Ask HN: Dangers of Unsecured WiFi?

5 points by Appsmith 15 hours ago

Connected to an unsecured WiFi network last week from my MacBook. When I restarted I couldn’t log in and had to go through safe/recovery mode and use the reset password utility from the terminal to get back in (thankfully I could log in to my Apple ID).

Now I’m not able to log in to my Firebase console even from another laptop.

What’s going on here?

fabioyy 14 hours ago

Unless you accepted an invalid HTTPS certificate popup, it's not possible, even on public WiFi. Or maybe you still type http:// instead of https://, and then it is easy to fake a DNS response to point to a clone site.

  • raxxorraxor 14 hours ago

    Ironically because MITM attacks for corporate security are that common, a lot of developer tools are configured to just ignore TLS checks instead of importing the correct root certificate.

    In case of an unsecured WiFi connection this is of course much more dangerous even.

    • Appsmith 10 hours ago

      Wow! Didn’t know this!

      I would’ve thought they would let devs handle it because if anything they’re more capable of these kinds of things (not counting myself ofc :-))

      • solardev 10 hours ago

        I think developers are especially at risk, because we all think we know the risks and can manage them better... yeah, right lol.

        It's like how doctors and nurses are notoriously bad at getting their own health checkups. They're experts, they know better!

        Pfft. How many of us actually spend time (and have the knowledge for) auditing the security of our OS, cert chains, HTTPS setup, etc.? I've seen experienced senior devs share private keys over Slack for the whole team to reuse, manually disable HTTPS checks with a comment like "too much trouble", etc. It's pretty scary.

        • Appsmith 6 hours ago

          That does sound very familiar!

  • Appsmith 10 hours ago

    Thanks, that makes me feel a little better because I did use the https bookmark I had and didn’t type in the addr.
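
Added example (not part of the thread or any commenter's code): a small Python audit for the disabled-TLS-check settings that raxxorraxor and solardev describe above, run over text taken from dotfiles, CI scripts or source files. The rule list and the sample input are constructed for illustration and cover only a few well-known switches.

```python
import re

# Well-known switches that turn off TLS certificate validation in developer tools.
RULES = [
    ("curl -k/--insecure",
     re.compile(r"\bcurl\b.*\s(?:-[A-Za-z]*k[A-Za-z]*|--insecure)(?:\s|$)")),
    ("wget --no-check-certificate", re.compile(r"\bwget\b.*--no-check-certificate")),
    ("git sslVerify=false", re.compile(r"sslVerify\s*[= ]\s*false", re.I)),
    ("GIT_SSL_NO_VERIFY set", re.compile(r"\bGIT_SSL_NO_VERIFY\s*=")),
    ("npm strict-ssl=false", re.compile(r"strict-ssl\s*[= ]\s*false", re.I)),
    ("NODE_TLS_REJECT_UNAUTHORIZED=0",
     re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0")),
    ("Python verify=False", re.compile(r"\bverify\s*=\s*False\b")),
]

def find_tls_bypasses(text, source="<input>"):
    """Return (source, line_no, rule_name, line) for each line that disables TLS checks."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and whole-line comments
        for name, pattern in RULES:
            if pattern.search(stripped):
                findings.append((source, line_no, name, stripped))
    return findings

# Constructed sample: lines of the kind found in .gitconfig, .npmrc, shell and Python.
SAMPLE = """\
# constructed sample input
[http]
    sslVerify = false
strict-ssl=false
export NODE_TLS_REJECT_UNAUTHORIZED=0
curl -sk https://registry.internal.example/pkg.tgz -o pkg.tgz
curl -fsSL https://example.com/install.sh -o install.sh
resp = requests.get(url, verify=False)  # too much trouble
resp = requests.get(url, verify="/etc/ssl/corp-root-ca.pem")
git config --global http.sslVerify true
"""

if __name__ == "__main__":
    for source, line_no, name, line in find_tls_bypasses(SAMPLE, "sample"):
        print(f"{source}:{line_no}: {name}: {line}")
```

Line 9 of the sample shows the alternative the comment points to: keep verification on and pass the corporate root certificate explicitly.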

bearjaws 15 hours ago

Have you confirmed you are locked out of Firebase? Performed a password reset?

If you get to login, check your compute resources since most of these bots just deploy tons of compute and use them for DDoS. This can be in the hundreds of dollars per hour figure.

It is possible to have your session hijacked when using any wifi really, it's a lot harder on secured wifi though.

I only tether to my phone now in public, and never use unsecured wifi for anything.

  • Appsmith 15 hours ago

    Didn’t try the password reset until you mentioned. Thanks, that worked.

    Google did send me two Security alerts (one for each laptop) when I tried signing in yesterday with my old pwd. So they must have reset my password or something?

    In any case, lesson learned: never connect to an unsecured Wi-Fi again! (I rarely do, but I was at this conference last week trying to demo Appomate AI, and was wanting it to be as snappy as possible. Bad decision!)

FergusArgyll 11 hours ago

I once connected to unsecured wifi and 2 minutes later started getting ungodly amounts of spam, just spam everywhere filling up my inbox etc.

I started panicking, going over to people around me asking if they've ever experienced such a thing. All I got was a bunch of "huh? no never"s.

I found out a couple hours later that by pure coincidence my friend pranked me right then by signing my email address up for all the spam newsletters etc. he could find....

  • Appsmith 10 hours ago

    Hehe….life would be so boring without coincidences!

    But I definitely panicked too and am still worried if I carried something over to my home network.

    I’m a developer and at least superficially aware of the issues. Can’t imagine what non techies go through when faced with such situations!!

beardyw 13 hours ago

The London Underground now provides mobile connectivity. I have a gut feeling that that is more secure, but probably costly and bureaucratic.

  • Appsmith 10 hours ago

    I hear you!

    I really need to let go of these self-sabotage tendencies fast!!

brudgers 10 hours ago

[My works-on-my-machine]

By default, I tether my phone. In the places that's not possible, the public WiFi is typically part of large scale infrastructure like an airport.

The biggest practical advantage of tethering is not security. It's repeatability. Sure security matters and I trust my phone's security. But not having to navigate other people's ideas of internet access is why I tether.

Good luck.

  • Appsmith 6 hours ago

    Thanks, makes sense!