Warning: session_start(): open(/tmp/sess_silu8h60jkcj86uo0bvdtca5t6, O_RDWR) failed: Disk quota exceeded (122) in /home/buysella/public_html/wp-content/themes/boombox/includes/rate-and-vote-restrictions/vote/class-boombox-vote-restriction.php on line 193

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/buysella/public_html/wp-content/themes/boombox/includes/rate-and-vote-restrictions/vote/class-boombox-vote-restriction.php:193) in /home/buysella/public_html/wp-content/themes/boombox/includes/rate-and-vote-restrictions/vote/class-boombox-vote-restriction.php on line 193

Warning: session_write_close(): open(/tmp/sess_silu8h60jkcj86uo0bvdtca5t6, O_RDWR) failed: Disk quota exceeded (122) in /home/buysella/public_html/wp-content/themes/boombox/includes/rate-and-vote-restrictions/vote/class-boombox-vote-restriction.php on line 196

Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in /home/buysella/public_html/wp-content/themes/boombox/includes/rate-and-vote-restrictions/vote/class-boombox-vote-restriction.php on line 196
Hackers can seize practically all your online accounts, and it's your voicemail's fault – Viral Trends

Hackers can seize practically all your online accounts, and it's your voicemail's fault



Who would have thought that, in the end, it would be the humble voicemail that would do us all in?

Your Google, Microsoft, Apple, WhatsApp, and even Signal accounts all have an Achilles’ heel — the same one, in fact. And it turns out that if you’re not careful, a hacker could use that weakness to take over your online identity. 

Or so claims self-described “security geek” Martin Vigo. Speaking to an enthusiastic collection of hackers and security researchers at the annual DEF CON convention in Las Vegas, Vigo explained how he managed to reset passwords for a wide-ranging set of online accounts by taking advantage of the weakest link in the security chain: your voicemail.

You see, he explained to the crowd, when requesting a password reset on services like WhatsApp, you have the option of requesting that you receive a call with the reset code. If you happen to miss the phone call, the automated service will leave a message with the code.  

But what if it wasn’t you trying to reset your password, but a hacker? And what if that hacker also had access to your voicemail?

Here’s the thing: Vigo wrote an automated script that can almost effortlessly bruteforce most voicemail passwords without the phone’s owner ever knowing. With that access, you could get an online account’s password reset code and, consequently, control of the account itself.

Vigo, letting us know we should probably all disable our voicemails.

Image: Jack MOrse/mashable

And no, your two-factor authentication won’t stop a hacker from resetting your password. 

One of Vigo’s slides laid out the basic structure of the attack:

1. Bruteforce voicemail system, ideally using backdoor numbers

2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR)

3. Start password reset process using “Call me” feature

4. Listen to the recorded message containing the secret code

5. Profit!

A recorded demo he played on stage showed a variation of this attack on a PayPal account. 

“In three, two, one, boom — there it is,” Vigo said to audience applause. “We just compromised PayPal.”

Https%3a%2f%2fvdist.aws.mashable.com%2fcms%2f2018%2f8%2f0cebc2c6 b866 fad5%2fthumb%2f00001

Vigo was careful to note that he responsibly disclosed the vulnerabilities to the affected companies, but got a less than satisfactory response from many. He plans to post a modified version of his code to Github on Monday. 

Notably, he reassures us that he altered the code so that researchers can verify that it works, but also so that script kiddies won’t be able to start resetting passwords left and right. 

So, now that we know this threat exists, what can we do to protect ourselves? Vigo, thankfully, has a few suggestions. 

First and foremost, disable your voicemail. If you can’t do that for whatever reason, use the longest possible PIN code that is also random. Next, try not to provide your phone number to online services unless you absolutely have to for 2FA. In general, try to use authenticator apps over SMS-based 2FA.

But, really, the most effective of those options is shutting your voicemail down completely. Which, and let’s be honest here, you’ve likely been looking for a reason to do anyway. You can thank Vigo for providing you with the excuse. 

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f85091%2fa32d7063 b4aa 45e5 8762 30703ada18bd



Source link

Your reaction?
Cute Cute
0
Cute
Fail Fail
0
Fail
Geeky Geeky
0
Geeky
Lol Lol
0
Lol
Love Love
0
Love
Omg Omg
0
Omg
Win Win
0
Win
Wtf Wtf
0
Wtf

Leave a Reply

Your email address will not be published. Required fields are marked *

log in

reset password

Back to
log in