Tags: authentication*


  1. Security researcher BobDaHacker discovered multiple critical vulnerabilities in the Petlibro smart pet feeder system. The most severe is an **authentication bypass** allowing attackers to log in to *any* account using publicly available Google IDs. Petlibro acknowledged the issues and offered a $500 bounty, but has left the vulnerable login endpoint active for "legacy compatibility" over two months after initial reporting, despite promising a fix.

    Other vulnerabilities included:

    * Viewing details of any pet by ID.
    * Obtaining serial numbers and MAC addresses.
    * Manipulating feeding schedules, camera feeds, and settings without authentication.
    * Retrieving mealtime messages recorded by owners.
    * Gaining access to devices by adding oneself as a shared owner.
  2. Details the restrictions when using a public MQTT broker with Meshtastic, focusing on TLS/SSL requirements, authentication, and potential issues with server reliability and rates.
  3. This article details significant security vulnerabilities found in the Model Context Protocol (MCP) ecosystem, a standardized interface for AI agents. It outlines six critical attack vectors – OAuth vulnerabilities, command injection, unrestricted network access, file system exposure, tool poisoning, and secret exposure – and explains how Docker MCP Toolkit provides enterprise-grade protection against these threats.
  4. OPKSSH (OpenPubkey SSH) allows authentication to servers over SSH using OpenID Connect (OIDC), replacing manually configured SSH keys with ephemeral keys for improved security, usability, and visibility. It's now open-source under the OpenPubkey project.
  5. A vulnerability in Okta's AD/LDAP DelAuth was identified on October 30, 2024, allowing users to authenticate using only the username if it exceeded 52 characters and a cache key had previously been generated. The issue was resolved the same day by switching the cryptographic algorithm from bcrypt to PBKDF2.
  6. Okta has confirmed a security vulnerability where usernames of 52 characters or more allowed account access without a password.
  7. The FIDO Alliance's new Passkey standard aims to make password-less authentication a reality, but the real challenge lies in getting users to adopt the technology.
  8. Aegis is a free, open source Android app that securely manages 2-step verification tokens. It supports HOTP and TOTP, is compatible with thousands of services, and offers features like screen capture prevention, biometric unlock, and automatic backups.
  9. Learn about JSON Web Tokens (JWT) authentication: how it works, its components, its benefits, and its implementation with examples using Node.js and Express. This guide covers the process, key components, and security of JWT.
  10. This blog post explains why JWTs (JSON Web Tokens) are not suitable for authorization despite their popularity in authentication scenarios. It discusses the proper use of JWTs for verification, the risks of misusing them for authorization, and alternative solutions.


SemanticScuttle - klotz.me: tagged with "authentication"
