Many webapps are installed in an unconfigured state, and you visit the app through the browser to set an admin password. This was always a race against attackers, but in the past you'd usually win. Thanks to CT, attackers learn about and probe new hostnames within minutes. (2/4)
-
-
Show this thread
-
Unless you visit the app to configure it right away, attackers will find it, take it over, and use it for malware, phishing, spam, etc. (3/4)
Show this thread -
If you're designing a webapp, have the initial admin password be configured out-of-band rather than through the browser. If you know of a webapp that sets the initial admin password through the browser, file a bug, citing the CT Honeypot research. (4/4)
Show this thread
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.