this post was submitted on 05 Jul 2024
734 points (99.1% liked)

Technology

59446 readers
4775 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] kitnaht@lemmy.world 150 points 4 months ago (3 children)

'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

[–] just_another_person@lemmy.world 175 points 4 months ago (24 children)

Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.

[–] kitnaht@lemmy.world 30 points 4 months ago* (last edited 4 months ago) (9 children)

Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.

It's the difference between finding an angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn't (SQL injections, etc) -- the other is using the system exactly as it was programmed.

Downloading videos from YouTube isn't "Hacking" YouTube. Even though it's using the API in a way it wasn't intended. Right-clicking a webpage and viewing the source code isn't hacking - even if the website you're looking at doesn't want you looking at the source.

[–] dezmd@lemmy.world 15 points 4 months ago (2 children)

Exploiting is hacking, quit being pedantic.

[–] Cornelius_Wangenheim@lemmy.world 36 points 4 months ago* (last edited 4 months ago)

That's what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn't be able to do.
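The exchange above turns on an endpoint that answered unauthenticated lookups with no rate limit. As an added example that is not part of the thread or of any Authy/Twilio code, this is the kind of per-client sliding-window limiter plus enumeration-neutral response a defender would put in front of such an endpoint; the handler, registry and client addresses are constructed for the illustration.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Keeps request timestamps per client key and rejects once a window is full."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = {}  # client key -> deque of request timestamps

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


# Hypothetical phone-number lookup endpoint (constructed, not any real API).
REGISTERED = {"+15555550100"}  # constructed sample data


def lookup_handler(limiter, client_ip, phone, now=None):
    """Returns (status, body). 429 once the client exceeds its window."""
    if not limiter.allow(client_ip, now):
        return (429, "rate limited")
    # Same answer whether or not the number exists, so even a permitted request
    # does not reveal which numbers are registered.
    _ = phone in REGISTERED
    return (200, "if this number is registered, a message has been sent")


def simulate_burst(phones, max_requests=5, window=60.0, client_ip="198.51.100.7"):
    """Replays a burst of lookups from one client; returns (accepted, rejected)."""
    limiter = SlidingWindowLimiter(max_requests, window)
    accepted = rejected = 0
    for i, phone in enumerate(phones):
        status, _ = lookup_handler(limiter, client_ip, phone, now=float(i) * 0.1)
        if status == 200:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected
```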

[–] Scrollone@feddit.it 109 points 4 months ago (4 children)

Companies need to stop using Authy. It's stupid and pointless when we have an open alternative such as the one used by Google Authenticator or Aegis.

[–] TheEighthDoctor@lemmy.world 43 points 4 months ago (6 children)

I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.

[–] Lem453@lemmy.ca 49 points 4 months ago (1 children)

Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.

If you want to get fancy, set up your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.

[–] dev_null@lemmy.ml 13 points 4 months ago (2 children)

GA now backs up your codes in your Google account, so this doesn't happen anymore.

[–] iamericandre@lemmy.world 21 points 4 months ago

Call my job and tell them this please. I have to use this shite everyday and it sucks.

[–] lazynooblet@lazysoci.al 17 points 4 months ago

I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.

I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.
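The comment above says most Authy usage ran on the open TOTP protocol. As an added example (not from the thread, and not Authy's or Google's code), this is that protocol as RFC 4226 HOTP and RFC 6238 TOTP in the standard library, including the base32 seed form authenticator apps import and a server-side verifier that compares in constant time; the checks use the RFC's published test seed.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, t // step, digits)


def totp_from_base32(secret_b32, at_time=None, digits=6):
    """Authenticator apps store the seed base32-encoded (otpauth:// URIs); decode it."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that QR/URI forms usually omit
    return totp(base64.b32decode(s), at_time, digits=digits)


def verify(secret, code, at_time, step=30, digits=6, skew=1):
    """Server side: accept the current step and +/- skew neighbours for clock drift."""
    t = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, t + d, digits), code)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test seed (ASCII "12345678901234567890"), not a real account secret.
    seed = b"12345678901234567890"
    print(totp(seed), verify(seed, totp(seed), time.time()))
```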

[–] CombatWombat1212@lemmy.ml 69 points 4 months ago (1 children)
[–] Mr_Dr_Oink@lemmy.world 34 points 4 months ago (2 children)

Wow, it's literally the shazam logo, flipped horizontally and red.

Wonder who got paid to make that logo?

[–] ugjka@lemmy.world 67 points 4 months ago (9 children)

I realized a long time ago that I don't want my 2FA to be tied to my phone number. And then I found you can't export your data from Authy because they know they are scummy fucks and don't want anyone to leave

[–] maryjayjay@lemmy.world 11 points 4 months ago* (last edited 4 months ago) (3 children)

You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file

[–] todd_bonzalez@lemm.ee 9 points 4 months ago (4 children)

People keep acting like Authy is betraying them by not having an export feature, but why exactly are you leaving Authy to begin with? Because they are a security risk?

You're gonna leave Authy a copy of your seeds? That defeats the purpose.

Re-key your MFA codes on the way out. Security isn't necessarily convenient.

[–] net00@lemm.ee 28 points 4 months ago (17 children)

Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?

Unfortunately I can't use aegis on iOS/windows, does keepass have this functionality?

[–] CaptPretentious@lemmy.world 28 points 4 months ago (3 children)

Bitwarden would be my vote

[–] riplin@lemm.ee 10 points 4 months ago

I’ve been running a self-hosted Vaultwarden server with Bitwarden clients. It’s been perfect. The clients could use some usability work, but other than that, no complaints.

[–] kahdbrixk@feddit.de 10 points 4 months ago (2 children)

Just out of curiosity: is it wise to keep your MFA within your password safe? Like is that not the opposite of multi factor? I'm no troll, I'm seriously uninformed.

[–] AProfessional@lemmy.world 10 points 4 months ago* (last edited 4 months ago)

Realistically the threat we care about is others leaking your password. So it doesn't matter.

If you have a setup where your password vault is at risk then yes it’s a bad idea.

[–] foremanguy92_@lemmy.ml 18 points 4 months ago
[–] snek_boi@lemmy.ml 17 points 4 months ago (1 children)

These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.

[–] lud@lemm.ee 7 points 4 months ago (3 children)

Don't synced solutions completely defeat the purpose of MFA?

[–] JasonDJ@lemmy.zip 12 points 4 months ago* (last edited 4 months ago)

Not if you protect the master key with MFA, like a yubikey. Then it's cryptographically secure for quite a while, at least until quantum computing is affordable enough to be used against your data. Or the database and your yubikey and your passphrase are compromised

[–] Veraxus@lemmy.world 8 points 4 months ago

Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.

[–] Natanael@slrpnk.net 8 points 4 months ago (1 children)

Most KeePass clones have it now, I use Keepass2Android plus KeePassX on PC

[–] padge@lemmy.zip 8 points 4 months ago* (last edited 4 months ago) (2 children)

I like 1Password's built in MFA support, if it's a really sensitive account I use Google Authenticator because I haven't bothered researching a better local alternative

Edit: Going to try Aegis for the more sensitive logins, looks like what I'm looking for

[–] mobsenpai@lemmy.world 25 points 4 months ago

lol. I am glad I became privacy conscious before this happened.

[–] snailfact@infosec.pub 24 points 4 months ago (1 children)
[–] Interstellar_1@lemmy.blahaj.zone 23 points 4 months ago
[–] FlavoredButtHair@lemmy.world 21 points 4 months ago (6 children)

Deleted my Authy account, thankfully I only had Indeed and Humble Bundle attached.

[–] 9point6@lemmy.world 18 points 4 months ago* (last edited 4 months ago) (13 children)

Does anyone have a suggested alternative for authy? (Please read the whole post before responding)

I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:

Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.

At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.

I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

Edit: added emphasis

[–] beerclue@lemmy.world 36 points 4 months ago (5 children)

I use Aegis, which I periodically back up manually off phone.

[–] ikidd@lemmy.world 11 points 4 months ago (9 children)

Bitwarden has 2FA built in, and you can host it yourself if you want.

[–] Matth78@lemm.ee 10 points 4 months ago* (last edited 4 months ago) (12 children)

Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis

[–] Mio@feddit.nu 14 points 4 months ago (1 children)

I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I have 100% control of it.

Any online password manager is in my opinion stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.

[–] narc0tic_bird@lemm.ee 14 points 4 months ago (1 children)

Why does it require a phone number to use?!

[–] Wispy2891@lemmy.world 18 points 4 months ago (4 children)

They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.

Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack

[–] ___@lemm.ee 12 points 4 months ago (1 children)

Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.

[–] AlexanderESmith@social.alexanderesmith.com 10 points 4 months ago* (last edited 4 months ago) (3 children)

Stop. Trusting. Cloud/SAAS. Security. Apps.

Don't give them your passwords and private keys, because you can never know if they're being stored responsibly, or who has access to them.

Don't give them your personal details, they don't care about protecting user anonymity.

Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create ~~honeypots~~ catnip for hackers, and making you pay them for the privilege of being an easy target.

Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.

[–] 9point6@lemmy.world 11 points 4 months ago (4 children)

"What if I lose my phone?"

I've referenced this scenario in a comment elsewhere in the thread. You've missed the problem in your solution.

A backup is useless if I can't access it when I need to. In the scenario where I'm far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.

This is a real scenario that doesn't seem covered by most options and people seem to keep glossing over it (And before anyone says that's not likely, I've been in that exact scenario before)
