accounts Archives

Winsage

April 25, 2026

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a significant architectural vulnerability in the Windows Remote Procedure Call (RPC) framework that allows local privilege escalation to SYSTEM-level access across all Windows versions. Discovered by Kaspersky's Haidar Kabibo at Black Hat Asia 2026, this vulnerability stems from the RPC runtime's failure to verify the legitimacy of a responding server during calls to offline or disabled servers. Attackers can exploit this by setting up a malicious RPC server that impersonates a legitimate endpoint, using the RpcImpersonateClient API to escalate privileges from low-privileged accounts to SYSTEM or Administrator levels. Five distinct exploitation paths have been identified: 1. gpupdate.exe coercion: An attacker can intercept an RPC call made by the Group Policy Client service when executing gpupdate /force, granting SYSTEM-level access if TermService is disabled. 2. Microsoft Edge startup: Launching msedge.exe triggers an RPC call to TermService, allowing privilege escalation from Network Service to Administrator via a spoofed endpoint. 3. WDI background service: The Diagnostic System Host polls TermService regularly, enabling an attacker to exploit this without user interaction. 4. ipconfig.exe and DHCP Client: Running ipconfig.exe initiates an RPC call to the DHCP Client service, allowing a Local Service attacker to elevate privileges if DHCP is disabled and a fake server is present. 5. w32tm.exe and Windows Time: An attacker can expose a named pipe endpoint, allowing them to impersonate any privileged user executing the Windows Time executable. The vulnerability was reported to Microsoft on September 19, 2025, but Microsoft categorized it as moderate severity and closed the case without a patch, as the attack requires SeImpersonatePrivilege, which is granted by default to certain accounts. Organizations are advised to implement defensive measures such as enabling RPC monitoring, ensuring legitimate services are running, and restricting SeImpersonatePrivilege. Kaspersky has provided tools for auditing environments for exploitable RPC call patterns through the PhantomRPC GitHub repository.

AppWizard

April 25, 2026

Widespread controversy surrounds “Messenger”… What is the truth behind the suspension and what will happen to your messages?

Reports from Washington, DC, have raised concerns among Messenger app users regarding the future of the app and user data. Clarifications indicate that there is no complete shutdown planned for the app, but potential updates or modifications to services and features may occur. The parent company routinely implements updates, which may include removing outdated features or integrating services into other applications. User conversations are not being abruptly deleted; they remain securely stored in line with the company's storage policies, and users can access their data as long as their accounts are active. Experts advise users to stay informed through official updates and to be cautious of rumors on social media regarding privacy and data security.

Winsage

April 24, 2026

Microsoft to roll out Entra passkeys on Windows in late April

Microsoft will introduce passkey support for phishing-resistant passwordless authentication on Microsoft Entra-protected resources starting in late April, with broader availability expected by mid-June 2026. This feature will allow passwordless sign-in on unmanaged Windows devices and will support various device types, including corporate, personal, and shared options. Administrators can manage passkeys through Conditional Access and Authentication Methods policies. Users can create device-bound passkeys stored securely within the Windows Hello container, using methods like facial recognition, fingerprint scanning, or a PIN. The passkeys will adhere to FIDO2 standards and will be securely bound to individual devices, preventing transmission over the network to enhance security against phishing and malware attacks. Microsoft has also announced plans for mandatory multifactor authentication registration for Entra tenants by October 2024 and that all new accounts will be passwordless by default starting in May 2025.

AppWizard

April 24, 2026

Google Adds Verified Email Feature to Simplify Android App Logins

Google has introduced a verified email feature for Android applications, accessible through the Credential Manager API. This feature allows apps to retrieve a user's verified email directly from their device, improving the login and account creation processes by eliminating the need for one-time passwords (OTPs) and email verification links. Users receive a system-level prompt to share their verified email with a simple tap, enhancing the user experience by reducing interruptions. The feature also benefits developers by simplifying verification systems and potentially decreasing user drop-off rates during registration. Currently, it supports Google accounts, with plans to include other identity providers in the future. Google advises developers to continue using traditional verification methods for non-Google accounts to ensure compatibility.

AppWizard

April 24, 2026

Google rolls out verified email feature for Android apps, removing need for OTPs

Google has introduced a verified email feature for Android applications via its Credential Manager API, allowing users to access their verified email addresses directly from their devices without traditional verification steps like OTPs or email links. Users receive a system-level prompt to share their verified email with a single tap, improving the user experience by eliminating the need to switch between apps. This feature simplifies the onboarding process for developers, reducing user drop-offs during registration and potentially improving conversion rates. Currently, it supports consumer Google Accounts, with plans for broader adoption pending support from other credential issuers. The system is intended for various use cases, including account creation, re-authentication, and recovery, while maintaining existing verification methods for non-Google accounts. This initiative is part of Google's effort to enhance authentication integration into the operating system and reduce reliance on passwords and multi-step verification.

AppWizard

April 24, 2026

Google Verified Email delivers powerful boost to Android app signups

Google Verified Email is a feature that streamlines the email confirmation process on Android devices by eliminating the need for one-time passwords (OTPs) or link tapping. It uses Android’s Credential Manager to store a cryptographically verified email credential on the device. When a user interacts with an email field or a sign-up button, a prompt requests permission to share the verified email with the app, allowing for instant confirmation without leaving the screen. This feature currently supports consumer Google Accounts on devices running Android 9 or later with updated Google Play services. Apps cannot access user information without explicit consent, and the feature can also be used for account recovery and profile modifications. Developers can use the Credential Manager API, which is issuer-agnostic, but Google’s credential specifically verifies only the email address. Despite its benefits, Google recommends maintaining backup options like manual email entry or traditional OTPs for situations where no suitable credential is available.

AppWizard

April 23, 2026

Australian Government Demands to Know What Roblox, Minecraft, Fortnite, and Steam are Doing to Prevent Grooming, Radicalisation

The Australian Government's eSafety office has requested major gaming platforms, including Roblox, Microsoft, Epic, and Valve, to provide details on their measures to prevent child grooming and extremist content. The eSafety office has issued legally enforceable transparency notices due to concerns that platforms like Roblox, Minecraft, Fortnite, and Steam may be exploited by predators and extremist groups. Approximately 90% of children aged 8 to 17 in Australia engage with online games, highlighting the need for protective measures. Reports indicate that these platforms have been associated with grooming incidents and extremist themes, including games inspired by the Islamic State and depictions of mass shootings. Non-compliance with the transparency notice could result in penalties of AUD5,000 per day. In response, Roblox has committed to safety initiatives, including AI technology to review content and plans for age-based accounts to enhance user safety.

Tech Optimizer

April 23, 2026

The antivirus feature I skip on every SSD-powered PC

File shredders may not effectively erase data on solid-state drives (SSDs) due to the way SSDs distribute data, which can lead to deleted files remaining retrievable. Additionally, using file shredders can reduce the lifespan of SSDs because of their limited write cycles. Instead of file shredders, drive encryption is recommended for protecting sensitive data on SSDs, as it ensures that deleted data remains unreadable. Windows 11 offers integrated drive encryption for users with a Microsoft account, and tools like VeraCrypt or Cryptomator can create encrypted folders for managing sensitive documents. It's important to safeguard access to encrypted data by backing up decryption passwords or recovery keys.

Winsage

April 23, 2026

Engineering secure passkey sync in Microsoft Password Manager

Passkeys are a new form of authentication that replace traditional passwords, providing a phishing-resistant and streamlined sign-in process. Microsoft Password Manager allows users to save and synchronize passkeys across devices linked to their Microsoft accounts, enhancing accessibility. The architecture for passkey syncing includes confidential computing for sensitive operations, hardware-rooted key protection for encryption keys, tamper-evident recovery storage, and encrypted synchronization across devices. Sensitive passkey operations are executed in Azure's confidential computing environments, ensuring cryptographic materials are processed securely. The encryption keys are protected using Azure Managed HSM, with access governed by attestation-based mechanisms. Registration and recovery processes require user authentication and enforce security measures within confidential computing boundaries, including a lockout state after consecutive incorrect PIN attempts. The system aims to provide a secure and user-friendly experience as part of a transition to a passwordless future.

AppWizard

April 23, 2026

Goodbye, OTPs and magic links: Signing up for new Android apps just got a lot easier

Google has introduced a Verified Email feature for Android applications that simplifies the sign-up process by eliminating the need for magic links and one-time PINs (OTPs). This feature allows users to register for apps using a "cryptographically verified email credential" sourced from their Google account, which is securely stored on their device. It enhances security by enabling app developers to prompt users to create a passkey during registration. The Verified Email feature can also be used for account recovery and re-authentication for sensitive actions. However, it is currently limited to consumer Gmail accounts, and users with Workspace or managed accounts must still use traditional verification methods. Additionally, Google accounts created with non-Google email addresses may require extra verification steps from app developers. The feature is accessible on devices running Android 9 or newer and Google Play Services version 25.49.xx or later.