Issue 82

"Wavethrough" bug exposes content from other sites via HTML5 audio tag

Interesting bug where by using the <audio> tag and the range parameter inside a service worker, a site could remotely load any content from any other site, bypassing CORS completely (Cross-Origin Resource Sharing). Several browsers were vulnerable at some point, but only Edge was left. You can find the technical write-up here.

3,000+ mobile apps leaking data from unsecured Firebase databases

Nothing groundbreaking after all the unsecured MongoDB and Redis instances, but a good reminder to make sure you secure your Firebase implementation properly.

Decades-old PGP bug allowed hackers to spoof anyone’s signature

Using just the public key or key ID, one could spoof a digital signature that would be seen as valid by the PGP implementation. Lot's of tools have received patches.

DNS Rebinding on Google Home, Roku and Sonos. Fixes underway.

DNS Rebinding is getting more attention these days. The article explains the vulnerability well, and shows how a researcher was able to use it to remotely control Google Home, Roku and Sonos devices.

Google open-sources gVisor, a sandboxed container runtime

gVisor is a sandbox system to run untrusted containers in isolation, integrated with Docker and Kubernetes.

macOS can cache data from encrypted hard drives in the clear

It's been known in forensics for years, so consider it more of a head's up: when using Quicklook or Finder for files on an encrypted drive, the thumbnail (both for images and documents) can be stored on a non-encrypted location.

Security code auto-fill: is this new iOS feature a security risk for online banking?

Interesting blogpost on the upcoming iOS feature that auto-fills two-factor SMS tokens. It would be a great convenience, but it might come with risks too.


Bypassing web application firewalls

WAFs are a good security measure but the security of your web applications should not solely depend on it, because they can be bypassed. Watch this demo on Paul’s Security Weekly during which a researcher from Netsparker explains and demos how modern web application firewalls can be defeated.

New security features to manage your company Macs

Fleetsmith just launched new security features: remote lock and wipe of employees' devices and kernel extension whitelisting. You can also escrow each Mac's FileVault recovery key, and enforce a company policy for password and screen saver settings. I use Fleetsmith every day, much recommended :)