Kindred Security Newsletter

Security Newsletter

11 February 2019

New Chrome extension warns users their login credentials have been breached

February 5, on Safer Internet Day, Google launched a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach.

While Google already resets passwords of user accounts who might have been affected by third-party breaches as part of an effort to limit the potential security impact on its users' accounts, this feature is limited only to Google accounts.

The new service, which has initially been made available as a free Chrome browser extension called Password Checkup, works by automatically comparing the user's entered credential on any site to an encrypted database that contains over 4 billion compromised credentials. If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password.

Wondering if Google can see your login credentials? No, the company has used a privacy-oriented implementation that keeps all your information private and anonymous by encrypting your credentials before checking them against its online database.

Moreover, it is not yet another "weak password warning tool" that alerts users whenever they use a commonly used or easily crackable password for any website. "We designed Password Checkup only to alert you when all of the information necessary to access your account has fallen into the hands of an attacker," Google says.

Google is not the first one to provide this kind of service. Mozilla introduced their Firefox Monitor platform on September 25, 2018, a service which uses Troy Hunt’s "Have I Been Pwned" database of email addresses affected by data breaches. The difference between Google's Password Checkup and Firefox Monitor is that the latter will notify you of a breach that contained your email if the website has been breached during the past 12 months. Therefore, you will not know your account has been part of a breach until you visit the affected website.

Read More on ZDNet

Researcher Declines to Share macOS Keychain Exploit with Apple as There is No BugBounty

Security researcher Linus Henze demoed a zero-day macOS exploit impacting the Keychain password management system which can store passwords for applications, servers, and websites, as well as sensitive information related to banking accounts.

The vulnerability found by Henze in Apple's macOS operating system last week is present "in the keychain's access control" and it could allow a potential attacker to steal Keychain passwords from any local user account on the Mac, without the need of admin privileges nor the keychain master password. According to the researcher, the zero-day he found works "as long as the keychain is unlocked (which it usually is as long as you’re logged in), except for the System keychain - containing WiFi passwords etc. - which may be locked."

WNo fix is expected anytime soon. The researcher, Linus Henze, says he’s not sharing details with Apple – and yes, the company asked – in protest of the company’s invite-only/iOS-only bounties. "I won’t release this. The reason is simple: Apple still has no bug bounty program (for macOS), so blame them." The bug affects even the most recent MacOS, Mojave.