Dashlane explains how attackers managed to download encrypted password vaults
Ars Technica1040 字 (约 5 分钟)
82
Attackers exploited Dashlane's device enrollment API via 2FA spraying to download fewer than 20 encrypted vaults before automated lockouts. By distributing requests across thousands of accounts, they increased 6-digit OTP guess probability from 1/1M to 1/1K while evading rate limits, though Argon2 hashing still protects vault contents.
入选理由:攻击者滥用设备注册API进行2FA喷射,成功生成有效令牌并下载了少于20个用户的加密密码库。
FeaturedArticle#Dashlane#2FA Spraying#Argon2#Password Manager Security#API Abuse英文