U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Shard discovers shared passwords between most popular web services

Shard is a free tool that could be used by hackers to discover shared passwords between most popular web services, including Facebook, LinkedIn, Reddit, Twitter, or Instagram. In the past months, we have read about numerous data breaches, LinkedIn, MySpace, VerticalScope are just a few examples of illustrious victims. Hundreds of thousands of millions of credentials have flooded the […]

Strong Authentication

Shard is a free tool that could be used by hackers to discover shared passwords between most popular web services, including Facebook, LinkedIn, Reddit, Twitter, or Instagram.

In the past months, we have read about numerous data breaches, LinkedIn, MySpace, VerticalScope are just a few examples of illustrious victims.

Hundreds of thousands of millions of credentials have flooded the criminal underground, a precious commodity for hackers that could try to exploit them to hack into users’ account when the owner share the same username and password.

Of course, the activity is time-consuming, hackers need to test login credentials included in a data dump against various services available online.

Now this activity can be sped up by using Shard, a command-line tool that was developed to allow users to test if a password they use for one site is also used on other popular services, including Facebook, LinkedIn, Reddit, Twitter, or Instagram.

Below the list of available modules:

$ java -jar shard-1.3.jar -l
Available modules:
        Facebook
        LinkedIn
        Reddit
        Twitter
        Instagram
        GitHub
        BitBucket
        Kijiji
        DigitalOcean
        Vimeo

The Shard receives a username and password as input then it will attempt to authenticate with multiple sites.

“I used that password as a general password for many services,” he wrote in an e-mail. “It was a pain to remember which sites it was shared and to change them all. I use a password manager now.” Philip O’Keefe, Shard creators, told to Arstechnica.

Mozilla password disclosed

Obviously, a similar application is a powerful tool in the hackers’ hands. The code of the Shard tool is available on GitHub, it is likely crooks will adapt it to make it works with other services, including financial ones.

We know that the password reuse is a very common bad habit, in the best case users apply simple modifications to a base password to reuse it on several web services. A few modification to the code could allow the Shard to hack the account also in this last scenario.

Let’s think for example to the use of “mypassoword01” on a website and “mypassoword02” on a second website, in this case, a modified version of the tool could easily guess the login credentials.

Potentially the unique limitation of the tool is the number of attempts from a single IP, a limitation that could be easily bypassed if the attacker leverages on a botnet.

Users must adopt different credential for each web service, adopt strong passwords and enable two-factor authentication when available.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Shard, passwords)