Defender is excellent, but its only Achilles heel is that it relies heavily on the cloud intelligence. If the endpoint gets a virus when not connected to the internet (say, using a USB key on a plane) then Defender is basically the world's stupidest antivirus. This has been tested extensively by the PC security channel and by others. Of course, it's a rare scenario for most users, but it's still important to consider.
And the bad guys obviously test their virus with Defender to make sure it doesn't get detected, because Defender is what almost everyone uses. Sure, it might get detected later, but if you distribute that virus via email a lot of people are going to open it within a short timeframe. I'm still convinced that the only really effective measure is to quarantine most attachments (except non-risky files like PDFs) with a mail gateway and have an IT person look at it before it gets delivered to the end user.
It's easy to disable too and the first thing malware targets
@@RichardPhillips1066 that's not just a Defender issue; most halfway decent attackers can bypass the common antivirus/malware products.
Defender is useless on anything other than Win11. On Win10 the malware can just add itself to the exclusions using the registry, which does not even require admin privileges. Additionally, Defender lacks tons of features compared to other solutions, like preventing credential dumping from LSASS. This can be tuned in ASR, but good luck with BSODs.
Why, when you hit sign out, did it not delete that token?
Yeah I was wondering that too. What does sign out actually do if it doesn't invalidate the token?
It's a common web app weakness; OWASP even has its own testing instructions for validating that the server-side session state is invalidated (WSTG-SESS-06).
@@skasaflicit
Maybe signing out is a false sense of security.
The way I understood it, when he signed out, the token was still there but the username & password access had no ability to get into the page.
I have a workflow where, at least for some admin work, I'll spin up the Windows Sandbox, do the work, and close it off. There are things that won't work in that flow, but it's a useful one to try and see where you can make use of it.
This is awesome, spreading the knowledge to the tech community to inform, educate and help implement best practice solutions to mitigate risk. Looks like Linus TT needs to make use of your services to review their systems, a collaborative video perhaps. Great work. Sorry, I just have to move the mice around so I looked like a 1337 hacker dude. Most of the industry experts already moved on to being against saving passwords, with daily image restore on all their machines.... Sessions were killed with a cookie delete addon on Firefox.
Logging in is fucking annoying; that's why the most crucial software that might hold the credentials is on a 15 min timer, while every other login is permanent... except for cookies, which are allowed 2 hours..
Every morning IT loads an image onto our computers; every morning+1 minute, every hour, a script makes sure nobody is that dumb.
Hi, is this possible with all sites, like for example Office 365?
Why does this channel not have more subscribers? Great content, keep it up 👍
Seems like we need to have some kind of token authentication system (used when the associated token suddenly comes from another IP address, for example). Maybe the client's TPM could do a secure key exchange with the server at the initial sign on to be able to periodically reauthenticate and make sure that token is only being used by the originating device. It wouldn't completely eliminate the threat of a compromised device, but all attacks would have to come through _that_ device and couldn't be from any random machine on the Internet.
I had a similar thought, like what if they used the session token in conjunction with a browser fingerprint. If they use the IP then even moving from mobile onto a person's wifi might mean they have to re-login, but the browser fingerprint wouldn't change as long as it's the same person on the same device using the same browser. I guess a smart crook could swipe the fingerprint though 🤷♂
No good if you are moving around, maybe mobile. Perhaps have the token linked to the browser and machine. That way it wouldn’t work on any other machine even if copied.
@@SirHackaL0t what he proposes is a 2-step procedure. Either you've got the same IP, or if that isn't the case you need to verify device identity with something that's difficult to fake, like a TPM.
That latter (fallback) step would ensure it's still working on mobile.
I'm not certain whether that 2-step process is actually beneficial tho. Perhaps it'd be better to always use the TPM; that's simpler, and harder to attack. IP-based identification is not very secure: anyone connected to the same WAN can still do the same attack. That's going to be the situation with WLAN, also many public WLANs, and also many other ISPs group large customer groups behind a single WAN these days, e.g. Starlink does that. So unless that'd make every request super slow (which is very possible) I'd avoid that.
I could see why Microsoft wanted to enforce the TPM requirement for Windows 11 before people complained about it. I've added a TPM module to my motherboards at home just to have it in case Linux can make use of it.
@@9SMTM6 I have zero first-hand knowledge of TPMs (and similar cryptographic chips) in the wild, but my understanding was that TPMs (as they are implemented today) are kind of slow, and you don't necessarily want to have more than a couple of services actively trying to use one at any given time. I might be completely mistaken. I just figured the tokens are easier to implement/manage and you'd just use cryptographic authentication as needed (depending on the specific needs of the situation).
Dang! Conceptually I understood how cookie stealing worked, but I didn’t realize how easy it was to do!
It’s a shame that the token isn’t linked to the browser. That way if it’s moved to another machine or browser then it would be invalid.
Man, this just happened to me because my dumbass downloaded something naughty. Every account I have ever signed up for was stolen. It took me a whole week of contacting every customer service for everything. Thankfully I didn't have anything on my Steam that would have been nasty. But yeah, this bypassed every 2FA I had. Ridiculous.
Recently had the same thing happen; luckily I caught it relatively early. Luckily I had 2FA on most accounts and could log out from those sessions on my phone. Still clearing some of the damage. In a weird way thankful though, real wake-up call; now everything is secured with those temp pass codes (secured on phone with biometrics) and 2FA after if possible.
I use the extension Cookie AutoDelete that deletes cookies upon leaving/changing the domain or closing a tab. I can't remember how I did this, but I put exceptions in place so it doesn't ask for my 2FA codes every time, but it does ask for my password every time I go to the sites. But now you're making me worry about trusting the extension since it has access to my cookies…
Great info! I would add that settings for session revocation are important. On our balance of convenience vs annoyance we have user sessions expire in 12 hours on O365/Azure integrated logins when using a browser, and use a PAM solution to rotate passwords/keys for priv accounts :)
Great info! Thank you. Looks like I'm going down another rabbit hole for security 😆
Got my Facebook account hacked yesterday. I was able to recover it & now I'm doing my research on how to stay safe, thank you Lawrence!
Why can't that token be associated with that browser on that device?
So that if it leaves that browser and/or that device it will fail?
As part of the login process the server can profile the browser and set the token, but that profile is being stored as a cookie on that browser, so when you copy it to another system it matches the profile.
Google saves the login if you click remember me
PLS HELP
I opened a virus file and all my accounts are getting compromised without email or 2FA warnings. I'm guessing it's the tokens. But how do I actually save myself? Do I just wait? How can I reset tokens? I'm talking everything on Chrome.
Keep up the great work
I've opted not to even keep cookies in my browsers. There's no point for me to have a session active if I'm not actively on the page. Leaves you open for attack.
Thanks Tom. Again easy to understand and great commentary.
Tom, this was a great video. The tips at the end really help and the last tip changed my mind.
Glad it was helpful!
Luke brought up something during the WAN Show livestream that is a good wake-up call: why are most OAuth systems not doing any validation on the source of the request, such as a change of country, etc.?
You missed the part where they mentioned that the attacker used a VPN so the calls were made in his region.
@@CottonInDerTube no I didn't
@@ralmslb Well then you would know that an attacker just uses a VPN and chooses the target country - which (what?) they did.
@@CottonInDerTube and you are assuming all attackers do; I'm talking in a general sense, the LTT attack was clearly targeted. You can't stop all social engineering attacks, etc.; however, the more barriers you add, the harder it is for an attacker, which might protect the small guys.
Could web browsers not encrypt their offline storage on disk? Though I suppose that would involve the user having to enter a passphrase or something when it was launched.
Even so, it would be a nice option to have.
I don't get it, why can anything on the system just read the browser's data? Doing so should require a privilege elevation prompt, or a browser/system exploit, to access.
Not anything, but anything operating at your user level or higher.
This is awesome, spreading the knowledge to the tech community to inform, educate and help implement best practice solutions to mitigate risk. Looks like Linus TT needs to make use of your services to review their systems, a collaborative video perhaps. Great work.
What about using a VPN, does this add any security? Can they steal tokens if you login from an iPhone? Do apps also have session tokens?
VPN doesn't make a difference and this works in a similar way but not quite the same way on phone apps.
This is really only a "surface" look on this whole matter, since a theoretical attack would be from another IP entirely with the same token. I'm more interested in how this would behave if you were to suddenly have another IP, potentially from the same country via a VPN tho, and if platforms like Google, Twitter and Co. would recognize this sudden weird change.
I never stay logged in to admin accounts and encourage others to do the same.
What's going on with the background computer?
It's a Linux package called hollywood.
Sorry if this is a noob question: is OAuth vulnerable in the same way? Let's say I'm not staying logged in in my browser, but in my mail program like Outlook / Thunderbird.
In a similar way, as it would still set the tokens.
@@LAWRENCESYSTEMS thanks, and so this means encryption for laptops is really a must do….
Great Video!
Wtf was this.
Would something like Azure AD Conditional Access be used to mitigate this by only allowing certain public IPs to login, or by using an Intune device, or do these Conditional Access rules only kick in during authentication, and once a token is assigned it can bypass Conditional Access?
Using Azure AD conditional access is a good idea to help mitigate this issue.
You need to use a special Conditional Access policy called "Token Protection" which will continuously check for a binding between the token and the device (or an IP address) for each request to certain M365 services. This CA policy is in preview atm and will only be available for Entra P2 licences when it goes GA
Been thinking about this: how about keeping (groups of) logins separate using Chrome profiles? Say a profile for work, one for shopping, etc... (I am already half doing this to keep Microsoft work/private accounts separate). Any drawbacks to this?
Good video, cheers.
The stealer malware reads the cookies from the profile files (and technically this is easier if it's an idle profile). The only thing which might help here is using a master password. (And Google could have implemented token binding, but they chose to remove it 5 years ago, at the moment they had standardized it.)
@@berndeckenfels Ah, so that's actually a bad idea. Thanks for clarifying. Don't do that; use incognito mode.
I do this with Firefox. Mostly so that I don't have 25 Firefox windows open with 100+ tabs in each. I open the profile I need for whatever I'm doing and close it when I'm done with it.
What might work (for Firefox, at least) would be running in private browsing mode (That's, "incognito," for Chrome? Which I refuse to use. "Don't be ev... You know what? Never mind. We're goin' evil.") for anything you're putting a password in for like devices on your LAN.
Do the token stealers really look for multiple profiles? I suppose they might since people often share a computer.
If you're asking me, the summary is that he was letting a bunch of other Windows users login as him with his two-factor authentication. That's the recipe right there.
Admins can also just straight up block file extensions from ever reaching a client's email.
Can't take anyone seriously with similar BS going on a monitor in the background.
It's a Linux package called hollywood, you don't like it? Is a blank screen preferred?
@@LAWRENCESYSTEMS Something as simple as your logo would have been a lot more professional. You could display a lot of things, but this just looks silly, belongs to some script-kiddie & hacker-wannabe tailored channel among anonymous masks and other foolery.
So, yes, even a blank screen would have been better than this.
Problem: they are probably going to steal the cookie while you're signed in?
I was super annoyed about this; what's the point in 2FA with exploits like this?
VirusTotal does not work on 100 MB or 200 MB files; look at the file size limits. They pad the files with 0000000000000000000 like this to increase the size, so VirusTotal is useless until they increase the limit.
Does using Firefox multi-container help mitigate stuff like that?
windows===poop
VirusTotal doesn't catch malware downloading from third party or persistent software; however, this guy is spot on and super good, ty.
Ugh, broken logout… should delete the token of course (and also not list them).
I wonder why RUclips or other web sites do not validate session tokens with something else like IP addresses? And then revalidate if it does not match within a given time period. I'm not blaming the website only, the user has some responsibility as well, but both should play their part.
Browser remote control Trojans.
IPs change. Example: Outlook logged into Exchange on your phone. Your phone roams from wifi to wifi to LTE.
Maybe link to browser id for that machine. Then it wouldn’t work on any other machine.
The point is, in today's world, why are they relying on a single authentication interaction, especially when they tell us we should be following zero trust principles.
I use Linux. Email is logged out after a set time.
But how does this apply to Google and RUclips?
I have checked my gmail session and it doesn't have that cookie named "token".
I used XCP-NG because there is just the one token, named "token". Google uses a few more, which would have made the demo more complicated for the demonstration, but trust me, it works the same.
Can't Google make a sandbox app or an add-on that isolates your browser from your system so your system can't copy your token directly?
Also, I just moved country with my PC and my Google account did not log out. Google just assumes I'm using a VPN. However, I never used a VPN from this country, so this should be very sus and log me out.
Google has a product which protects your system from malware like the virus in the LTT example. Chromebooks are impervious to system-level malware because their system files are read-only. Same thing with some other versions of Linux and, I believe, recent versions of macOS.
Nice info and cool glasses 😎
Thank you so much for this video. May I ask, if I signed out of an account then re-signed in again, will the saved session token for this site in the browser be refreshed with a new one? TIA
Yes
Would windows encryption on the folders containing Cookies prevent this?
No as they need to be decrypted in order for the browser to use them.
Loving the new intro Tom!
Convenient = Insecure
What about turning off saving session cookies in the browser? I think I've seen that.
You could do that, or just use incognito windows that clear all that out when you close things.
Could you do a video showing this on macOS, or explaining why it wouldn't work?
It works the same on Mac/Windows/Linux
Forgive me if this is ignorant, but can't these SaaS services implement a rule that automatically invalidates a session token if the IP location or browser ID changes?
They could, but this comes back to security / convenience discussion. Forcing log in each time would work, but it would be annoying.
The problem is that they are using cookies for tokens. Saving a token plainly in a cookie is almost equivalent to making it public. For example you can have a browser plugin that encrypts it on storage, or browsers can make this a feature.
I would never have imagined something so simple and easy to dupe would be the backbone of internet security. Thank you for spreading awareness.
I'd run a VM just for advertising email traffic, maybe go a step further and VLAN the NIC interface for only WAN access if I'm feeling extra tinfoil-hattish
RUclips could fix the issue today by restricting session tokens to specific IP/MAC addresses.
You obviously don’t know what you are talking about.
Or do explain to us how the MAC addresses work in a local network, behind a router and then on the Internet…
@@pepeshopping ?
MAC is just for the local network the system is attached to. Google balances the changing of IPs vs the inconvenience of forcing people to log in all the time.
@@LAWRENCESYSTEMS MAC addresses are still unique enough for the solution to work.
Oh yeah, “trust your browser password manager”.
I wouldn’t as there is no master password and it is TRIVIAL to extract them once the bad guys have access to the system!
But let’s remember those words in 6-9 months.
I am pretty sure he meant to use a browser extension for your password manager of choice.
Cookies are NOT stored in pw managers.
The server "tells" the browser to store a cookie. Browser does this.
A pw manager stores the login credentials to be ABLE to login and receive a cookie.
Not all browsers do that. Actually, I believe the only browser I know that does that by default is Firefox.
Chrom(ium) uses the system keychain on Linux, and I believe it asks you to set a PW on Windows - could misremember that tho -, Safari uses Apple Keychain.
As much as I like Firefox, that's been really annoying to me when I realized that behavior. Firefox also doesn't protect against UTF-8 based "homographic" attacks, and PWA support is lacking. It's a sad world, more and more they either can't or don't want to keep up.
Cmon! Not so fast!
Of course this works so easily as the fake login came from the SAME machine / IP address!
Now go try the same from a machine behind a DIFFERENT IP address!
REGARDLESS, once you have an intruder in your network, we know your security was not the best, and it also means they HAVE YOU.
Many sites don't check the IP address of the token, partially because it may be a mobile or VPN user that has changed IP addresses.
@@estusflask982 you mean like changing location from the USA to, say, Ukraine in a few minutes or hours?
They can at least try!
Google does ask for verification every time I login from a new device, even on the same public IP address.