Device Code Phishing Campaign Observed in March in Nigeria
Device code phishing is a sophisticated social engineering attack that exploits a legitimate authentication feature to trick users into granting attackers persistent, unauthorized access to their accounts, often bypassing multi-factor authentication (MFA). It is particularly dangerous because the victim interacts with a legitimate login page.
Device Code Phishing
How It Works
The attack flow subverts the standard "device code" authentication process, which is designed for input-limited devices like smart TVs or gaming consoles.
Initiation: The attacker first initiates a legitimate login request on a service (e.g., Microsoft 365, GitHub) using an attacker-controlled application; the service responds with a unique, short-lived device code.
Social Engineering: The attacker sends a phishing message (email, text, or chat via platforms like Teams, WhatsApp, or Signal) to the victim. The message, often an urgent lure such as a fake meeting invite or document share, includes the generated device code and a link to the official, legitimate login verification URL (e.g., microsoft.com/devicelogin).
Victim Action: The victim, believing the request is genuine and seeing a familiar, trusted URL, navigates to the link and enters the provided code. They then proceed to authenticate with their own credentials and complete their legitimate MFA process.
Unauthorized Access: Once the victim enters the code and authenticates, the service links their account to the attacker's device/application and provides the attacker with valid access and refresh tokens. These tokens grant the attacker persistent access to the victim's data and services (email, files, etc.) without needing the password or further MFA, as long as the tokens remain valid.
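To make the flow described in the four steps above concrete from the defender's side, the following is an added toy model of the device authorization grant as an authorization server sees it. It is constructed for this page and is not any provider's code; the user names, client names, URL and the per-user allow-list policy are assumptions. It shows the two things that matter for defense: the token is issued to whichever client holds the device code, not to the person who typed the user code into the legitimate page, and the server-side controls (short code lifetime, a policy that blocks the flow for users who do not need it) stop the grant before a token exists.

```python
"""Toy authorization server implementing the shape of the OAuth 2.0 device
authorization grant. Constructed example for illustration only."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAuth:
    client_id: str               # the application that started the flow
    created_at: float            # server clock at issuance
    user_code: str               # short code the user is asked to type
    approved_by: Optional[str] = None   # UPN of whoever authorized it
    mfa_passed: bool = False


class DeviceFlowServer:
    def __init__(self, lifetime_s: int = 600, device_flow_allowed=frozenset()):
        self.lifetime_s = lifetime_s
        # Assumed policy hook: only these users may complete a device code flow
        # (models "block the flow unless required for business operations").
        self.allowed = frozenset(device_flow_allowed)
        self.by_device_code: dict[str, PendingAuth] = {}
        self.by_user_code: dict[str, str] = {}
        self.issued_tokens: list[dict] = []
        self.clock = time.time          # injectable so expiry can be simulated

    def start(self, client_id: str) -> dict:
        """Step 1 (client side): any client, trusted or not, can request a code."""
        device_code = secrets.token_hex(16)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        p = PendingAuth(client_id, self.clock(), user_code)
        self.by_device_code[device_code] = p
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",  # assumed
                "expires_in": self.lifetime_s}

    def _expired(self, p: PendingAuth) -> bool:
        return self.clock() - p.created_at > self.lifetime_s

    def user_enters_code(self, user_code: str, upn: str, mfa_passed: bool) -> str:
        """Step 3 (browser side): the user authenticates on the legitimate page
        and types the code. Policy and expiry are enforced here, before any
        token can be bound to the waiting client."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        p = self.by_device_code[device_code]
        if self._expired(p):
            return "expired_token"
        if upn not in self.allowed:
            return "blocked_by_policy"
        if not mfa_passed:
            return "mfa_required"
        p.approved_by, p.mfa_passed = upn, True
        return "approved"

    def poll(self, device_code: str) -> dict:
        """Step 4 (client side): the client that holds device_code polls and,
        once the user has approved, receives tokens for that user's account."""
        p = self.by_device_code.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        if self._expired(p):
            return {"error": "expired_token"}
        if p.approved_by is None:
            return {"error": "authorization_pending"}
        token = {"access_token": secrets.token_urlsafe(24),
                 "refresh_token": secrets.token_urlsafe(24),
                 "sub": p.approved_by,          # the victim's identity ...
                 "client_id": p.client_id}      # ... bound to the initiating client
        self.issued_tokens.append(token)
        return token


def walkthrough() -> dict:
    """Runs the flow twice: once with the flow permitted, once blocked by policy."""
    permissive = DeviceFlowServer(device_flow_allowed={"alice@example.test"})
    req = permissive.start("unrecognized-client")
    permissive.user_enters_code(req["user_code"], "alice@example.test", mfa_passed=True)
    token = permissive.poll(req["device_code"])

    strict = DeviceFlowServer(device_flow_allowed=())
    req2 = strict.start("unrecognized-client")
    verdict = strict.user_enters_code(req2["user_code"], "alice@example.test", mfa_passed=True)
    return {"permissive_token_subject": token["sub"],
            "permissive_token_client": token["client_id"],
            "strict_verdict": verdict,
            "strict_poll": strict.poll(req2["device_code"])}


if __name__ == "__main__":
    print(walkthrough())
```

The point of the two runs is that MFA succeeds on the legitimate page in both cases; only the server-side policy decides whether that success turns into a token held by a client the user never saw.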
Why It Is Effective
Legitimate Infrastructure: The victim uses the actual service's URL, defeating traditional security awareness training about checking for fake domains.
Bypasses MFA: The attack captures post-authentication tokens, effectively bypassing MFA and conditional access policies that might block the attacker's initial login attempts.
Stealthy and Persistent: Attackers gain long-term, stealthy access and can move laterally within a network.
User Trust: The process relies on user trust in familiar authentication prompts, even when the context is unusual.
Protection and Mitigation
Individuals and organizations can take several steps to protect against device code phishing:
User Education: Train users to be aware of unexpected requests for device codes. Emphasize that users should only enter a device code if they initiated the login process themselves on a separate device.
Conditional Access Policies: Administrators can restrict or block the device code authentication flow in their identity provider settings (e.g., Microsoft Entra admin center) if it is not required for business operations.
Risk-Based Authentication: Implement policies that flag or block sign-in attempts based on risk levels, such as sign-ins from unexpected locations or devices.
Phishing-Resistant MFA: Leverage more robust authentication methods, such as FIDO2 hardware tokens or the Microsoft Authenticator app with passkey, which are less susceptible to this type of token abuse.
Monitoring: Monitor authentication logs for anomalous behaviors, such as multiple device code sign-ins from different IP addresses in a short timeframe, and have a plan to revoke compromised user refresh tokens immediately if a breach is suspected.
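The monitoring step above names a concrete signal: several device code sign-ins for one user from different IP addresses within a short window. The following is an added example, not part of the original article, that runs that rule over constructed sign-in records and turns hits into a revocation worklist. The record field names follow the Microsoft Entra sign-in log schema as I know it (createdDateTime, userPrincipalName, ipAddress, authenticationProtocol with value deviceCode) but should be treated as assumptions and checked against your own export; the sample data, window length and threshold are constructed for the example.

```python
"""Detect clustered device-code sign-ins from multiple IPs per user.
Constructed example over synthetic records; field names are assumed to
match the Entra sign-in log export and must be verified for your tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (documentation-range IPs, fictitious users).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-12T09:01:10Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-03-12T09:03:42Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-03-12T09:05:00Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2025-03-12T10:30:00Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "203.0.113.12", "authenticationProtocol": "deviceCode"},
    # Same user, second IP, but hours later: outside the window, so no alert.
    {"createdDateTime": "2025-03-12T15:00:00Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "198.51.100.5", "authenticationProtocol": "deviceCode"},
]


def parse_ts(value: str) -> datetime:
    """Timestamps in the export are UTC with a trailing Z (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_device_code_signins(records, window=timedelta(minutes=15),
                                        min_distinct_ips=2) -> dict:
    """Returns {userPrincipalName: sorted list of IPs} for every user who has
    device-code sign-ins from at least `min_distinct_ips` addresses inside any
    sliding window of length `window`. Non-device-code sign-ins are ignored."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            by_user[r["userPrincipalName"]].append((parse_ts(r["createdDateTime"]), r["ipAddress"]))

    alerts = {}
    for upn, events in by_user.items():
        events.sort()
        # Slide a window starting at each event and count distinct IPs inside it.
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_distinct_ips:
                alerts[upn] = sorted(ips)
                break
    return alerts


def revocation_plan(alerts: dict) -> list:
    """Turns alerts into the response the article calls for: revoke refresh
    tokens for the affected users. 'revokeSignInSessions' is the Microsoft
    Graph user action that invalidates refresh tokens; the call itself is
    left to your tooling, this only produces the worklist."""
    return [{"user": upn, "action": "revokeSignInSessions",
             "reason": f"device code sign-ins from {len(ips)} IPs: {', '.join(ips)}"}
            for upn, ips in sorted(alerts.items())]


if __name__ == "__main__":
    hits = find_suspicious_device_code_signins(SAMPLE_SIGNINS)
    for item in revocation_plan(hits):
        print(item)
```

Tune the window and threshold to your own baseline; a user who legitimately signs a TV and a laptop in from one office network produces one IP, while the phishing case in the article produces the victim's browser network and the attacker's polling client as two.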