When users sign into Cloutility, the application provides authentication based on either username and password or "single sign-on" (SSO) via SAML 2.0 - both with additional (optional or required) two-factor authentication (2FA) through "time-based one-time passwords" (TOTPs) provided by authenticator apps. This is all good, but in the world we live in, merely authenticating a user during sign-in isn't enough.
In March 2023 three YouTube channels associated with Linus Media Group (LMG) were compromised by hackers who stole browser session cookies from machines logged into the channels, and thereby gained access to the active browser sessions from other machines without having to re-authenticate. The founder of LMG, Linus Sebastian, was kind enough to release a video detailing the experience along with the conditions enabling and leading to the security breach. We found the video both informative and inspiring, and as a direct consequence of this we have now expanded Cloutility's user authentication process and subsequent API-request handling accordingly.
In short, Cloutility (build 4436 and above) will now detect when an access token (or refresh token) is used from a location other than the one to which it was issued, and prompt the user to re-authenticate using their most recently used authentication method.
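To illustrate the kind of check described above, here is an added example (not Cloutility's own code) of a location-bound token: the token carries a hash of the client context it was issued to, and every API request is rejected with a re-authentication demand when that context no longer matches. The post does not define what "location" means, so the example assumes it is the client IP address plus User-Agent; the key and request values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret; a real deployment loads this from protected config.
SERVER_KEY = secrets.token_bytes(32)


def client_location(ip: str, user_agent: str) -> str:
    """Assumed definition of 'location': a hash of client IP and User-Agent."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def issue_token(user: str, ip: str, user_agent: str, ttl: int = 3600) -> str:
    """Issue an HMAC-signed token bound to the location it was issued to."""
    payload = {
        "sub": user,
        "loc": client_location(ip, user_agent),
        "exp": int(time.time()) + ttl,
    }
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def check_token(token: str, ip: str, user_agent: str) -> str:
    """Return 'ok', 'invalid', 'expired' or 'reauth_required' for an API request."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "invalid"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return "invalid"
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < time.time():
        return "expired"
    # A valid token presented from a different location is treated as possibly
    # stolen: the caller should prompt for re-authentication rather than serve it.
    if not hmac.compare_digest(payload["loc"], client_location(ip, user_agent)):
        return "reauth_required"
    return "ok"
```

A stolen but otherwise valid token replayed from a different IP or browser therefore fails the location check, which is the detection point the post describes.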
KEEP CLOUTILITY UPDATED
We always advise our users to regularly update Cloutility to the latest (and greatest, hopefully) release in order to have access to the latest features - including security features like the one mentioned above.