Breaches and leaks
- Twitch: the streaming service had an issue where the message archives users could request contained messages belonging to other users.
- UK government: a number of public Trello boards were exposing sensitive information.
- GOMO, a Chinese mobile app developer, exposed data of over 50 million users, many of them children.
- Augusta University Health: a phishing attack from 2017 is now known to have exposed information on over 400,000 students and patients.
- Sitter: a babysitting app with an unsecured MongoDB server exposing user data and private messages.
- SuperProf: facepalm time on this one. The tutoring site migrated users from a recently acquired company and reset every password to 'super' plus the user's first name, which made everyone's new password trivial to guess. Migrated accounts should get a one-time reset link, never a password derived from data the attacker can also see.
One variant (Foreshadow, which Intel calls L1 Terminal Fault) can read data out of Intel SGX enclave memory, and another lets a malicious VM read memory belonging to other VMs on the same host, which is the one that matters for cloud tenants. Some deeper explanations here.
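The quickest way to see where a Linux host stands on this is the kernel's own report under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not code from the linked write-ups: it reads the l1tf line, classifies it, and flags the "SMT vulnerable" suffix, which is the kernel telling you that the VM-to-VM variant is still open on hyperthread siblings even though the PTE-inversion fix is in place. The directory and the status-string prefixes are what patched kernels print; the verdict names and function names are this example's own.

```python
"""Added example: read the kernel's Foreshadow / L1TF status from sysfs.
Not code from the linked articles. The sysfs path and the prefixes
('Not affected', 'Mitigation:', 'Vulnerable') are real kernel output;
the verdict mapping and function names are this example's own."""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Coarse verdict from one sysfs status line."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def smt_exposed(l1tf_status: str) -> bool:
    """The l1tf line ends with 'SMT vulnerable' when sibling hyperthreads can
    still leak L1 contents across VMs sharing a core. The in-kernel fix does
    not cover that case; it needs SMT off or hypervisor-side measures."""
    return "SMT vulnerable" in l1tf_status


def read_status(name: str, base: str = VULN_DIR):
    """Raw status line, or None when the kernel does not report it
    (unpatched kernel, non-x86 CPU, or not Linux at all)."""
    try:
        with open(os.path.join(base, name)) as f:
            return f.read().strip()
    except OSError:
        return None


def l1tf_report(base: str = VULN_DIR) -> dict:
    """Summary a fleet-wide check can collect from every host."""
    raw = read_status("l1tf", base)
    if raw is None:
        return {"status": None, "verdict": "unknown", "smt_exposed": None}
    return {"status": raw, "verdict": classify(raw), "smt_exposed": smt_exposed(raw)}


if __name__ == "__main__":
    for name in ("l1tf", "spectre_v1", "spectre_v2", "meltdown"):
        print(f"{name:12s} {read_status(name)}")
    print(l1tf_report())
```

A host that prints "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" is patched for the SGX/OS variant but still exposes co-resident VMs to each other; treat `smt_exposed` as a finding on any multi-tenant hypervisor.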
By our beloved Tavis Ormandy. Ghostscript is the PostScript/PDF interpreter that many tools delegate to, ImageMagick being the best known. A crafted PostScript or PDF file gets remote code execution on anything that converts user-supplied documents with it, and since ImageMagick picks the decoder by file content rather than extension, an upload named .jpg is enough. No upstream fix is available yet, but you can mitigate it by disabling the PS, PS2, PS3, EPS, PDF and XPS coders in ImageMagick's policy.xml (rights="none"), or by not letting Ghostscript anywhere near untrusted input.
It's a pretty serious flaw in Microsoft's Active Directory Federation Services (ADFS): the second-factor proof was not bound to the account being authenticated, so one valid second factor could be replayed to complete MFA for any account in the enterprise whose password the attacker already had. A patch has been released.
I hadn't heard of ReDoS before; it's pretty interesting. Input to an app is crafted so that a backtracking regex engine takes exponential time to decide the match, typically through a pattern with nested quantifiers such as `(a+)+`, and the validation that was supposed to protect the app instead pins a CPU core per request and slows down or takes out the whole service.
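An added example (not from the linked article) of what that looks like in practice: an e-mail validator with a nested quantifier beside a linear rewrite of the same check, and a timer to show the gap. The sample payloads are constructed for the demo; the pattern names and the length cap are this example's own.

```python
"""Added example, not from the linked article: a validation regex with a
nested quantifier next to a linear one, plus a timer to show the gap.
Inputs are constructed for the demo."""
import re
import time

# Vulnerable: '([a-zA-Z0-9]+)+' can split a run of n letters between the inner
# and outer '+' in 2^(n-1) ways. When the overall match then fails (no '@'),
# a backtracking engine tries every split before giving up.
UNSAFE_EMAIL = re.compile(r"^([a-zA-Z0-9]+)+@example\.com$")

# Hardened: a single quantifier over the class, so there is exactly one way to
# consume a run of letters, plus a hard length cap applied before the regex.
SAFE_EMAIL = re.compile(r"^[a-zA-Z0-9]+@example\.com$")
MAX_INPUT = 254  # commonly cited maximum length of an e-mail address


def validate_email_unsafe(s: str) -> bool:
    return UNSAFE_EMAIL.match(s) is not None


def validate_email_safe(s: str) -> bool:
    if len(s) > MAX_INPUT:
        return False  # reject oversized input before any regex work
    return SAFE_EMAIL.match(s) is not None


def redos_payload(n: int) -> str:
    """n characters that match the class, then one that forces a failed match."""
    return "a" * n + "!"


def timed(fn, s: str):
    """(result, seconds) for one call; used to eyeball the exponential growth."""
    t0 = time.perf_counter()
    result = fn(s)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    # Each +2 in n roughly quadruples the unsafe time; the safe one stays flat.
    for n in (10, 14, 18, 20):
        payload = redos_payload(n)
        _, t_unsafe = timed(validate_email_unsafe, payload)
        _, t_safe = timed(validate_email_safe, payload)
        print(f"n={n:2d}  unsafe={t_unsafe:8.4f}s  safe={t_safe:.6f}s")
```

Two things generalise from this: cap input length before it reaches any regex, and audit patterns for two quantifiers that can match the same text (`(\w+\s?)*`, `(.*a){n}` and friends). If you cannot guarantee that, use a linear-time engine such as RE2 or Rust's `regex` crate, which refuse backreferences precisely so they can promise bounded time.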
The teenager apparently exfiltrated 90GB of files and had access to Apple's systems for over a year. He hid his access well, but it seems Apple was able to determine the serial number of the machine he used and found him that way.
Microsoft announced that it took control of six domains made to look like legitimate sites related to the elections.
Traefik is a load balancer / reverse proxy. In the same trend as unauthenticated Kubernetes clusters and the like, there are apparently a few thousand of them open to the public, and the unauthenticated API/dashboard hands out the TLS certificates and private keys it serves. If you run one, check that the API is not reachable from the internet and that it sits behind authentication.
Update all the things \o/
- Linux kernel: two remotely triggerable denial-of-service bugs were fixed, "SegmentSmack" (crafted TCP segments, CVE-2018-5390) and "FragmentSmack" (crafted IP fragments, CVE-2018-5391). Both let a remote peer burn CPU in the kernel's reassembly code at low bandwidth.
- Microsoft had its Patch Tuesday, fixing 60 vulnerabilities, including two zero-days.
- Adobe fixes things in Flash, Acrobat and Reader.
- Airmail 3 for Mac: a vulnerability where files and e-mails could be exfiltrated just by sending a malicious e-mail. The article says otherwise, but looking at the site a fix seems to have been pushed out.
Automatic iOS updates, credential autofill support for third-party password managers, improvements to the built-in password manager, a convenience feature to copy and paste 2FA SMS codes, and blocking of social network trackers. The SMS autofill is nice, but remember that SMS remains the weakest second factor; push it towards TOTP or hardware keys where the service offers them.
Nice initiative for an online Master's degree in cybersecurity, in collaboration with edX.
Very nice article about how to handle passwords, which goes beyond just "use bcrypt or something similar". It includes interesting things I hadn't considered before, like hashing the password client-side first, and AES-encrypting your Argon2/bcrypt hash before storing it.
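A sketch of that scheme in Python, as an added example and not the article's own code: the client sends a SHA-256 pre-hash instead of the raw password, the server runs a slow salted KDF over it (scrypt from the standard library standing in for the Argon2/bcrypt the article recommends), and a server-held key is applied before anything is stored. The article encrypts the hash with AES; this uses HMAC-SHA256 under that key instead, because the standard library has no authenticated encryption, and the property it buys is the same: a dump of the user table without the key cannot be cracked offline. Function names, parameters, the `prehash-v1` label and the pepper handling are this example's own.

```python
"""Added example (not the article's code): client pre-hash -> server slow
hash -> server-held key, producing a record that is useless without the key.
Names, parameters and the scheme label are this example's own."""
import base64
import hashlib
import hmac
import os

# Server-side secret. It must live outside the database (KMS, HSM, deployment
# secret); if a DB dump also contains it, the extra layer buys nothing.
PEPPER = os.urandom(32)


def client_prehash(username: str, password: str) -> bytes:
    """What the browser/app sends instead of the raw password.
    This value is a password-equivalent, so the server still MUST slow-hash
    it; the gain is that the cleartext password never reaches server logs or
    memory. Binding the username makes equal passwords differ per account."""
    msg = b"prehash-v1\x00" + username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.sha256(msg).digest()


def slow_hash(prehash: bytes, salt: bytes) -> bytes:
    """Per-user salted, memory-hard KDF. n=2**14, r=8 costs about 16 MiB per
    guess, which is what makes offline cracking expensive."""
    return hashlib.scrypt(prehash, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def protect(slow: bytes, pepper: bytes) -> bytes:
    """Keyed step before storage (HMAC here; AES in the article)."""
    return hmac.new(pepper, slow, hashlib.sha256).digest()


def create_record(username: str, password: str, pepper: bytes = PEPPER) -> dict:
    salt = os.urandom(16)
    tag = protect(slow_hash(client_prehash(username, password), salt), pepper)
    return {
        "scheme": "prehash-v1/scrypt-n14-r8-p1/hmac-sha256",  # version it for rotation
        "salt": base64.b64encode(salt).decode("ascii"),
        "tag": base64.b64encode(tag).decode("ascii"),
    }


def verify(record: dict, username: str, password: str, pepper: bytes = PEPPER) -> bool:
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["tag"])
    actual = protect(slow_hash(client_prehash(username, password), salt), pepper)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    rec = create_record("alice", "correct horse battery staple")
    print(rec)
    print(verify(rec, "alice", "correct horse battery staple"))  # True
    print(verify(rec, "alice", "Tr0ub4dor&3"))  # False
    # Without the server key nothing can be checked, which is the whole point.
    print(verify(rec, "alice", "correct horse battery staple", pepper=b"\x00" * 32))  # False
```

The one real difference between HMAC and the article's AES layer is key rotation: an encrypted hash can be decrypted and re-encrypted under a new key for every row offline, whereas an HMAC'd one can only be re-protected when the user next logs in, so keep the `scheme` field and upgrade rows lazily at login.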