@GossiTheDog I've just read that mail. Didn't we learn from Qualys a few days ago that CSAM is not a good acronym in cybersecurity?
Also, according to Microsoft itself, that role doesn't exist, but a CSM does.
Notices by faebudo (faebudo@ioc.exchange)
faebudo (faebudo@ioc.exchange)'s status on Sunday, 07-Jul-2024 14:06:27 JST faebudo
faebudo (faebudo@ioc.exchange)'s status on Thursday, 09-May-2024 17:09:45 JST faebudo Fiction: FIDO2/WebAuthn is secure because the private key is stored in a Secure Element and can never be exported or used against the user's will.
Fact: Let's upload the private key to Google!
faebudo (faebudo@ioc.exchange)'s status on Thursday, 09-May-2024 17:09:42 JST faebudo @ljrk @GossiTheDog This answer triggers me, did you forget a /s?
The private key stored with Google (or any other such service) is encrypted with what? A private key stored on a Secure Element, never exportable or used against the user's will?
Or with the user's mother's maiden name and the ability to read an SMS that was sent to the user's mobile phone number?
faebudo (faebudo@ioc.exchange)'s status on Thursday, 09-May-2024 17:09:40 JST faebudo @ljrk @GossiTheDog Ah yes, this is how FIDO2/WebAuthn normally works.
But what I wrote about is WebAuthn with your Android phone/iPhone, where the sk and k_sk are backed up to your Google/iCloud account as a method to share it between devices using the same account.
The discoverable credentials are called passkeys, and there are device-bound passkeys and synced passkeys. What I'm talking about are synced passkeys.
All the big platforms are selling synced passkeys as phishing-proof and secure. But the basic promise that the private key cannot be stolen (except physically) has been violated by exporting it somewhere where it can be stolen.
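The distinction between device-bound and synced passkeys that the post draws is visible to a relying party: the WebAuthn authenticator data carries a backup eligibility (BE) flag, fixed for the credential's lifetime, and a backup state (BS) flag that says whether the key is currently backed up. The following is an added example (not code from the original thread or from any platform's implementation) that parses the flags byte of constructed authenticator data and lets a relying party classify a credential and enforce a device-bound-only policy for high-assurance logins; the relying-party ID and sample data are constructed. The flags are asserted by the authenticator itself, so this check is only as trustworthy as the attestation verified at registration.

```python
"""Classify a WebAuthn credential as device-bound or synced from the
authenticator data flags. Added example with constructed sample data."""
import hashlib
import struct

# Flag bits in the authenticator data 'flags' byte (WebAuthn Level 3, 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligibility: credential may be backed up / synced
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

RP_ID = "example.com"  # constructed relying-party ID for the sample data


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash | flags | signCount (big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed part")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_credential(auth_data: bytes) -> str:
    """Return a human-readable class derived from the BE/BS flag pair."""
    parsed = parse_authenticator_data(auth_data)
    be, bs = parsed["backup_eligible"], parsed["backup_state"]
    if bs and not be:
        # The spec forbids BS=1 with BE=0; treat it as malformed rather than guessing.
        return "invalid"
    if not be:
        return "device-bound"
    return "synced (backed up)" if bs else "synced-eligible (not yet backed up)"


def accept_device_bound_only(auth_data: bytes, rp_id: str) -> bool:
    """Policy for high-assurance logins: right RP, user verified, not backup-eligible.

    BE is fixed for the credential's lifetime, so checking it at registration
    is enough to keep synced passkeys out of the privileged tier.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # assertion was produced for a different relying party
    if not (parsed["user_present"] and parsed["user_verified"]):
        return False
    return not parsed["backup_eligible"]


def build_auth_data(flags: int, rp_id: str = RP_ID, sign_count: int = 0) -> bytes:
    """Construct a minimal authenticator data blob (no attested data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    samples = {
        "hardware key": build_auth_data(FLAG_UP | FLAG_UV, sign_count=7),
        "platform passkey": build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
        "eligible, not synced": build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE),
    }
    for name, blob in samples.items():
        print(f"{name:22s} {classify_credential(blob):38s} "
              f"high-assurance ok: {accept_device_bound_only(blob, RP_ID)}")
```

A relying party that lets users pick a tier can store the BE value per credential at registration and re-check BS on every assertion, since a credential can move from "not yet backed up" to "backed up" later without re-registering.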
faebudo (faebudo@ioc.exchange)'s status on Monday, 15-Apr-2024 01:12:16 JST faebudo @dmaonR @GossiTheDog I agree. It's also not indexed, and you can't google for it. Also, I have to assume it's only there for ISO 27001 compliance and not because they use it, when even their support staff doesn't know about their policies and processes concerning security.
faebudo (faebudo@ioc.exchange)'s status on Sunday, 14-Apr-2024 20:46:38 JST faebudo @GossiTheDog It's in their responsible disclosure policy PDF: securityandvulnerabilities@delinea.com
here: https://trust.delinea.com/?itemUid=56583ca0-6561-4cf3-a150-8c0c45d214cf