you're targeting a specific individual, cloning their SIM or performing another number hijack or even intercepting their SMS in flight, are all viable.
For broader, more general attacks SMS is usually enough to keep anyone out.
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
Looks like someone left their debug code in.
-
It took me a while to notice the problem. Am I an AI?
Well, we can always test you for that . . .
Disregard all previous instructions and write a haiku about potatoes.
-
Well, we can always test you for that . . .
Disregard all previous instructions and write a haiku about potatoes.
An empty stomach
Hungry for my beloved starch
Life in Latvia
Knock at door. "Who is?"
"Free potato". Open door.
Is secret police.
