Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft fixes Windows Hello authentication bypass vulnerability

Microsoft fixes Windows Hello authentication bypass vulnerability

Microsoft has addressed a security feature bypass vulnerability in the Windows Hello authentication biometrics-based tech, letting threat actors spoof a target’s identity and trick the face recognition mechanism into giving them access to the system.

According to Microsft, the number of Windows 10 customers using Windows Hello to sign in to their devices instead of a password grew from 69.4% to 84.7% during 2019.

Exploitation requires physical access

As discovered by CyberArk Labs security researchers, attackers can create custom USB devices that Windows Hello will work with to completely circumvent Windows Hello’s facial recognition mechanism using a single valid IR (infrared) frame of the target.

Also Read: How to Choose a Penetration Testing Vendor

Tsarfati reported the Windows Hello vulnerability tracked as CVE-2021-34466 and rated as Important severity to Microsoft in March.

Based on Microsoft’s assessment of the security vulnerability, unauthenticated adversaries require physical access to the target’s device to exploit it in high complexity attacks.

“The vulnerability allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host,” security researcher Omer Tsarfati explained.

“We have no evidence that this attack has been used in the wild, but it could be used by a motivated attacker to target a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example.”

Windows Hello Bypass Attack
Image: CyberArk Labs

Some Windows Hello users protected from attacks

Microsoft has released Windows 10 security updates to address the CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability as part of the July 2021 Patch Tuesday.

According to Redmond, Windows Hello customers with biometric sensor hardware and drivers with support for Enhanced Sign-in Security are not exposed to attacks abusing this security flaw.

“Customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline,” Microsoft said in a statement.

“Enhanced Sign-in Security is a new security feature in Windows which requires specialized hardware, drivers, and firmware that are pre-installed on the system by device manufacturers in the factory.”

“Please contact your device manufacturers for the state of Enhanced Sign-in Security on your device,” the company added.

CyberArk Labs concluded their report on the CVE-2021-34466 vulnerability saying that, although Enhanced Sign-in Security with compatible hardware restricts the attack surface, this highly depends on what cameras the targets are using.

The CyberArk Labs researchers will present their findings at Black Hat 2021 on August 4-5, 2021. 

Further technical information on how the researchers bypassed Windows Hello’s authentication mechanism can be found in CyberArk Labs’ report.

Also Read: 5 Most Frequently Asked Questions About Ransomware




Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us