9/15/2023 0 Comments
Cookie log roblox

So, I've had a bit of a boost in confidence with 2FA, and I decided to test how much more secure we are now because of it. Turns out, not a whole lot, because one of the main attack vectors is still completely open.

Basically, the testing went as follows: I enabled 2FA on my account, changed my password, and asked her to log in with that password. I received an email, and she wasn't allowed in. Then I went into EditThisCookie and sent her the contents of my ROBLOSECURITY - which is one of the main attack vectors for account stealing, mind you - and after less than a minute she was logged in as me, completely bypassing 2FA and any other security measures in place on my account.

Considering how easy it is for people to gain access to this cookie, I feel like we're back to square one with account security. The point is, if you can manage to get the cookie contents (as people have been doing for the longest time!), you can still get into someone's account regardless of two-factor authentication. There aren't any measures in place to make sure that the cookie is bound to a computer or even a network. Why isn't there a hash of the MAC or IP address in the cookie that prevents people from using it to get into accounts? What other measures can we take so that even if our cookie gets out, our accounts are still safe? We're just as vulnerable as we've always been, even now that 2FA has finally been released.

Finally, a little disclaimer: I was fully aware of the risks of giving out my cookie, and I wouldn't have given it to anyone else. I knew I could trust her, and I've made sure my account is secure again after we tested this.

My website uses the exact same system as ROBLOX; however, here's where I fixed this issue. You're now technically logged in as me, cool. The website checks if your IP is in your list of used IPs (Roblox keeps a list of used IPs, as I do). If you have never used that IP with that account before, the account is locked, and the user will encounter a "Verify Your Password" page. They must enter their password in order to gain access, at which point the IP will be appended to the user's IP list. This means that if you log in with my cookie, and your IP has never used my account, you will encounter a "Verify Your Password" page before you have access to the account. I imagine ROBLOX could implement a similar system as mine.