Plaintext passwords in internal logs at Twitter and GitHub
Two closely related items this week:
- GitHub notified a small subset of users that their passwords had been visible in internal logs: link
- Twitter asked users to reset their passwords after discovering a similar issue: link
The DDoS-for-hire service had over 136,000 registered users and had carried out over 4 million DDoS attacks. DDoS attacks dropped by 60% afterwards, at least for now.
A fix is available for the vulnerable firmware version, but applying it requires a physical firmware update of each individual lock. The researchers didn't open-source the exploit, and it doesn't appear to have been an easy feat to pull off.
They essentially found a way to keep a listening session open for longer than usual, without the reprompt that would normally tip off the user. Whatever was said during the session was transcribed and sent to the attacker. Amazon has released a patch for the issue.
Researchers used the car's Wi-Fi connection to gain access to the infotainment system. They obtained root access, which gave them control over navigation, the microphone of the hands-free car kit, and potentially more. Volkswagen fixed the issue for new cars, but it's unclear how existing cars are handled, since there is no over-the-air update capability.
The camera in question is sold white-label by many companies, so it's hard to pin it to a single name. Requesting the admin panel with the cookie value 'uid=admin' gives full control: the firmware trusts a client-supplied cookie as proof of identity instead of a server-side session. Over 50,000 such cameras are publicly reachable.
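To make the bypass concrete, here is an added example (not code from the item or from any camera vendor) showing the two halves of the problem: a constructed stand-in for the vulnerable firmware, which treats the `uid` cookie as the logged-in user, next to a hardened version that only honours a server-issued session id, plus a check that fingerprints the bypass by comparing an anonymous request with one carrying `uid=admin`. The real camera's admin panel path is not given in the item, so the path is a parameter here (assumption); the mock server exists only so the check can be run offline.

```python
"""Added example: detect the 'uid=admin' cookie auth bypass described above.

The admin panel path of the real camera is unknown, so it is a parameter
(assumption). The two handlers below are constructed stand-ins, not the
real firmware: one reproduces the bug, the other shows the fix.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_PAGE = b"<html>admin panel: reboot / stream / credentials</html>"


class VulnerableCameraHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the bug: the client-supplied 'uid' cookie IS the identity."""

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        if "uid=admin" in cookie:  # anyone can send this header
            self.send_response(200)
            self.end_headers()
            self.wfile.write(ADMIN_PAGE)
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"login required")

    def log_message(self, *args):  # keep the demo quiet
        pass


# Hardened version: the cookie is an opaque random session id looked up server-side.
# Sessions are only created by a login step (not modelled here), never from the cookie value.
SESSIONS = {}  # session id -> role


def issue_admin_session():
    """What a successful login would do: mint a random id and record the role server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = "admin"
    return sid


class FixedCameraHandler(VulnerableCameraHandler):
    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        sid = next((c.split("=", 1)[1] for c in cookie.split(";") if c.strip().startswith("sid=")), None)
        if sid is not None and SESSIONS.get(sid.strip()) == "admin":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(ADMIN_PAGE)
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"login required")


def start_mock_camera(handler=VulnerableCameraHandler):
    """Start a constructed camera on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _fetch(url, cookie=None, timeout=5):
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def check_cookie_bypass(base_url, admin_path="/"):
    """True if the admin panel is denied anonymously but served when 'uid=admin' is presented.

    Comparing bodies as well as status codes avoids false positives from servers
    that answer 200 to everything (e.g. a generic login page).
    """
    url = base_url.rstrip("/") + admin_path
    anon_status, anon_body = _fetch(url)
    forged_status, forged_body = _fetch(url, cookie="uid=admin")
    return anon_status in (401, 403) and forged_status == 200 and forged_body != anon_body


if __name__ == "__main__":
    for name, handler in (("vulnerable", VulnerableCameraHandler), ("fixed", FixedCameraHandler)):
        server, base = start_mock_camera(handler)
        try:
            print(f"{name}: bypass present = {check_cookie_bypass(base)}")
        finally:
            server.shutdown()
```

Run it as-is to see the check return True against the vulnerable handler and False against the fixed one; against a real device you would point `check_cookie_bypass` at the camera's base URL and its admin path. The fix is the usual one: identity must come from a server-side lookup of an unguessable session id, never from a cookie whose value the client chooses.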
It might not be a security issue in the strictest sense, as Microsoft argues, but the prank or DoS potential seems evident. It requires physical access to plug in the USB drive, but it also works on locked machines, which the researcher argues really shouldn't be the case.
Certificate authorities now need to publicly log every certificate they issue (Certificate Transparency), so that mis-issued certs can be detected. Chrome will now show a full-page warning when it encounters a certificate that isn't in the logs; the requirement applies to certificates issued after April 30, 2018, so older certs are unaffected. Other browsers will follow.
Google introduced the .app top-level domain, which is on the HSTS preload list, so HTTPS is mandatory for every site under it. It's all a bit weird to me but hey, it's news. Hacker News discussion here.
Pretty great outline and resource list for anyone who wants to dive into (web app) security engineering but doesn't know where to start.
G Suite security - personal project
This is a personal one. I'm building a product that gives you a security rundown of your G Suite account, with items like:
- accounts without 2FA enabled
- recently failed or suspicious logins
- publicly readable groups and documents
- recent OAuth approvals
You run it to make sure everything is peachy inside your organisation, and to see where there's work left to be done.
It will probably be self-hosted, so only you have access to your data, although I'm eager for your feedback on that.
If you're interested, let me know right here.
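As an added illustration of what two of the checks listed above look like in code (this is not the product described, and not its code), the example below computes "accounts without 2FA" and "recently failed logins" over records shaped like the G Suite Admin SDK returns. It assumes the Directory API user fields `primaryEmail`, `isAdmin`, `suspended`, `isEnrolledIn2Sv` and `isEnforcedIn2Sv`, and the Reports API login-activity shape with `actor.email` and `events[].name` where a failed attempt is named `login_failure` (the event name is an assumption here). The sample records are constructed inline so it runs offline; in practice the lists would come from `users.list` and `activities.list(applicationName='login')`.

```python
"""Added example, not the author's product: the '2FA' and 'failed logins' checks
over Admin SDK-shaped records.

Assumptions: Directory API user fields primaryEmail, isAdmin, suspended,
isEnrolledIn2Sv, isEnforcedIn2Sv; Reports API login activity items with
actor.email and events[].name == 'login_failure' for failed attempts.
All sample data below is constructed.
"""
from collections import Counter

# Constructed sample of what users.list() returns (only the fields used here).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "old@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

# Constructed sample of login activity items (Reports API shape, trimmed).
SAMPLE_LOGIN_ACTIVITY = [
    {"actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.5",
     "events": [{"name": "login_failure"}]},
    {"actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.5",
     "events": [{"name": "login_failure"}]},
    {"actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.9",
     "events": [{"name": "login_failure"}]},
    {"actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.2",
     "events": [{"name": "login_failure"}]},
    {"actor": {"email": "carol@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"name": "login_success"}]},
]


def users_without_2fa(users):
    """Active users not enrolled in 2-step verification, admins listed first.

    Suspended accounts cannot log in, so they are not reported. 'enforced' tells
    you whether a 2SV policy already applies to the user (they are in a grace
    period) or whether no policy covers them at all.
    """
    findings = []
    for u in users:
        if u.get("suspended"):
            continue
        if not u.get("isEnrolledIn2Sv"):
            findings.append({
                "email": u["primaryEmail"],
                "severity": "high" if u.get("isAdmin") else "medium",
                "enforced": bool(u.get("isEnforcedIn2Sv")),
            })
    # high-severity (admin) findings first, then alphabetically
    findings.sort(key=lambda f: (f["severity"] != "high", f["email"]))
    return findings


def failed_logins_by_account(activity, threshold=3):
    """Accounts with at least `threshold` failed login events in the window queried."""
    counts = Counter()
    for item in activity:
        for ev in item.get("events", []):
            if ev.get("name") == "login_failure":
                counts[item["actor"]["email"]] += 1
    return {email: n for email, n in counts.items() if n >= threshold}


def rundown(users, activity):
    """Combine both checks into the kind of report the tool would print."""
    return {
        "no_2fa": users_without_2fa(users),
        "repeated_login_failures": failed_logins_by_account(activity),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(rundown(SAMPLE_USERS, SAMPLE_LOGIN_ACTIVITY), indent=2))
```

The ordering matters more than it looks: an admin without 2FA is the finding that turns a leaked password (see the GitHub and Twitter items above) into a full tenant compromise, so it should top the list regardless of how many ordinary users are behind it.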