Issue 53

macOS bug lets you bypass password pop-up with 'root' and an empty password

In case you somehow missed this, yes, it's as insane as it sounds: on High Sierra, typing 'root' with an empty password into an authentication dialog (sometimes on the second try) just let you in, and in doing so enabled the root account with that empty password. Fortunately, Apple has released a fix, Security Update 2017-001. If you're on High Sierra, install it ASAP.


Imgur 2014 breach of 1.7 million e-mails and passwords

They only found out now, through security researcher Troy Hunt, who received the data dump and loaded it into Have I Been Pwned. He says he's impressed with how Imgur is handling this.
The leaked passwords were hashed with SHA-256, a fast hash that is cheap to brute-force and therefore not a great choice for passwords (Imgur has since moved to bcrypt). No other personal information was included, because Imgur never asked for any. Imgur's announcement can be read here.


Leaky S3 bucket with military data (again)

Sigh. This particular lootbox, a publicly accessible AWS S3 bucket found by UpGuard, holds about 100GB of data, some of it marked 'Top Secret', belonging to a US Army intelligence (INSCOM) cloud initiative called Red Disk: a virtual drive image, some private keys, and hashed passwords.


Researcher finds way to delete any image on Facebook

The poll feature let you attach an image by its ID, and that ID was taken straight from the request, so it could be swapped for the ID of any image on Facebook, including one uploaded by someone else. Deleting the poll then deleted the referenced image along with it. A classic insecure direct object reference: the server checked that you owned the poll, but never that you were allowed to delete the image it cascaded the delete to. After disclosing, the researcher received a $10,000 bug bounty.
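The bug class, as an added example that is not Facebook's code or the researcher's: a toy in-memory model of polls and images in which the poll stores whatever image ID the client sent. The vulnerable delete cascades to that image without checking who owns it; the fixed delete applies the same ownership check it applies to the poll. User names and IDs are constructed.

```javascript
// Added example, not Facebook's code: a toy model of the cascade-delete IDOR
// described above. Users and image/poll ids are constructed.

const images = new Map(); // imageId -> { owner }
const polls = new Map();  // pollId  -> { owner, imageId }
let nextId = 1;

function resetStore() {
  images.clear();
  polls.clear();
  nextId = 1;
}

function uploadImage(owner) {
  const id = nextId++;
  images.set(id, { owner });
  return id;
}

// imageId comes straight from the client request, so it can reference an image
// the caller does not own (the swap the researcher performed).
function createPoll(user, imageId) {
  if (!images.has(imageId)) throw new Error('no such image');
  const id = nextId++;
  polls.set(id, { owner: user, imageId });
  return id;
}

// Vulnerable: authorizes the poll, then cascades the delete to the image
// without authorizing that.
function deletePollVulnerable(user, pollId) {
  const poll = polls.get(pollId);
  if (!poll || poll.owner !== user) throw new Error('forbidden');
  polls.delete(pollId);
  images.delete(poll.imageId);
}

// Fixed: the cascaded delete is subject to the same ownership check as a
// direct one. (Rejecting foreign image ids in createPoll is the other place
// to close this.)
function deletePollFixed(user, pollId) {
  const poll = polls.get(pollId);
  if (!poll || poll.owner !== user) throw new Error('forbidden');
  polls.delete(pollId);
  const image = images.get(poll.imageId);
  if (image && image.owner === user) images.delete(poll.imageId);
}

// Attacker creates a poll pointing at the victim's image, then deletes the
// poll. Returns whether the victim's image survived.
function victimImageSurvives(deletePoll) {
  resetStore();
  const victimImage = uploadImage('victim');
  const pollId = createPoll('attacker', victimImage);
  deletePoll('attacker', pollId);
  return images.has(victimImage);
}
```

Calling victimImageSurvives(deletePollVulnerable) returns false (the victim's image is gone), victimImageSurvives(deletePollFixed) returns true. The general lesson: every object a delete cascades to needs its own authorization check, not just the object the request names.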


Two critical vulnerabilities in the Exim mail transfer agent

Nothing most of us mortals have to worry about directly, but Exim runs roughly half of the world's e-mail servers. One bug is a remotely triggerable use-after-free that can lead to code execution (CVE-2017-16943), the other a denial of service (CVE-2017-16944); both are in the handling of the BDAT command (the CHUNKING extension) in Exim 4.88 and 4.89. So if you run an Exim mail server, better patch up; until you can, the Exim team's workaround is to stop advertising chunking by setting 'chunking_advertise_hosts =' (empty) in the config.


FBI identifies and charges HBO hacker

We don't know how he was identified, but the FBI seems pretty sure, having indicted the man, Behzad Mesri, and added him to its Cyber's Most Wanted list. However, considering he lives in Iran, there's no real chance of getting him in front of a US court any time soon.


US indicts three Chinese nationals for alleged cyberattacks

The three people work for Boyusec, a Guangzhou security firm believed to have strong ties with the Chinese government. They are accused of breaking into Siemens, Moody's Analytics and Trimble. Due to the nature of geopolitics, however, not a lot will happen now. Presumably it's mostly a warning of sorts.


Bitsquatting NPM packages

Fascinating post on bitsquatting, the technique of registering names that differ from a popular one by a single bit, counting on the occasional bit flip in a computer's memory (faulty RAM, heat, cosmic rays) turning a request for the real name into a request for yours. For npm packages the post estimates this happens about 500 times a day. One package was found that might have been counting on this: it installed a Coinhive miner.
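What the technique looks like in practice, as an added example that is not code from the newsletter or from the linked post: enumerate the one-bit neighbours of an npm package name, keep those that are themselves publishable (unscoped) package names, and, on the defensive side, flag dependency names that sit exactly one bit away from a popular package. The simplified name rule and the sample package lists are assumptions.

```javascript
// Added example, not from the newsletter or the bitsquatting post it links.
// Enumerates one-bit neighbours of an npm package name and flags lookalikes
// in a dependency list. Sample names are constructed.

// Simplified form of the unscoped npm name rule: lowercase URL-safe characters,
// no leading "." or "_", at most 214 characters. Assumption: close enough for
// this check (the real rule lives in validate-npm-package-name).
const VALID_NAME = /^[a-z0-9][a-z0-9._-]{0,213}$/;

function isValidName(name) {
  return VALID_NAME.test(name);
}

// Every string whose UTF-8 bytes differ from `name` in exactly one bit.
// Flipped bytes are decoded as latin1 so a flip into 0x80-0xFF still yields
// a string; isValidName rejects those anyway.
function bitFlipVariants(name) {
  const bytes = Buffer.from(name, 'utf8');
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    for (let bit = 0; bit < 8; bit++) {
      const flipped = Buffer.from(bytes);
      flipped[i] ^= 1 << bit;
      out.push({ name: flipped.toString('latin1'), byte: i, bit });
    }
  }
  return out;
}

// The subset a squatter could actually publish on the registry.
function squattableVariants(name) {
  return bitFlipVariants(name)
    .filter(v => isValidName(v.name) && v.name !== name)
    .map(v => v.name)
    .sort();
}

// Hamming distance between the UTF-8 encodings, or -1 if the lengths differ.
function bitDistance(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  if (x.length !== y.length) return -1;
  let d = 0;
  for (let i = 0; i < x.length; i++) {
    let diff = x[i] ^ y[i];
    while (diff) { d += diff & 1; diff >>= 1; }
  }
  return d;
}

// Defensive check: given the dependency names from a lockfile and a list of
// popular packages, report each dependency that is exactly one bit away from
// a popular package (and is not that package itself).
function findBitsquats(dependencyNames, popularNames) {
  const hits = [];
  for (const dep of dependencyNames) {
    for (const pop of popularNames) {
      if (dep !== pop && bitDistance(dep, pop) === 1) {
        hits.push({ dependency: dep, lookalikeOf: pop });
      }
    }
  }
  return hits;
}

// Constructed sample input: a few popular names and a lockfile that contains
// two one-bit lookalikes ("modash" for "lodash", "reacu" for "react").
const POPULAR = ['lodash', 'express', 'react'];
const LOCKFILE_DEPS = ['lodash', 'modash', 'express', 'reacu'];
const SAMPLE_HITS = findBitsquats(LOCKFILE_DEPS, POPULAR);
```

Running squattableVariants('lodash') gives the handful of names a squatter would want to register (modash, nodash, hodash, dodash and so on); most flips land on uppercase letters or punctuation that the registry would refuse, which is why the publishable set is so much smaller than the 8 × length raw variants. Feeding your lockfile's dependency names and a list of the top packages into findBitsquats is a cheap pre-install check.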


Golden SAML: newly discovered attack technique forges authentication to cloud apps

This one is very technical, but my attempt at a TL;DR: ADFS signs the SAML responses it issues with a token-signing private key, and every cloud application federated with it trusts that signature. An attacker who gets hold of that key (for example by compromising the ADFS server or its service account) can mint valid SAML responses for any user, with any claims, and get SSO access to every application in the federation, without ever touching the users' passwords or MFA. It's the SAML counterpart of a Golden Ticket. There is no patch, because nothing is 'broken'; you can only protect the ADFS servers and that key like the crown jewels they are, monitor for SAML responses that did not originate from ADFS, and rotate the token-signing certificate regularly, which invalidates a stolen key. If you rely heavily on SAML, check it out.


5-year-old boy hacks dad's Xbox account

It doesn't always have to be serious. This five-year-old figured out that he could log into his dad's account by spamming the spacebar on the password screen (hey, kinda like Apple). He got a "bug bounty" from Microsoft of $50, four games and a year's subscription to Xbox Live :)


This newsletter is one year old \o/

Well, it will be Saturday. The first issue of this newsletter was published on December 2nd, 2016. Over the first year we've gained just under 1600 subscribers, and had only about 40 people unsubscribe. Which makes me quite happy :-) Thanks everyone!

Dieter Van der Stock


