Issue 99

Breaches and leaks

  • FitMetrix, a fitness software provider, had an open Elasticsearch database exposing the data of millions of users (exact number unknown).
  • US Department of Defense: personal information and credit card details of 30,000 employees were compromised through a third-party service provider.
  • DonaldDaters, a recently launched dating app for Trump supporters, had an open database exposing personal information, session tokens and private messages.
  • 35 million US voter records were found for sale on a hacking forum.

Vulnerability in LibSSH allows for trivial authentication bypass

This is as painful as they come. You tell the server "I'm authenticated, really!", and it goes "I believe you, come on in!". ... You'll want to check if you run LibSSH in your infrastructure and patch. Note that libssh is a separate library from OpenSSH; OpenSSH servers are not affected by this bug, but anything that embeds libssh as a server is.
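To make the "I'm authenticated, really!" failure concrete, here is a toy model of the server side of SSH user authentication. This is an added example written for this issue, not libssh's code: it uses the real message numbers from RFC 4252, but the session object, dispatch functions and credential store are constructed for the demo. The vulnerable dispatcher shares one handler table for both directions of the protocol, so the client-side handler for USERAUTH_SUCCESS is reachable from a client-sent packet; the hardened dispatcher only accepts the single message a client may send in this state.

```python
"""Toy model of the server side of SSH user authentication (RFC 4252).

Added example: a simplified simulation, not libssh's code, to show how a
server that dispatches on message number alone can be told "I'm authenticated".
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Message numbers from RFC 4252. The first is client-to-server; the other two
# are only ever legitimately sent by the server.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

# Constructed credential store for the demo, not real credentials.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


class ProtocolViolation(Exception):
    """Raised when a peer sends a message it is not allowed to send."""


@dataclass
class ServerSession:
    authenticated: bool = False
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def handle_userauth_request(session: ServerSession, payload: Dict) -> int:
    """Legitimate path: verify the password and answer SUCCESS or FAILURE."""
    user, password = payload.get("user"), payload.get("password")
    if VALID_CREDENTIALS.get(user) == password:
        session.authenticated, session.user = True, user
        return SSH_MSG_USERAUTH_SUCCESS
    session.log.append(f"failed login for {user!r}")
    return SSH_MSG_USERAUTH_FAILURE


def vulnerable_dispatch(session: ServerSession, msg_type: int, payload: Dict) -> Optional[int]:
    """Dispatches purely on message number, with one shared table for both
    directions. The USERAUTH_SUCCESS handler is meant for the client side
    (it records that the *server* accepted us), but here the server runs it
    on a client-sent packet and marks the session authenticated."""
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        return handle_userauth_request(session, payload)
    if msg_type == SSH_MSG_USERAUTH_SUCCESS:
        session.authenticated, session.user = True, payload.get("user")
        session.log.append("peer reports authentication success")
        return None
    session.log.append(f"ignoring message {msg_type}")
    return None


def hardened_dispatch(session: ServerSession, msg_type: int, payload: Dict) -> Optional[int]:
    """Only accepts the message the client may send in this state; anything
    else is a protocol violation that ends the session."""
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        return handle_userauth_request(session, payload)
    session.log.append(f"unexpected message {msg_type} from client, disconnecting")
    raise ProtocolViolation(f"client may not send message {msg_type}")


def run_client(dispatch: Callable, messages) -> ServerSession:
    """Feeds a scripted client message sequence to the server; returns the session."""
    session = ServerSession()
    try:
        for msg_type, payload in messages:
            dispatch(session, msg_type, payload)
    except ProtocolViolation:
        session.authenticated = False  # disconnected: no session survives
    return session


# The attack: skip USERAUTH_REQUEST entirely and simply claim success.
BYPASS_ATTEMPT = [(SSH_MSG_USERAUTH_SUCCESS, {"user": "root"})]
# A normal login for comparison.
NORMAL_LOGIN = [(SSH_MSG_USERAUTH_REQUEST,
                 {"user": "alice", "password": "correct horse battery staple"})]

if __name__ == "__main__":
    print("vulnerable, bypass:", run_client(vulnerable_dispatch, BYPASS_ATTEMPT).authenticated)
    print("hardened, bypass:", run_client(hardened_dispatch, BYPASS_ATTEMPT).authenticated)
    print("hardened, real login:", run_client(hardened_dispatch, NORMAL_LOGIN).authenticated)
```

The general lesson is the one the hardened dispatcher encodes: a protocol state machine should enumerate the messages a peer is allowed to send in each state, and treat everything else as a disconnect, rather than routing every known message number to whatever handler happens to exist for it.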

Facebook hack impacted 30 million, of which 14 million had personal data stolen

This is an update on the "View As" vulnerability. The attackers stole regular contact information from about half of the users impacted, but far more from the other ~14 million people, including the most recent places they checked in, their most recent searches, and more.

Security support for PHP 5.6 ends in 10 weeks, hundreds of millions of websites still use it

Cross fingers that no serious vulnerability gets found after New Year's, I guess?

TLS 1.0 and TLS 1.1 being retired in 2020 by all major browsers

This is a collective decision by Microsoft, Google, Apple, and Mozilla. TLS 1.2 and 1.3 are so prevalent that the fallout should be minimal.
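A check worth running on your own servers ahead of the browsers: below is the weak and the corrected nginx setting side by side, as an added example that is not part of the linked announcement. The directive is nginx's own; the comments are mine.

```nginx
# Before: still negotiates TLS 1.0 and 1.1 with old clients.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# After: only the versions the browsers will keep supporting.
# TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later; drop it if yours is older.
ssl_protocols TLSv1.2 TLSv1.3;
```

After reloading, confirm from the outside that `openssl s_client -connect yourhost:443 -tls1_1` fails to complete a handshake while `-tls1_2` still succeeds. The caveat is the long tail of clients that only speak TLS 1.0 or 1.1 (old embedded devices, ancient Android builds, Windows XP-era Internet Explorer); look at your access logs for them before you cut them off, not after.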

Bug in newly released iOS 12.0.1 gives access to your photos

Another passcode bypass, discovered by the same person who found the last one. Looking at the steps involved, I'm curious how he finds these vulnerabilities; kudos to him.

US arrests alleged Chinese spy, accused of stealing US aviation secrets

The arrest happened in my home country of Belgium, no less. The intelligence officer recruited engineers from US aviation firms to travel to China and hand over blueprints.

Apple launches portal for US users to download their data

This was previously launched for EU users, under the GDPR, but is now also available to US users.

A mysterious grey-hat is patching people's outdated MikroTik routers

He's patched over 100,000 vulnerable routers, leaving a note about the fixed vulnerability and a Telegram channel for questions. A vigilante with a helpline, I can't help but get a kick out of it.

Curated feed of WordPress security news

If you're into the WordPress ecosystem: this site aggregates WordPress-related security news in daily or weekly e-mails and feeds.

How I hacked modern vending machines

Fun article on how the author went about hacking the Android payment app for a vending machine.

The illustrated TLS connection: every byte explained

Fantastic post, going through every step of a TLS connection, showing every byte that's involved and explaining what it does.
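If you want to follow along with the post in code, here is a byte-by-byte parser for the first thing on the wire, the ClientHello record. This is an added example written for this issue, not code from the linked post: the record bytes are constructed by hand (the 32-byte random is a fixed pattern rather than real randomness, and the hostname is example.com), and the field layout follows the TLS record and handshake formats. It also reports which protocol versions the client offers, which ties in with the TLS 1.0/1.1 retirement above.

```python
"""Parse one TLS ClientHello record byte by byte (added example, not from the linked post)."""
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
RETIRED = {"TLS 1.0", "TLS 1.1"}
CONTENT_HANDSHAKE, HANDSHAKE_CLIENT_HELLO = 22, 1
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002b

# Constructed ClientHello (one record), annotated field by field; lengths are in bytes.
CLIENT_HELLO = bytes.fromhex(
    "16 0301 0052"                          # record: handshake(22), legacy version TLS 1.0, length 82
    "01 00004e"                             # handshake: ClientHello(1), length 78
    "0303"                                  # legacy client_version: TLS 1.2
    "00010203 04050607 08090a0b 0c0d0e0f"   # 32-byte random (fixed pattern for the demo)
    "10111213 14151617 18191a1b 1c1d1e1f"
    "00"                                    # session_id: length 0
    "0006 1301 c02f 000a"                   # cipher_suites: 6 bytes = 3 suites
    "01 00"                                 # compression_methods: 1 byte, null
    "001f"                                  # extensions: total length 31
    "0000 0010 000e 00 000b 6578616d706c652e636f6d"   # server_name: "example.com"
    "002b 0007 06 0304 0303 0301"                     # supported_versions: 1.3, 1.2, 1.0
)


class Reader:
    """Bounds-checked cursor over a byte string; every read fails loudly on truncation."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u24(self) -> int:
        b = self.take(3)
        return (b[0] << 16) | (b[1] << 8) | b[2]

    def done(self) -> bool:
        return self.pos == len(self.data)


def version_name(v: int) -> str:
    return VERSION_NAMES.get(v, f"0x{v:04x}")


def parse_client_hello(data: bytes) -> dict:
    """Walks record header, handshake header and ClientHello body, checking every length."""
    rec = Reader(data)
    if rec.u8() != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    record_version = rec.u16()
    body = Reader(rec.take(rec.u16()))            # record length bounds the handshake message
    if not rec.done():
        raise ValueError("trailing bytes after record")
    if body.u8() != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = Reader(body.take(body.u24()))         # handshake length bounds the ClientHello
    client_version = hello.u16()
    random = hello.take(32)
    session_id = hello.take(hello.u8())
    suites = Reader(hello.take(hello.u16()))
    cipher_suites = []
    while not suites.done():
        cipher_suites.append(suites.u16())
    compression = list(hello.take(hello.u8()))
    extensions = {}
    exts = Reader(hello.take(hello.u16()))
    while not exts.done():
        ext_type = ext_type_raw = exts.u16()
        ext = Reader(exts.take(exts.u16()))
        if ext_type == EXT_SERVER_NAME:
            names = Reader(ext.take(ext.u16()))
            names.u8()                            # name_type 0 = host_name
            extensions["server_name"] = names.take(names.u16()).decode("ascii")
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            versions = Reader(ext.take(ext.u8()))
            offered = []
            while not versions.done():
                offered.append(version_name(versions.u16()))
            extensions["supported_versions"] = offered
        else:
            extensions[f"ext_{ext_type_raw:#06x}"] = ext.take(len(ext.data)).hex()
    if not hello.done():
        raise ValueError("trailing bytes after extensions")
    return {
        "record_version": version_name(record_version),
        "client_version": version_name(client_version),
        "random": random.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": cipher_suites,
        "compression_methods": compression,
        "extensions": extensions,
    }


def retired_versions_offered(parsed: dict) -> list:
    """Versions the client is willing to speak that the browsers are retiring."""
    offered = parsed["extensions"].get("supported_versions") or [parsed["client_version"]]
    return [v for v in offered if v in RETIRED]


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    for key, value in hello.items():
        print(f"{key:>20}: {value}")
    print("retired versions offered:", retired_versions_offered(hello))
```

Two details worth noticing as you step through it: the record layer still says TLS 1.0 and the ClientHello still says TLS 1.2 even for a TLS 1.3 client, because the real version negotiation moved into the supported_versions extension; and every nested length is used to bound the next reader, so a malformed or truncated message raises instead of reading past its field.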


1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.

Application layer security for modern teams

Both startups and enterprises use Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.