防止密码泄露和Cookie劫持的主动措施

At Slack, we’re committed to security that goes beyond the ordinary. We continuously strive to earn and maintain user trust by safeguarding critical components integral to every user’s experience. From passwords to session cookies, and tokens to webhooks, we prioritize protecting everything essential to how users log into the platform and remain authenticated. Through proactive measures and innovative automations that leverage cutting-edge threat intelligence, we’re dedicated to shielding users from potential breaches, cookie hijacking malware, and inadvertent exposure of sensitive information and secrets.

在Slack,我们致力于超越寻常的安全。我们不断努力通过保护每个用户体验中不可或缺的关键组件来赢得和保持用户的信任。从密码到会话cookie,从令牌到Webhook,我们优先保护用户登录平台和保持身份验证所需的一切。通过积极主动的措施和利用尖端威胁情报的创新自动化,我们致力于保护用户免受潜在的入侵、Cookie劫持恶意软件和敏感信息和机密的意外曝光。

Secrets should remain secret

秘密应该保持秘密

Slack’s strategy has always been to anticipate and mitigate threats before they can impact our users. Since 20161, we have been continuously scanning the internet using regular expressions2 tailored to the specifics of our tokens and webhooks to find any that are publicly accessible. Oftentimes these secrets get inadvertently exposed when they get hard-coded into development code and then published somewhere like GitHub. Since these secrets provide varying levels of access to a user’s workspace, our tooling automatically and immediately invalidates tokens and webhooks upon discovery and notifies their respective owners.

Slack的策略一直是在威胁影响用户之前预测和减轻威胁。自2016年以来,我们一直在使用针对我们的令牌和Webhooks的特定正则表达式定期扫描互联网,以查找任何公开可访问的令牌和Webhooks。通常情况下,这些秘密会在它们被硬编码到开发代码中,然后发布到GitHub等地方时无意中暴露出来。由于这些秘密提供了不同级别的对用户工作区的访问权限,我们的工具会在发现后自动立即使令牌和Webhooks失效,并通知其各自的所有者。

Following this, we aimed to extend the same level of protection and automation to Slack passwords and session cookies. Password reuse across multiple platforms poses a significant risk to user security. A 2023 study on account takeovers found that 70% of victims reported that they reused the same password across multiple sites and services, leading to 53% of them having had ...

开通本站会员,查看完整译文。

ホーム - Wiki
Copyright © 2011-2024 iteam. Current version is 2.139.0. UTC+08:00, 2024-12-28 10:11
浙ICP备14020137号-1 $お客様$