Latest news with #Request

Outpost24 identifies key OAuth risks & best practice solutions

Techday NZ

20-06-2025



An analysis by Outpost24 has examined seven of the most common vulnerabilities present in OAuth implementations and outlined recommended measures organisations can take to mitigate these risks. OAuth, short for Open Authorization, is a widely used industry protocol that allows users to grant one site access to their data on another site without sharing their credentials directly. This delegation of authority involves issuing tokens that provide time-limited and scoped permissions to client applications on behalf of users.

Underlying complexity

Although OAuth helps reduce direct exposure of user credentials and supports fine-grained access control, its broad flexibility also creates significant opportunities for errors during implementation. The protocol relies on strict validation of parameters, endpoints and tokens, and on correct management of application state, so mistakes or oversights can introduce vulnerabilities that attackers can exploit. Outpost24's analysis notes that OAuth is not inherently weak, but that its "power (delegated, token-based access) relies on numerous checks and balances. However, OAuth vulnerabilities often arise when developers or architects skip steps, like byte-for-byte URI validation, state verification, or signature checks on ID tokens. These oversights create exploitable gaps that attackers can target. So, OAuth itself isn't inherently 'weak'—but its flexibility and the proliferation of optional parameters and flows make it easy to misconfigure in ways that lead to real-world vulnerabilities."

Common vulnerabilities

The analysis identifies seven main areas where OAuth vulnerabilities commonly occur:

1. Open redirect and redirect URI manipulation: If the authorisation server does not strictly validate redirect URIs (prefix, wildcard or substring matching instead of an exact string comparison), attackers can steer authorisation flows so that codes or tokens are delivered to endpoints they control, resulting in unauthorised access to user data.

2. Missing or weak Cross-Site Request Forgery (CSRF)/state protections: Failing to include a robust state parameter tied to each user's session enables attackers to trick users into completing authorisation requests that generate tokens for attacker-controlled clients, or to bind a victim's session to an attacker's account.

3. Implicit flow and lack of Proof Key for Code Exchange (PKCE): The implicit flow delivers access tokens directly to the browser in the redirect URL, exposing them to interception through browser history, referrers or scripts. Without PKCE, even the more secure authorization code flow is susceptible if an attacker can obtain the intermediate authorization code, because nothing ties the code to the client instance that requested it.

4. Inadequate scope validation and overly broad permissions: Applications may request excessive permissions, which can lead to abuse if an attacker acquires the access token. Users can also be misled into granting high-privilege access.

5. Token leakage via insecure storage or transport: Storing tokens in browser storage areas accessible to client-side scripts, or transmitting them over insecure channels, can lead to theft through network compromise or browser vulnerabilities such as cross-site scripting.

6. Missing or ineffective token revocation: Without appropriate means to revoke tokens, attackers or malicious clients may retain access indefinitely, even after a user believes they have rescinded authorisation.

7. Homegrown or outdated OAuth implementations: Custom or obsolete libraries may omit essential security checks, such as validating token signatures or all required request parameters, making exploitation feasible through replay or impersonation attacks.

Mitigation strategies

The analysis offers concrete recommendations to address each identified risk. For redirect URI threats, strict, exact matching of registered URIs is advised (the position also taken by the OAuth 2.0 Security Best Current Practice, RFC 9700), along with enforcement of HTTPS. To defend against CSRF threats, the report urges clients to "generate a cryptographically random state value, store it in the user's session, and include it in the request. Strictly validate state on callback," and to make use of SameSite cookie attributes.

The deprecation of the implicit flow and the universal adoption of PKCE are recommended for public clients. The analysis recommends the "use of authorization code flow + PKCE for all public clients". PKCE binds the token request to the client instance that started the authorisation request: the client sends a hash of a fresh secret (the code_challenge) with the authorisation request and reveals the secret itself (the code_verifier) only when redeeming the code, so an intercepted code alone cannot be exchanged for tokens. Limiting scope requests to the minimal set required, alongside server-side validation of access scope, are the key principles for scope management. Regarding token storage and transport, the advice is to "use secure, HttpOnly cookies for storing tokens" and to "enforce TLS everywhere… All endpoints (authorization, token, resource) must enforce HTTPS with strong ciphers." Short token lifetimes and refresh token rotation are also recommended to reduce the exposure following a token compromise. For revocation, the report recommends implementing dedicated endpoints that can invalidate access and refresh tokens in accordance with the relevant standards, with continuous verification at the resource server layer so that revoked tokens remain unusable. On the issue of custom or outdated OAuth implementations, the recommendation is to "adopt well-maintained libraries and frameworks" and to "stay current with RFCs and security advisories," underscored by regular code reviews, threat modelling and attention to emerging IETF best practices.

Operational recommendations

To build a resilient OAuth deployment, enforce strict validation of redirect URIs, state parameters and token signatures; adopt PKCE for all public clients; and adhere to least-privilege scope requests. Ensure secure storage and transmission of tokens (favouring HttpOnly cookies over local storage) and implement token revocation with continuous introspection. Use community-trusted OAuth libraries, keep up with evolving IETF/OAuth 2.1 guidelines, and maintain robust logging and monitoring to catch misuse quickly.
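The three checks the analysis singles out (exact redirect URI matching, a session-bound state value and PKCE) fit together in one short flow. The following Python model is an added example written for this page, not Outpost24's code or any library's API: the authorization server, client and session are all in-process, the client registration, endpoint URL and client ID are constructed for illustration, and the demo runs the happy path alongside four misuse attempts (a look-alike redirect URI, a replayed code, a callback delivered to the wrong session, and a stolen code redeemed without its verifier) to show each being refused.

```python
"""Authorization code flow with PKCE, exact redirect_uri matching and a
session-bound state check, modelled in-process (no network, no real AS)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AS_AUTHORIZE = "https://as.example/authorize"   # hypothetical endpoint
REGISTERED_CLIENTS = {                           # constructed client registration
    "spa-client": {"redirect_uris": {"https://app.example/cb"}},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def begin_authorization(client_id, redirect_uri, scope, session):
    """Client: a fresh state and PKCE verifier per request, both stored in the
    user's session so the callback can be tied back to exactly this request."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    session["oauth_state"], session["pkce_verifier"] = state, verifier
    return AS_AUTHORIZE + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,   # request only the scope actually needed
        "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    })

class AuthorizationServer:
    """AS: redirect_uri compared byte-for-byte against the registration; the code
    is bound to the client, redirect_uri and PKCE challenge it was issued for."""

    def __init__(self):
        self._codes = {}

    def authorize(self, request_url):
        q = _query(request_url)
        client = REGISTERED_CLIENTS.get(q.get("client_id"))
        if client is None:
            raise ValueError("unknown client")
        if q.get("redirect_uri") not in client["redirect_uris"]:  # exact match, no prefixes
            raise ValueError("redirect_uri not registered")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE (S256) required")
        if not q.get("state"):
            raise ValueError("state required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], q["scope"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, redirect_uri, code, code_verifier):
        issued = self._codes.pop(code, None)  # single use: replaying a code fails
        if issued is None:
            raise ValueError("invalid or already redeemed code")
        cid, ruri, challenge, scope = issued
        if cid != client_id or ruri != redirect_uri:
            raise ValueError("code was not issued to this client/redirect_uri")
        got = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(got, challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 300, "scope": scope}  # short-lived access token

def handle_callback(callback_url, session, server, client_id, redirect_uri):
    """Client: refuse the callback unless its state equals the session's, then
    redeem the code with the verifier that belongs to the same request."""
    q = _query(callback_url)
    expected = session.pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(expected, q.get("state", "")):
        raise ValueError("state mismatch (CSRF or mixed-up session)")
    return server.token(client_id, redirect_uri, q.get("code", ""), session.pop("pkce_verifier"))

def _refused(call):
    try:
        call()
        return False
    except ValueError:
        return True

def demo():
    """Happy path plus four misuse attempts; reports which attempts were refused."""
    server, cid, ruri, out = AuthorizationServer(), "spa-client", "https://app.example/cb", {}
    session = {}
    cb = server.authorize(begin_authorization(cid, ruri, "profile:read", session))
    out["scope"] = handle_callback(cb, session, server, cid, ruri)["scope"]
    out["replay_refused"] = _refused(lambda: server.token(cid, ruri, _query(cb)["code"], "any"))
    out["redirect_refused"] = _refused(lambda: server.authorize(begin_authorization(
        cid, "https://app.example/cb.attacker.net/x", "profile:read", {})))
    attacker_cb = server.authorize(begin_authorization(cid, ruri, "profile:read", {}))
    victim = {"oauth_state": "victim-state", "pkce_verifier": "victim-verifier"}
    out["csrf_refused"] = _refused(lambda: handle_callback(attacker_cb, victim, server, cid, ruri))
    out["stolen_code_refused"] = _refused(lambda: server.token(cid, ruri, _query(attacker_cb)["code"], "guess"))
    return out
```

Two details carry most of the weight. The redirect URI is compared with a set membership test on the exact registered string, so `https://app.example/cb.attacker.net/x` fails even though it starts with the registered value; and the code record is deleted on first redemption, so a replayed code fails before the verifier is even examined. Both state and challenge comparisons use `hmac.compare_digest` to avoid timing leaks, and in a real deployment the session dictionary would be the server-side session the report tells you to store the state in.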
Outpost24's analysis points out that by addressing these common misconfigurations and implementation issues, organisations "significantly reduce the risk of credential theft, unauthorised API access, and large-scale data breaches arising from flawed OAuth integrations."

Final Recipient Announced As Round Two Of Innovation Fund Opens

Scoop

30-05-2025

  • Health


The Minister for Mental Health, Matt Doocey, has announced that round two of the Government's Mental Health and Addiction Community Sector Innovation Fund has opened today.

'The bottom line for this Government is to ensure we are delivering timely quality mental health and addiction support to those who are bravely reaching out for help in their greatest time of need,' Mr Doocey says.

'I am excited for community organisations across the country to have another opportunity to access funding. This time, there will be more smaller grassroots organisations that will be eligible to apply for funding due to the recently announced lowered matched funding limit required.

'It's also my pleasure to announce that Tend Health Ltd is the ninth and final recipient from the fund's first round to set up a new digital primary mental health and addiction service.

'The new service aims to make it easier for people to get primary mental health support, particularly those who are not enrolled in general practice or have difficulty accessing general practice.

'A multi-disciplinary mental health and addictions team will deliver support virtually and with extended operating hours, giving people more flexible access to help when they need it.

'Once fully operational, Tend's new service is expected to deliver more than 15,000 sessions to more than 5,000 people, which is another significant step towards the Government's commitment to strengthen people's access to mental health and addiction support.'

The initiative will receive $1.97 million of funding over two years from the Government, which will be matched dollar-for-dollar by Tend to total just under $4 million.

'I am also proud that funding from round one has already enabled eight other organisations to start delivering new and expanded initiatives. They include MATES in Construction, the Mental Health Foundation, Youthline, Wellington City Mission, Rotorua Community Youth Centre Trust, the Sir John Kirwan Foundation, Women's Refuge, and Just a Thought.

'By supporting these initiatives, we're ensuring that people across New Zealand can access the support they need, while also working towards the Government's goal of growing the clinical workforce and reducing wait times for mental health and addiction services.

'I encourage all eligible providers to take up the opportunity to apply for funding and scale-up their work to benefit the many people in the communities they serve,' Mr Doocey says.

Notes: The Request for Proposals for round two of the Mental Health and Addiction Community Sector Innovation Fund has been released on the Government Electronic Tenders Site (GETS) here. Round one required matched funding of $250,000 per application; round two requires $100,000 per application.

Free Aadhaar update ends June 14: Here's how to do it online

Indian Express

22-05-2025



Last year, the Unique Identification Authority of India (UIDAI) announced that Aadhaar cardholders would be able to update their information for free until June 14, 2025. Under the Aadhaar (Enrolment and Update) Regulations, 2016, individuals must update their proof of identity and proof of address every 10 years from their Aadhaar enrolment date. After the deadline, Aadhaar updates will no longer be free, and cardholders will have to visit a physical Aadhaar centre to update their information.

If you haven't updated your Aadhaar card details in the last decade, here's how to avoid the Rs 50 standard fee and do it for free via the myAadhaar portal. The process is straightforward and lets you update your information without going to a physical centre.

How to update Aadhaar card details for free before June 14, 2025

1. Open your favourite browser and head over to the myAadhaar portal.

2. Click on the blue login button and enter your Aadhaar number and the captcha to receive a one-time password (OTP).

3. Once logged in, check whether your existing address and identity proof are up to date. If they aren't, click the 'Document Update' option at the top right of the page.

4. From the drop-down menu, choose the documents you want to update and upload the corresponding files.

5. Review and submit your documents to receive a Service Request Number (SRN), which lets you track the progress of your request.

Note that the website only supports JPEG, PNG and PDF files, and each file must be smaller than 2MB. If you want to update other information such as your photo or biometrics, the only way to do so is by visiting the nearest Aadhaar Enrolment Centre.

Protean eGov Shares Tank 20% To Hit Lower Circuit After Key Government Update

News18

19-05-2025

  • Business


Protean eGov Technologies Ltd focuses on building digital public infrastructure and e-governance initiatives for various government bodies in India.

Protean eGov Technologies Ltd's shares fell 20 per cent in Monday's morning session to hit the lower circuit at Rs 1,143.05 apiece. Trading in the stock was halted after the sharp drop, which followed the IT-enabled company's disclosure that it has "not been considered favourably for the next round of RFP selection process" for a technology revamp of the Income Tax Department's PAN systems. The scrip opened at Rs 1,119 per share, against the previous close of Rs 1,428.80.

What's the development?

Protean eGov Technologies Ltd explained in its filing that the Income Tax Department (ITD) had issued a Notice for Request for Proposals (RFP) inviting bids for the selection of a Managed Service Provider (MSP) for the design, development, implementation, operations and maintenance of its PAN 2.0 Project. "The Company has participated in the RFP bid proposal for the aforesaid project," it added.

The company said: "In our understanding this is a project for Technology revamp which include Design, Development, Implementation, Operations and Maintenance of PAN systems at ITD and at present, it appears to have limited or minimal impact on our ongoing PAN processing and issuance services under the existing mandate with the ITD." It added in the filing that it had been informed by the ITD that it has not been considered favourably for the next round of the RFP selection process.

Incorporated in 1996, Protean eGov Technologies Ltd focuses on building digital public infrastructure and e-governance initiatives for various government bodies in India. The company brought its IPO in November 2023 to raise about Rs 490.33 crore.

First Published: May 19, 2025, 10:45 IST

Veeam Patches Critical Vulnerability in Service Provider Console

TECHx

25-03-2025



Veeam Software has patched a security flaw in its Veeam Service Provider Console, a platform used by backup and disaster recovery service providers. The vulnerability, identified as CVE-2024-45206 (BDU:2024-1170), was discovered by Nikita Petrov, a Senior Penetration Testing Specialist on Positive Technologies' PT SWARM team. Following responsible disclosure, Veeam released a security patch to address the issue.

What Is the Vulnerability?

The flaw is a Server-Side Request Forgery (SSRF) vulnerability, rated 6.5 on the CVSS 3.0 scale; note that a 6.5 base score is a medium severity rating, despite the "critical" headline. It affected Veeam Service Provider Console versions 7.x through 8.0.x. If exploited, an attacker could make the server issue arbitrary HTTP requests on the attacker's behalf. Because those requests originate from the server, they can reach internal network resources that are not directly exposed to the attacker.

Who Is at Risk?

According to open-source data, as of January 2025, 2,587 systems worldwide remained vulnerable. The countries with the most exposed systems were:

  • United States (26%)
  • Türkiye (20%)
  • Germany and Great Britain (6% each)
  • Canada and France (5% each)

The flaw mainly affects large enterprises, which are the primary users of Veeam Service Provider Console.

Why Is This a Serious Threat?

Nikita Petrov explained that attackers could use this vulnerability to interact with internal systems. This could reveal network infrastructure details and lead to further attacks. In 2022, Positive Technologies also discovered security flaws in Veeam Backup & Replication and Veeam Agent for Microsoft Windows.

What Should Users Do?

To protect against exploitation, Veeam recommends updating to version 8.1.0.21377 or later; administrators should confirm the installed build number against that value rather than relying on the major version alone. Positive Technologies also suggests using additional security tooling such as:

  • Web Application Firewalls (WAF), such as PT Application Firewall, available both on-premises and in the cloud.
  • Static Code Analysis tools such as PT Application Inspector, to detect vulnerabilities during development.
  • Network Traffic Analysis (NTA) solutions such as PT Network Attack Discovery (PT NAD) and PT NGFW with IPS modules, to detect and block attacks.

Why This Matters

Veeam Software supports over 550,000 customers worldwide, including 74% of Forbes Global 2000 companies. The United States, Germany and France lead in usage, while the UAE ranks 32nd. Veeam also holds the largest market share in data replication and protection, and for eight consecutive years it has been recognised in Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions.

Take Action Now

Organisations using Veeam Service Provider Console should update their software immediately. Implementing additional security measures is also important to reduce exposure to future flaws of this kind.
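The mechanism described above (a server that can be made to fetch an attacker-chosen URL and thereby reach internal hosts) is generic, and so is the standard defence. The following Python is an added example for this page, not Veeam's code and unrelated to how CVE-2024-45206 itself works: it shows a URL-fetching feature in its vulnerable form, which trusts whatever host the caller supplies, beside a hardened form that validates the scheme and authority, resolves the name, rejects any answer in loopback, private, link-local or other non-public space, and returns the vetted address so the caller connects to that IP rather than resolving again. The DNS table is a constructed offline stand-in for `socket.getaddrinfo`, and the host names and addresses are invented.

```python
"""SSRF guard for a server-side "fetch this URL" feature.

vulnerable_target(): connects wherever the caller's URL points.
safe_target(): validates the URL, resolves it, refuses non-public addresses,
and hands back the vetted IP so the connection is pinned to it."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed offline stand-in for DNS; real code would call socket.getaddrinfo.
FAKE_DNS = {
    "backups.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "evil.example": ["93.184.216.34", "127.0.0.1"],  # mixed answer: one loopback record
}

def vulnerable_target(url):
    """Before: whatever host the caller supplied is where the server will connect."""
    return urlsplit(url).hostname

def _disallowed(ip):
    # is_global is False for loopback, RFC 1918, link-local (including the cloud
    # metadata address 169.254.169.254), shared address space, documentation
    # ranges and IPv6 ULA/link-local; multicast is excluded explicitly.
    return (not ip.is_global) or ip.is_multicast

def safe_target(url, resolver=FAKE_DNS):
    """After: validate scheme and authority, resolve, reject any disallowed
    address, and return (host, ip) with the address to connect to."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")  # http://trusted@evil/ tricks
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 (urlsplit strips [] from [::1])
    except ValueError:
        # Non-literal names, including odd spellings a libc resolver might accept,
        # are resolved and then judged by the address they resolve to.
        addrs = [ipaddress.ip_address(a) for a in resolver.get(host, [])]
    if not addrs:
        raise ValueError(f"cannot resolve {host}")
    for ip in addrs:  # every record must be public, not just the first
        if _disallowed(ip):
            raise ValueError(f"{host} resolves to disallowed address {ip}")
    return host, str(addrs[0])

def is_blocked(url, resolver=FAKE_DNS):
    """True if safe_target refuses the URL."""
    try:
        safe_target(url, resolver)
        return False
    except ValueError:
        return True
```

The returned IP matters as much as the rejection: if the HTTP client resolves the name a second time when it opens the socket, a DNS answer that changes between the check and the connection (rebinding) bypasses the guard, so the vetted address should be the one actually dialled, with the original host name kept only for the Host header and TLS SNI. Redirects from the fetched resource must go through the same check on every hop.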
