SECURITY: TPG modem admin bypass to enable DSL

February 12, 2018

Problem:

you have Huawei HG659 that came from TPG pre-configured, but it doesn’t work on ADSL. You set up bridge mode to 3rd party ADSL modem and still no success. Reason being – it’s preconfigured for VDSL and you cannot change it without root admin access. On top, TPG won’t give you the password for root.

Solution:

Forget about root admin read more …

Tags

CRYPTO: GDAX – CoinBase security flaw

January 23, 2018

Let’s assume you enabled 2FA on your GDAX/Coinbase account. Currently, you cannot withdraw funds from GDAX to outside address or bank account without two-factor authentication (2FA).

However, you can move the funds from GDAX to Coinbase account and from there you can then send them to outside address without 2FA! I consider this a security flaw and will demonstrate the issue in the example below.

If for example, you have a device (PC/MAC/Mobile, etc.) where you have activated “remember me for 30 days” feature to avoid providing 2FA everytime you log in, this device becomes a target for potential theft. Once someone will get an access to this device and steal your login credentials, they can then move the funds from GDAX to Coinbase and from there move it to an outside address to which you no longer have access. GDAX and Coinbase share the security settings (including login details), so attacker needs just your login details to access both platforms to action it.

Vulnerability above assumes that attacker will gain access to login credentials and to the device with active “remember me for 30 days”, so please make sure you have both secured very well if you happen to have this kind of set up.

@COINBASE: kindly fix it pls!

Tags