Issue 57


Flaw found in LastPass’ Authenticator app

This blog post details a flaw in LastPass' Google Auth-like app (not their main vault application). They took over 6 months to fix it. In a blog post, LastPass says that's because this app isn't part of the standard bug bounty program, which means no process was available for vulnerability reports. Way to go guys.


related RootsWeb service exposed user data

It was found that 300,000 passwords, email addresses and usernames were leaked. They've taken the site offline for now until they can fix it.


Flaws found in Sonos and Bose smart speakers

The speakers expose their status and configuration pages to the outside world, meaning someone on your Wi-Fi or online (if you expose your speaker to the Internet for some weird reason) could use them for reconnaissance. Or pranks apparently, by playing ghost noises for example ^^


Snowden-backed app 'Haven' turns your phone into a security system

It's an app that alerts you of things like movement and sound. It's meant, for example, to monitor the safety of the hardware you left in your hotel room.


Opera 50 to come with cryptocurrency mining blocker

More and more websites embed scripts that make the visitor's browser mine cryptocurrencies for them (also known as 'cryptojacking'). Opera will add a feature, dubbed 'NoCoin', to prevent this.


Twitter adds Google Auth-like two-factor authentication

Good news, as they previously only supported SMS-based 2FA, which can be subject to spoofing.


Troy Hunt: HTTPS on your landing page is important

He makes the excellent point that even if your login page is HTTPS secured, your landing page needs to be as well if you don't want a man-in-the-middle attack to redirect the 'login' button to a phishing site. Seems obvious, because it is, but easy to neglect.


7 ways admins can help secure accounts against phishing in G Suite

Great list of security measures one can take in G Suite to prevent phishing attacks, including some I didn't know about yet, like a Chrome extension that detects the use of Google credentials on non-Google sites.


DerbyCon 2017 CTF write-up

An older article, but I found it a fun read to get an idea of how one tackles a CTF (Capture The Flag) exercise at a hacker conference.


GAUNTLT - Security testing framework

This seems like a pretty cool thing to try out. It's a framework where you essentially write feature tests for your application, but focused on security. Things like "when I launch an nmap scan, I should see <x>".



Exploiting blind XSS and second order SQL injection vulnerabilities

Watch this technical demo by Netsparker's CEO Ferruh Mavituna, during which he explains the blind XSS and second order vulnerabilities and also shows how attackers can exploit them.