Headline
Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
Jessica Haworth 13 January 2023 at 18:31 UTC
Updated: 16 January 2023 at 14:29 UTC
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.
The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.
“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.
“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”
Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.
The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.
It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.
And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.
The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.
However it ultimately found that it was able to recover nearly 14,000 employee passwords, – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.
Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.
Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:
Web vulnerabilities
- Cisco / Critical / RCE, authentication bypass vulnerabilities / Disclosed with patch, January 11
- CKEditor / Critical / CSRF vulnerability in CKEditor can lead to RCE (remote code execution) in XWiki / Patched in CKEditor Integration version 1.64.3
- Mozilla / Moderate / Attacker could inject markup due to the fact Firefox failed to implement the unsafe-hashes CSP (content security policy) directive / Disclosed with patch, December 13
- VMWare / Critical / Command injection, directory traversal vulnerabilities / Patched in VMWare vRealize Network Insight v6.8
- Zoom / Medium, High / Path traversal, local privilege escalation bugs for Windows, Android, MacOS clients / Patched January
Research and attack techniques
Researchers from Sonarsource discovered a command injection vulnerability as well as an authentication bypass vulnerability in open source web-based monitoring tool Cacti which allowed unauthenticated exploitation.
A malicious Python file found on the PyPi repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
Also concerning PyPi, researcher Tom Forbes found 57 valid AWS keys present on the Python package index belonging to Amazon, Intel, and other organizations by scanning new packages with GitHub Actions.
A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks. Bug bounty/vulnerability disclosure
Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022. New open source infosec/hacking tools
GCP Goat is a vulnerable cloud infrastructure tool featuring the latest released OWASP Top 10 web application security risks and other misconfiguration, designed to help test developers test their code in a cloud environment.
Another cloud-based tool, PEACH is a tenant isolation framework for cloud applications to help protect against malicious actors accessing “data belonging to other customers”, for example, in cases such as ChaosDB, ExtraReplica, and AttachMe.
Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs. For devs
Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”. For fun
Finally, SplendidData’s bonkers bug bounty program policy was subject to online infosec scrutiny recently.
The rules date back to at least early 2021, however it still sparked a lively discussion thread on Twitter over the last week as some of its questionable terms were highlighted.
Its policy boasts guidance such as ‘we will not respond to your request’ and that the company ‘cannot guarantee’ that no legal action will be taken, even if the vulnerability was disclosed responsibly.
Unsurprisingly, this spread like wildfire on infosec Twitter with one user called TJ joking: “I like the “we MIGHT sue you, idk” aspect… adds a little excitement to life.”
RECOMMENDED Prototype pollution-like bug variant discovered in Python