Security Alerts & News
by Tymoteusz A. Góral

History
#1669 Outlook web access two-factor authentication bypass exists
Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.

A design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization’s email inboxes, calendars, contacts and more.

The problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA and it is not covered by two-factor authentication. EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and would enable access to a user’s inbox.
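
A defender's check for the gap described above, as an added example that is not part of the original article: it scans IIS W3C logs for authenticated EWS requests coming from outside trusted networks, that is, mailbox access that did not go through the OWA second factor. The log sample, the `TRUSTED_NETS` range and the function name are constructed assumptions.

```python
import ipaddress

# Assumption: networks from which direct EWS use is expected (adjust per site).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in IIS W3C extended log format; not real log data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2016-11-04 09:12:01 POST /owa/auth.owa CORP\\alice 203.0.113.7 302
2016-11-04 09:12:09 GET /owa/ CORP\\alice 203.0.113.7 200
2016-11-04 09:30:44 POST /EWS/Exchange.asmx - 198.51.100.23 401
2016-11-04 09:30:45 POST /EWS/Exchange.asmx CORP\\bob 198.51.100.23 200
2016-11-04 09:31:02 POST /ews/exchange.asmx CORP\\bob 198.51.100.23 200
2016-11-04 10:02:17 POST /EWS/Exchange.asmx CORP\\carol 10.1.4.20 200
"""

def external_ews_logons(log_text, trusted=TRUSTED_NETS):
    """Return {(user, ip): count} of authenticated EWS requests from untrusted IPs."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed or truncated line
        rec = dict(zip(fields, parts))
        # IIS paths are case-insensitive, so normalise before matching.
        if not rec.get("cs-uri-stem", "").lower().startswith("/ews/"):
            continue
        # Only successful, authenticated requests ("-" means anonymous).
        if rec.get("sc-status") != "200" or rec.get("cs-username", "-") == "-":
            continue
        try:
            ip = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue
        if any(ip in net for net in trusted):
            continue
        key = (rec["cs-username"].lower(), str(ip))
        hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for (user, ip), n in external_ews_logons(SAMPLE_LOG).items():
        print(f"{user} authenticated to EWS from {ip} ({n} requests)")
```

Hits are a starting point for review rather than proof of compromise, since legitimate clients also use EWS.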
#1673 Wix.com security flaw places millions of websites at risk
#1672 Teen pleads guilty to creating DDoS tool used in 1.7 million attacks
#1671 Mirai botnet attackers are trying to knock an entire country offline
#1670 Cisco patches critical bugs in 900 series routers, prime home server
#1669 Outlook web access two-factor authentication bypass exists
#1668 GitLab patches command execution vulnerability
#1667 Cisco job applicants warned of potential mobile site data leak