
      Attack wrangles thousands of web users into a password-cracking botnet

      news.movim.eu / ArsTechnica · Thursday, 7 March - 22:29


    Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors’ browsers to perform password-cracking attacks.

    A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

    Visitors unwittingly recruited

“This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites,” Sinegubko wrote. “And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests.”


      How worried should we be about the “AutoSpill” credential leak in Android password managers?

      news.movim.eu / ArsTechnica · Wednesday, 13 December - 15:21

    Close up of hand holding smartphone and screen applications with unlocking mobile phones. Concept of technological safety.


    By now, you’ve probably heard about a vulnerability named AutoSpill, which can leak credentials from any of the seven leading password managers for Android. The threat it poses is real, but it’s also more limited and easier to contain than much of the coverage to date has recognized.

This FAQ dives into the many nuances that make AutoSpill hard for most people (yours truly included) to understand. This post wouldn't have been possible without invaluable assistance from Alesandro Ortiz, a researcher who discovered a similar vulnerability in Chrome in 2020.

    Q: What is AutoSpill?


      Developers can’t seem to stop exposing credentials in publicly accessible code

news.movim.eu / ArsTechnica · Thursday, 16 November - 01:19


    Despite more than a decade of reminding, prodding, and downright nagging, a surprising number of developers still can’t bring themselves to keep their code free of credentials that provide the keys to their kingdoms to anyone who takes the time to look for them.

    The lapse stems from immature coding practices in which developers embed cryptographic keys, security tokens, passwords, and other forms of credentials directly into the source code they write. The credentials make it easy for the underlying program to access databases or cloud services necessary for it to work as intended. I published one such PSA in 2013 after discovering simple searches that turned up dozens of accounts that appeared to expose credentials securing computer-to-server SSH accounts. One of the credentials appeared to grant access to an account on Chromium.org, the repository that stores the source code for Google's open source browser.

    In 2015, Uber learned the hard way just how damaging the practice can be. One or more developers for the ride service had embedded a unique security key into code and then shared that code on a public GitHub page. Hackers then copied the key and used it to access an internal Uber database and, from there, steal sensitive data belonging to 50,000 Uber drivers.


      Cisco Can’t Stop Using Hard-Coded Passwords

      news.movim.eu / Schneier · Tuesday, 10 October, 2023 - 20:09

    There’s a new Cisco vulnerability in its Emergency Responder product:

    This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

    This is not the first time Cisco products have had hard-coded passwords made public. You’d think it would learn.


      WordPress plugin installed on 1 million+ sites logged plaintext passwords

      news.movim.eu / ArsTechnica · Thursday, 13 July, 2023 - 19:19


    All-In-One Security, a WordPress security plugin installed on more than 1 million websites, has issued a security update after being caught three weeks ago logging plaintext passwords and storing them in a database accessible to website admins.

The passwords were logged when users of a site using the plugin, typically abbreviated as AIOS, logged in, the developer of AIOS said Thursday. The developer said the logging was the result of a bug introduced in May in version 5.1.9. Version 5.2.0, released Thursday, fixes the bug and also “deletes the problematic data from the database.” The database was available to people with administrative access to the website.

    A major security transgression

A representative of AIOS wrote in an email that “gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent, i.e. it can be exploited by a rogue admin who can already do such things because he's an admin.”


      The Password Game will make you want to break your keyboard in the best way

news.movim.eu / ArsTechnica · Wednesday, 28 June, 2023 - 14:38

Abandon all hope, ye who choose a password here. (credit: Neal.fun/Neal Agarwal)

    I once worked at a small-town newspaper, part of a micro-chain of four publications. There was one young guy who oversaw "IT" for all four sites, and he occasionally tried to impose IT-like rules, like making us change our publication software passwords every few weeks. Did "password1234" protect our ink-stained souls, whereas "password123" would have meant doom? Who can say?

    I chafed at this occasional performative security. In a fit of pique, I decided my rotating password scheme would be the IT manager's license plate, followed by whatever I had for lunch that day. I thought myself quite clever, even if, a few months later, I forgot I had typed in "turkeyhoagie" instead of "turkeysub" earlier that new-password day, and I had to call said IT manager for a reset. I have no idea if he saw my password before he provided the replacement. I still felt clever, even in defeat.

"Clever, yet defeated" came rushing back to me as I marched through The Password Game, a web-based text box of tears from Neal Agarwal. The game has been trending its way through social media since its official release yesterday, and understandably so. We only get so many of these "Pure enjoyment on the web" moments each year, so I recommend you avail yourself of it as soon as you can.


      Microsoft is scanning the inside of password-protected zip files for malware

      news.movim.eu / ArsTechnica · Tuesday, 16 May, 2023 - 00:15

    Black and white close up of sinister-looking male eyes looking suspiciously through the slats of a closed venetian blind. Could be a criminal or a stalker or a watchful home owner.


    Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.

    Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected zip files in Microsoft cloud environments is well known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file that had been protected with the password “infected.”


      Passkeys may not be for you, but they are safe and easy—here’s why

      news.movim.eu / ArsTechnica · Friday, 12 May, 2023 - 20:43


    My recent feature on passkeys attracted significant interest, and a number of the 1,100+ comments raised questions about how the passkey system actually works and if it can be trusted. In response, I've put together this list of frequently asked questions to dispel a few myths and shed some light on what we know—and don't know—about passkeys.

    Q: I don’t trust Google. Why should I use passkeys?

    A: If you don’t use Google, then Google passkeys aren’t for you. If you don’t use Apple or Microsoft products, the situation is similar. The original article was aimed at the hundreds of millions of people who do use these major platforms (even if grudgingly).


      Passwordless Google accounts are easier and more secure than passwords. Here’s why.

news.movim.eu / ArsTechnica · Monday, 8 May, 2023 - 13:50


By now, you’ve likely heard that passwordless Google accounts have finally arrived. The replacement for passwords is known as "passkeys."

    There are many misconceptions about passkeys, both in terms of their usability and the security and privacy benefits they offer compared with current authentication methods. That’s not surprising, given that passwords have been in use for the past 60 years, and passkeys are so new. The long and short of it is that with a few minutes of training, passkeys are easier to use than passwords, and in a matter of months—once a dozen or so industry partners finish rolling out the remaining pieces—using passkeys will be easier still. Passkeys are also vastly more secure and privacy-preserving than passwords, for reasons I'll explain later.

    This article provides a primer to get people started with Google's implementation of passkeys and explains the technical underpinnings that make them a much easier and more effective way to protect against account takeovers. A handful of smaller sites—specifically, PayPal, Instacart, Best Buy, Kayak, Robinhood, Shop Pay, and Cardpointers—have rolled out various options for logging in with passkeys, but those choices are more proofs of concept than working solutions. Google is the first major online service to make passkeys available, and its offering is refined and comprehensive enough that I’m recommending people turn them on today.
