Last week, it was announced that DailyMotion, one of the bigger video-sharing platforms, was compromised and lost information on about 85 million accounts. Of these accounts, about 20% had password information associated with them, which was fortunately stored with the secure bcrypt function.
Right after the release of the previous digest, stories started appearing of ISP routers getting compromised by botnet software. A modified version of the Mirai worm succeeded in compromising nearly a million routers in Germany, and the attack hit the UK as well. The culprit? The wide-open management interface running on port 7547, which could easily be used to take control of the device.
Last week, a reader sent me an interesting article about changes when using OAuth 2.0 with Google in embedded browsing contexts. Many applications use their own embedded browsing contexts to run their authentication flow against identity providers such as Google, which negates the single sign-on advantage. Instead, Google will require the use of a centralized OAuth library, such as Google Sign-in or AppAuth.
And as usual, we end this edition with some positive news, as a few more steps towards an encrypted web have been taken. Two weeks ago, The Guardian released a report about how they made the move towards HTTPS. The essence of that story is twofold: gradually upgrade parts of your site to HTTPS, and use Content Security Policy to detect mixed content. A few days later, Sourceforge announced HTTPS support for all their projects as well, albeit only if you enable the option in the management interface.
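The mixed-content detection step described above (a report-only CSP plus a collector that sifts the violation reports browsers send back) as an added example; this is not code from The Guardian's write-up, and the report endpoint path and the sample reports are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Report-only policy: browsers keep loading http: subresources but POST a
# violation report for each one. The /csp-report path is a hypothetical endpoint.
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-report"
)

# Constructed reports in the JSON shape browsers POST to the report-uri endpoint.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/news",'
    ' "blocked-uri": "http://cdn.example.test/hero.jpg", "effective-directive": "img-src"}}',
    '{"csp-report": {"document-uri": "https://example.test/news",'
    ' "blocked-uri": "inline", "violated-directive": "script-src https:"}}',
    '{"csp-report": {"document-uri": "https://example.test/sport",'
    ' "blocked-uri": "http://cdn.example.test/app.js", "effective-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "https://example.test/sport",'
    ' "blocked-uri": "http://widgets.example.test/embed", "effective-directive": "frame-src"}}',
    '{"csp-report": {"document-uri": "http://example.test/legacy",'
    ' "blocked-uri": "http://cdn.example.test/old.css", "effective-directive": "style-src"}}',
]


def mixed_content_from_report(raw):
    """Return (document host, blocked URL, directive) for a mixed-content report, else None.

    Only an http: subresource on an https: page counts; inline/eval violations that
    a 'default-src https:' policy also reports are filtered out as noise.
    """
    report = json.loads(raw).get("csp-report", {})
    doc = urlsplit(report.get("document-uri", ""))
    blocked = report.get("blocked-uri", "")
    if doc.scheme != "https" or urlsplit(blocked).scheme != "http":
        return None
    # Older browsers only send violated-directive, possibly with the source list appended.
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return (doc.hostname, blocked, directive.split()[0] if directive else "")


def summarize(raw_reports):
    """Count insecure (http:) subresource loads per host, to prioritise what to upgrade."""
    counts = Counter()
    for raw in raw_reports:
        hit = mixed_content_from_report(raw)
        if hit:
            counts[urlsplit(hit[1]).hostname] += 1
    return counts


if __name__ == "__main__":
    for host, n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {host}")
```

Once the per-host counts reach zero for a section of the site, that section can be switched to a blocking policy (or redirected to HTTPS) without breaking pages.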
As the year is coming to an end, so are the scheduled events for 2016. However, next year, there will be plenty of talks you can attend:
- On February 23rd, I’ll be speaking about Frontend Security at the JSBE meetup (23/02/2017)
- In March, I will be participating in the first Devoxx US, where I will talk about Spring Security Headers
As usual, you can find the full list of events on my speaking page.