Web attack vector closed after failed fix

Web attack vector closed after failed fix

Gartner has patched a DOM XSS vulnerability found in the Peer Insights widget, a security bug researchers reckon dates back to the original development of the software.

In a technical write-up of the flaw, penned by Justin Steven, the software security researcher said that “many websites” were made vulnerable to DOM-based cross-site scripting (XSS) when the widget was present.

Catch up on the latest security research-related news and analysis

The Gartner Peer Insights widget is a marketing tool described as “an aggregated, real-time view of a vendor’s review and ratings in a particular market on Gartner Peer Insights” that industry vendors are invited to host on their site to add market “credibility and drive conversions”.

When a website uses the Gartner widget, it sources widget.js from gartner.com and then creates an event listener for postMessage messages before creating a div for the widget to be displayed in.

A hidden iframe pointed at the Gartner.com domain requests a specific page from gartner.com which would send a postMessage message to the patent page. This message data would be used in constructing HTML content to be populated into the widget’s content div via a function called innerHTML.

**Substring shenanigans**

Verification occurs through a check for the string “gartner.com” appearing in the origin of the sending website. However, the check could be bypassed by launching an attack from a website such as https://gartner.com.attacker.com, as this still would meet the substring criteria.

Furthermore, the researcher described innerHTML as a DOM XSS “sink” as several XSS triggers would fire upon injection. For example, if a victim visited a malicious website, a crafted message could be pushed via window.postMessage().

“This crafted message could have injected active content, executing arbitrary JavaScript in the context of the website,” Steven said. ”This could have allowed the malicious website to violate the confidentiality and integrity of user data held in the context of the victim site, and allowed it to display arbitrary and harmful content such as a phishing form.”

The attack doesn’t involve sending traffic to the victim website or gartner.com. Instead, this is a client-side attack taking place within a browser window.

Proof-of-Concept (PoC) code, exploit test pages, and a YouTube video demonstrating the bug are now public. Websites previously impacted included Black Kite, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, and Vodafone, among others.

Steven analyzed code from 2022, but after examining an archived version of the widget said, “it appears to have been vulnerable to the DOM XSS issue from its inception”.

**Patch and patch again**

Gartner was notified about the problem on November 4, 2022. Four days later, the analyst firm acknowledged the report and asked if the researcher would like to submit the problem to its private bug bounty program on HackerOne.

BACKGROUND Learn about DOM-based XSS on the Web Security Academy

A tactical fix was released on December 19, followed by a “complete repair” in January. However, Steven provided evidence that these initial patches could be bypassed. So, new fixes were released on January 26 and February 2 to resolve the DOM XSS.

Steven said he wished to post his work as a public advisory. However, Gartner said a bug bounty would not be offered if the research was “publicly disclosed outside the HackerOne program”, and therefore, the researcher declined the offer of a bug bounty, leading to public disclosure on February 3.

**Magic quadrant**

Speaking to The Daily Swig, Steven said that organizations should consider conducting frequent security reviews of third-party, front-end JavaScript code, which includes widgets, analytics code, trackers, ads, customer support chat, and other functions. Alternatively, they should seek assurance about their vendor’s security process.

In any case, the integrity of existing code and risk factors should be considered when implementing new front-end features, according to Steven.

The Daily Swig has reached out to Gartner and we will update this story if and when we hear back.

YOU MAY ALSO LIKE XSS Hunter reborn with added features including CORS misconfig detection

DOM XSS vulnerability in Gartner Peer Insights widget patched

Hacker praises carmaker’s prompt response to the (mercifully) good-faith pwnage

Adam Bannister 07 February 2023 at 17:34 UTC  
Updated: 07 February 2023 at 17:38 UTC

Hacker praises carmaker’s prompt response to the (mercifully) good-faith pwnage

A security researcher said he hacked into Toyota’s supplier management network and was able to access sensitive data associated with around 3,000 suppliers and 14,000 users worldwide.

Eaton Zveare compromised a web application used by Toyota employees and suppliers to coordinate projects, and containing details about parts, surveys, and purchases. Notable partners and suppliers found on the system included Michelin, Continental, and Stanley Black & Decker.

The researcher ultimately gained access to the Japanese carmaker’s Global Supplier Preparation Information Management System (GSPIMS) as a system administrator via a backdoor in the login mechanism.

RELATED Car companies massively exposed to web vulnerabilities

A malicious breach could have exposed comments made by Toyota employees about suppliers and supplier rankings by risk and other variables, said Zveare.

Zveare described the security hole, which Toyota patched quickly, as “one of the most severe vulnerabilities I have ever found”.

**Return true;**

The path to exploit began by patching the JavaScript code in GSPIMS, an Angular, single-page application created by SHI International Corp on behalf of Toyota.

“Developers control access to Angular routes/pages by implementing CanActivate and CanActivateChild,” said Zveare in a blog post published yesterday (February 6). “Basically, when a user attempts to navigate to a route/page, you would determine if they are allowed to view it, and then return true or false. By patching both to return true, you can usually fully unlock an Angular app.”

He added: “The logout code also needed to be removed to prevent a redirect back to the login page. With those patches applied, the app loads and can be browsed.”

Zveare, who has previously pwned Jacuzzi’s SmartTub app, then leveraged the backdoor via a HTTP request, which surrendered a JSON Web Token with an email, but no password, provided.

The API was used for an ‘Act As’ feature that allowed high privileged users to log in as any global user.

Finding a valid email only required a little Googling of Toyota personnel, since Toyota used a predictable format in North America (firstname.lastname@toyota.com).

**Total, global control**

Initially logged in as a user with a ‘Mgmt – Purchasing’ role, Zveare eventually made it to SysAdmin after finding a rolePrivileges node in the user/details API response, then a findByEmail API endpoint that detailed a user’s managers.

Based on the additional tabs that appeared within the application, it was clear that “with a System Admin JWT, I basically had total, global control over the entire system”, said Zveare.

DON’T MISS Tesla tackles CORS misconfigurations that left internal networks vulnerable

Therefore an attacker could have deleted, modified or leaked data, and abused the data to craft spear phishing campaigns.

Threat actors could have also “added their own user account with an elevated role, to retain access should the issue ever be discovered and fixed”, suggested Zveare.

**Bounty recommendation**

The researcher alerted Toyota to the backdoor on November 3, 2022, and the carmaker responded the same day, before confirming on November 23 that the issue had been fixed.

Toyota and SHI fixed the issue by making the createJWT and endpoints return ‘HTTP status 400 – Bad Request’ in all cases.

“I was glad Toyota recognized the severity of the issue and quickly fixed it,” told The Daily Swig. “Toyota is a huge corporation and it seems like their security team is set up to efficiently address vulnerabilities across all aspects of the company.

“A bounty payment would have been nice, but they did not offer one in this case. I hope they will consider changing this in the future. Recognition is always appreciated, but offering rewards is how you attract top talent and keep exploits off the black market.”

The Daily Swig has invited Toyota to comment – no response yet but we will update the artice if and when they do so.

RECOMMENDED Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’

Toyota sealed up a backdoor to its global supplier management network

Plan to create boundary between JavaScript objects and their blueprints gathers momentum

Plan to create boundary between JavaScript objects and their blueprints gathers momentum

Software engineers at Google have put forward a proposal that promises to clamp down on prototype pollution, a class of vulnerability that has become a scourge of web security.

Prototype pollution is a JavaScript language flaw that allows attackers to manipulate objects they don’t control or don’t have access to at runtime. The problem arises from the lack of a clear boundary between objects (which are used to hold data at runtime) and their blueprints (which determine how those objects should behave).

BACKGROUND Prototype pollution: The dangerous, underrated bug impacting JavaScript applications

The Google-backed proposal – which has been submitted for ratification to TC39, a technical working group – aims to create a boundary between JavaScript objects and blueprints. The technology works by “removing the pathways that allow attackers to jump from objects to blueprints”.

Technical details of the proposal have been posted on GitHub.

**Opt-in secure mode**

As explained in the GitHub post, the “proposal seeks to mitigate prototype pollution by introducing an opt-in secure mode that makes prototypes impossible to access using string property keys, instead requiring they be accessed with methods (Object.getPrototypeOf) or the proposed new symbol property keys”.

Santiago Diaz, co-author of the proposal, told The Daily Swig: “The goal is to break known exploit techniques, while being as compatible as possible with existing codebases, so that the mitigation can be adopted widely on the internet.”

TC39, a working group responsible for maintaining the JavaScript specification, last week gave the green light to proceed from stage 0 to stage 1, beginning the next phase in its five-part journey towards ratification.

Diaz explained: “The significance of this is that TC39 sees pollution as a problem worth looking into (and hopefully solving). Over the course of the next months, we’ll be iterating on the specific aspects of the proposal and doing the engineering to find the right balance of trade-offs and hopefully make it palatable both for TC39 members and for developers to adopt.”

Once a proposal reaches the final stage (stage 4), the proposal is deemed final and browser vendors can make changes in their software. “This in turn, signals \[to\] developers to start adopting this new mitigation and roll it out to production,” Diaz concluded.

**Symbol solution**

Gareth Hayes, a security researcher at PortSwigger, the parent company of The Daily Swig, expressed interest in the proposals.

“This is a proposal to prevent prototype pollution by giving the developer the ability to remove properties like \_\_proto\_\_ by executing some code that enables a secure mode and removes these properties,” Hayes said.

“They propose using symbols to enable the site to continue to use \_\_proto\_\_ functionality so a site doesn’t break and an attacker couldn’t supply these symbols as it would require JavaScript execution.”

The Google proposal is not the first of its kind. However, existing solutions for preventing unintentional changes to prototypes like Object.freeze, preventExtensions, and seal have a number of “downsides that make them difficult to deploy”, according to Google’s blog post, which outlines these drawbacks.

RELATED Prototype pollution-like bug variant discovered in Python

Google engineers plot to mitigate prototype pollution

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

Adam Bannister 03 February 2023 at 16:36 UTC  
Updated: 03 February 2023 at 16:37 UTC

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

Security analysis tool Binwalk itself poses a security risk to users running out-of-date versions due to a path traversal vulnerability that could lead to remote code execution (RCE).

Binwalk is a popular command-line tool in Linux that is used for analyzing, reverse engineering, and extracting firmware images.

The path traversal issue requires users to open a “malicious file with binwalk using extract mode ( option)” so user interaction is required, according to a security advisory published by Quentin Kaiser of ONEKEY Research Lab.

The flaw is tracked as CVE-2022-4510 and classified as high severity (CVSS 7.8).

**Root cause**

The vulnerability was introduced by the merging of the Professional File System (PFS) extractor plugin with binwalk in 2017, and arises because an attempt to mitigate path traversal risk with failed.

The upshot is that six years later, Kaiser discovered that “by crafting a valid PFS filesystem with filenames containing the traversal sequence, we can force binwalk to write files outside of the extraction directory”.

PFS is an obscure filesystem format occasionally found in embedded devices.

**‘Environment agnostic’**

Kaiser targeted binwalk’s plugin system in a bid to achieve an “environment agnostic” path to RCE.

Plugins load on all binwalk scans once they are dropped into the Python tool’s plugin directory.

“So, if we exploit the path traversal to write a valid plugin at that location, binwalk will immediately pick it up and execute it while it’s still scanning the malicious file,” Kaiser explained. “On top of that, the PFS extractor will take care of creating all required directories if they do not exist, so we don’t need to expect anything from the system we’re running on.”

Kaiser crafted a malicious plugin that “executes two times since it does not define an explicit MODULE attribute that defines its purpose (e.g., signature scan, entropy calculation, compression stream identification). I take advantage of that behavior to make it clean up after itself.”

Vulnerable versions span 2.1.2b through 2.3.3 inclusive. The vulnerability was addressed yesterday (February 2) with the release of binwalk version 2.3.4 – more than three months after ONEKEY said it first contacted the tool’s maintainer, Microsoft-owned Refirm Labs, and provided a suggested patch, in October 2022.

**Yaffshiv**

Kaiser’s research also uncovered similar, medium severity CVEs affecting other filesystem extractors, namely the ubi\_reader, Jefferson, yaffshiv projects.

Kaiser warned that even fully up-to-date binwalk instances were potentially vulnerable to the same exploit chain because yaffshiv is installed and enabled by default on binwalk, except the attack vector would be YAFFS instead of PFS.

“Yaffshiv is maintained by the team behind binwalk so we hope a fix will be available soon,” Kaiser told The Daily Swig.

“Writing secure format parsers and extractors is a complex task (believe us, we've been working on exactly those issues with \[our own extraction suite\] Unblob) so it's not a surprise that we found these kinds of vulnerabilities in binwalk given the amount of format it supports.”

**Salutary reminder**

The research serves as a salutary reminder that security tools can themselves contain security holes. “This especially becomes critical in forensic analysis and reverse engineering where we are commonly faced with untrusted, potentially malicious files,” said Kaiser.

“While the path traversals described in this article have the potential to void any reverse engineering efforts and to tamper with evidence collected, they also demonstrate the importance of sandboxing analysis environments to limit the impact of such vulnerabilities. Especially with the rise of automated extraction and analysis tools relying on tools like binwalk (e.g., FACT, ofrak, EMBA), it’s important for developers and users of those solution to be aware of the risks.”

Kaiser hinted that ‘D-Link RomFS’ plugin could be his next focus for research as it “is probably affected by a similar vulnerability”.

The Daily Swig has approached Refirm Labs for comment. We will update this article if and when they respond.

MORE RELATED RESEARCH WAGO fixes config export flaw threatening data leak from industrial devices

Serious security hole plugged in infosec tool binwalk

Popular hacking aid resurrected following end-of-life announcement

Popular hacking aid resurrected following end-of-life announcement

XSS Hunter now has a home at Truffle Security, which has launched a new version of the tool after its original creator declared that he will be deprecating it in February.

XSS Hunter is a popular open source tool for identifying cross-site scripting (XSS) bugs in websites. An online version was previously maintained by its creator Mandatory (Matthew Bryant).

The new version, hosted on Truffle Security’s domain, is an open source fork of the original code with new features and enhanced security.

**Privacy concerns**

XSS is a very common vulnerability, accounting for 23% of bug reports submitted to bug bounty platform HackerOne, for example.

“The most popular tool for looking for XSS aside from manual testing is XSSHunter,” Dylan Ayrey, co-founder of Truffle Security, told The Daily Swig. “It’s an extremely valuable tool to the community, but it also had risks.”

Many users of XSS Hunter would accidentally send sensitive data to the platform and possibly cause data leakage. Ayrey had previously stumbled on 50,000 Google user records while working with the old XSS Hunter, which became the topic of a talk he gave at Black Hat 2022.

“As long as Mandatory was in charge of the service, I wasn’t concerned with what the platform might do with that data collected,” Ayrey said.

“But we were concerned after the EOL \[end of life\] was announced, another tool might have come along to replace it with operators that may have had different intentions with the data collected.”

Read more of the latest news about web hacking tools

The new XSS Hunter tool blurs screenshots captured by the platform to protect sensitive information rendered by the XSS payload. It has also removed support for full DOM capture and enforces Google SSO login to improve account security.

Regarding the deprecation of the old service, Mandatory told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service.

“Ideally I’d like to be storing zero vulnerability information for XSS hunter users, which this deprecation will achieve,” he said.

Mandatory described Truffle Security’s fork as “a step in the right direction” and said: “I think the fact that Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests is a good sign.”

**New features**

Truffle Security has added support for detecting other kinds of vulnerabilities, including cross-origin resource sharing (CORS) misconfigurations that would allow external sites to view and extract data from internal domains. CORS vulnerabilities can be especially damaging, as Truffle Security recently discovered while investigating different internal corporate networks.

Truffle Security has integrated the lite version of its TruffleHog tool into the new XSSHunter, enabling it to scan HTML pages for secrets such as AWS, GCP, and Slack keys. It will also scan tested websites for source code leaks via .git directories.

“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities within the XSS Hunter tool,” Ayrey said.

Ayrey said Mandatory was supportive of the effort and helped out in the process. Truffle Security plans to add more features to XSS Hunter in the future, including adding a more complete version of TruffleHog.

Mandatory, who described XSS Hunter as his long time passion project, will continue to maintain the open source xsshunter-express repository “more dutifully in the future to support those who wish to self-host their own instance”.

“When I first built the service many people didn’t really believe that blind XSS was a ‘real’ concern,” he said. “Today I don’t think anyone doubts the pervasiveness and severity of these vulnerabilities, so it has pretty much achieved what it was meant to do.”

YOU MAY ALSO LIKE Meet TruffleHog – a browser extension for finding secret keys in JavaScript code

Truffle Security relaunches XSS Hunter tool with new features

Printer exploit chain could be weaponized to fully compromise more than 100 models

Charlie Osborne 01 February 2023 at 12:18 UTC  
Updated: 01 February 2023 at 13:26 UTC

Printer exploit chain could be weaponized to fully compromise more than 100 models

A security researcher dropped a zero-day remote code execution (RCE) chain of vulnerabilities affecting Lexmark printers after claiming the disclosure reward he was offered was “laughable”.

Independent researcher Peter Geissler (@bl4sty) said that public disclosure of the bug, a zero-day flaw at the time of release but now patched, was preferable to the report being sold “for peanuts”.

In a tweet dated January 10, Geissler published a link to a GitHub repository containing information on the vulnerability chain.

The exploit was tested against firmware version CXLBL.081.225, and while entered into Pwn2Own Toronto 2022 – ran by the Zero Day Initiative (ZDI) – the attack was unsuccessful during demonstrations.

**‘Seemingly harmless’ functions**

However, according to the researcher’s writeup, several isolated or “seemingly harmless” functions could be exploited to “eventually fully compromise the device”.

These functions included file upload and file copy primitives, alongside a daemon related to SOAP web services that could be abused to make an HTTP callback to an attacker’s selected endpoint, resulting in server-side request forgery (SSRF).

DON’T MISS Deserialized roundup: ‘Catastrophic cyber events’ and T-Mobile, LastPass troubles

“When the callbacks are being made the software does not do any sanity-checking on the destination of the callbacks, thus it is possible to send callbacks to arbitrary hosts, including the printer itself,” Geissler explained.

Furthermore, a process called /auto-fwdebugd could be exploited due to a failure to sanitize inputs from a first-in, first-out system, causing a command injection bug.

By chaining the above, it was possible to achieve RCE.

**Patch available**

In a security advisory released on January 23, Lexmark said the issue, tracked as CVE-2023-23560 (CVSSv3 9.0) and released under one CVE assignment, impacts over 100 models but has now been patched.

The company said there is no evidence of malicious use in the wild. When approached for comment, Lexmark said: “Lexmark became aware of details of this vulnerability when it was publicly disclosed. We have provided a patch to our customers.

“We encourage anyone who identifies a vulnerability which may affect a Lexmark product to report it to Lexmark Security Advisories. This vulnerability management approach is one reason Lexmark is consistently named a leader in print security by industry analysts.”

Geissler says that while the exploit chain didn’t fully function during the competition – potentially due to different configurations on the test printer – ZDI did offer to purchase the security flaws. However, the amount was “laughable” and Geissler “promptly forgot about their offer”.

Read more news about the latest web security vulnerabilities

Speaking to The Daily Swig, Geissler explained that the amount offered by ZDI was a “small fraction” of the original reward as someone else during the competition successfully targeted the printer with a different chain of bugs.

When asked for his motivation beyond securing a payout to release his findings, Geissler commented: “If you sell to them you cannot publish anything until the bug(s) have been fixed by \[the\] vendor, afaik \[as far as I know\] that’s the only real (reasonable) restriction for publication.”

**Disclosure**

According to the researcher, Lexmark was not notified before the zero-day’s release for two reasons.

First, Geissler wished to highlight how the Pwn2Own contest is “broken” in some regards, as shown when low monetary rewards are offered for “something with a potentially big impact” – such as an exploit chain that can compromise over 100 printer models.

Furthermore, he said that official disclosure processes are often long-winded and arduous.

“In my experience, patching efforts by the vendor are greatly accelerated by publishing turnkey solutions in the public domain without any heads up whatsoever,” Geissler noted.

“Lexmark might reconsider partnering with similar competitions in the future and opt to launch their own vulnerability bounty/reward program.”

YOU MAY ALSO LIKE Facebook two-factor authentication bypass bug earns researchers $27k

Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’

New web targets for the discerning hacker

Adam Bannister 31 January 2023 at 15:13 UTC  
Updated: 31 January 2023 at 15:23 UTC

New web targets for the discerning hacker

A bypass of Facebook’s SMS-based two-factor authentication (2FA) made it into Meta’s most impressive bug bounty finds of 2022.

However, it seems Facebook’s parent company initially didn’t fully appreciate the vulnerability, offering a $3,000 bounty before eventually revising the reward upwards to $27,200.

“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” security researcher Manoj Gautam told The Daily Swig.

In other bug bounty news this month, a hacker duo documented Google Cloud Platform (GCP) research that resulted in six payouts totalling more than $22,000.

The most lucrative find for Sreeram KL and Sivanesh Ashok led to a double $5,000 reward for a server-side request forgery (SSRF) bug and subsequent patch bypass in machine learning platform Vertex AI.

Outlined across four blog posts, their bug bounty exploits also included an SSH key injection issue in Google Cloud’s Compute Engine and flaws in Theia and Cloud Workstations.

Cross-origin resource sharing (CORS) misconfigurations were the focus of a third bug bounty writeup covered by The Daily Swig this month.

Exploits fashioned for multiple private programs – notably including Tesla – earned Truffle Security researchers a “few thousand dollars” and vindicated their hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS \[cross-origin resource sharing\] misconfigurations”.

Fresh hacking opportunities on the horizon, meanwhile, include The US Department of Defense (DoD)’s third annual Hack The Pentagon challenge and the Zero Day Initiative’s (ZDI’s) inaugural Pwn2Own Automotive, slated for January 2024.

**The latest bug bounty programs for February 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**8x8**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$1,337

**Outline:  
**The US provider of business communication technologies has invited hackers to probe its websites, mobile apps, and services such as Jitsi, its open source video meeting software.

**Notes:  
**Despite the relatively modest top bounty on offer, 8x8 has already paid out more than $90,000 in bounties within a month of its launch.

Check out the 8x8 bug bounty page for more details

**Hedera Hashgraph**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$30,000

**Outline:  
**Hedera Hashgraph describes itself as “a responsibly governed decentralized network”, with the Hedera Governing Council comprising “enterprises, web3 projects, and prestigious universities”.

**Notes:  
**There are seven assets in scope including services and mirror node codebases, Java and JavaScript SDKs, testnet API endpoints, and testnet mirror node APIs.

Check out the Hedera Hashgraph bug bounty page for more details

**Hyperlane**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$2.5 million

**Outline:  
**Hyperlane describes itself as a modular interoperability platform, empowering developers to build interchain applications, apps that can easily and securely communicate between blockchains.

**Notes:  
**The life-changing maximum reward is on offer for critical bugs on smart contracts, whereas application flaws can command payouts of up to $20,000.

Check out the Hyperlane bug bounty page for more details

**Kiwi.com**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Czech online travel agency Kiwi.com provides a fare aggregator, metasearch engine, and booking function for airline tickets and ground transportation.

**Notes:  
**In-scope targets include the main website, kiwi.com; tequila.kiwi.com; jobs.kiwi.com; source code; APIs and internal tools; and mobile applications.

Check out the Kiwi.com bug bounty page for more details

**Net+**

**Program provider:  
**GObugfree

**Program type:  
**Mix of public and private

**Max reward:  
**CHF5,000 ($5,389)

**Outline:  
**Netplus.ch, which provides internet, telephony, and TV services to more than 220,000 users in Switzerland, is paying between CHF 2,000-5,000 for critical bugs.

**Notes:  
**New targets are initially restricted to the private program for a period of initial testing, before being opened up to the broader hacking community within the public program.

Check out the Net+ private and public bug bounty pages for more details

**Open-Xchange (OX) App Suite**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**Open-Xchange’s OX App Suite is an open source email and productivity suite that purports to favor security by default rather than security through obscurity.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the OX App Suite bug bounty page for more details

**Open-Xchange Dovecot**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**Dovecot is Open-Xchange’s IMAP, POP3, and submission server for email, used within multiple operating systems and by “millions of operators”.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the Dovecot bug bounty page for more details

**Open-Xchange PowerDNS**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**PowerDNS is a DNS server that enables domain resolution and network security features.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the PowerDNS bug bounty page for more details

**S-Pankki**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The Finnish bank is offering up to $4,000 for critical vulnerabilities, $2,000 for high severity flaws, and $1,000 for medium severity bugs.

**Notes:  
**There are 11 assets in scope, including nine domains plus iOS and Android mobile applications.

Check out the S-Pankki bug bounty page for more details

**Superbet**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The Romanian online gaming company is offering a maximum of $2,000 for critical bugs, $1,000 for high severity issues, and $250 for medium impact vulnerabilities.

**Notes:  
**Just the one asset in scope: the.superbet.ro domain.

Check out the Superbet bug bounty page for more details

**Swiss Bankers**

**Program provider:  
**GObugfree

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**Swiss Bankers is a financial services firm specializing in prepaid credit cards, mobile payment, and money transfer.

**Notes:  
**Hackers can participate by invitation only.

Check out the Swiss Bankers bug bounty page for more details

**Threema (Enhanced)**

**Program provider:  
**GObugfree

**Program type:  
**Public

**Max reward:  
**CHF10,000 ($10,778)

**Outline:  
**Swiss instant messenger service Threema has upped maximum payouts from CHF4,000 ($4,311) To CHF10,000 ($10,778) after launching the program in May 2022.

**Notes:  
**This news comes after the privacy-focused software disputed claims that there were several security flaws in its encrypted messaging platform.

Check out the Threema bug bounty page for more details

**TRON DAO**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**TRON DAO is an open source platform for creating decentralized applications, new financial primitives, and interoperable blockchains.

**Notes:  
**TRON’s Java source code is currently the sole asset in scope.

Check out the TRON DAO bug bounty page for more details

**Wato-soft**

**Program provider:  
**GObugfree

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**Swiss IT services firm specializing in Enterprise resource planning (ERP) software.

**Notes:  
**Hackers can participate by invitation only.

Check out the Wato-Soft bug bounty page for more details

**Other bug bounty and VDP news this month**

*   An Amazon virtual hacking event with HackerOne was the platform’s highest paying virtual event ever, with more than 50 security researchers collectively earning $832,135. The 10-day hackathon’s overall winner was @jonathanbouman, while ‘Best Team Collaboration’ went to ‘spacebaffoons’ @the\_arch\_angel, @spaceraccoon, and (one time Daily Swig interviewee) @ajxchapman
*   As referenced in our latest Deserialized roundup, Intigriti has flagged a Belgium-wide safe harbor clause in the country’s proposed whistleblower law, and a New Scientist feature on a mathematical means of demonstrating valid exploits without risking public disclosure
*   Finally, YesWeHack has penned a how-to on using Burp Suite extension Highlighter And Extractor (HaE) to surface vulnerabilities via regular expressions

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for January 2023

Bug Bounty Radar // The latest bug bounty programs for February 2023

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Adam Bannister 27 January 2023 at 16:48 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

“A far-reaching, catastrophic cyber event is likely in the next two years” according to 93% of cybersecurity experts and 86% of business leaders polled by the World Economic Forum (WEF).

Geopolitical instability and the enduring shortage of cybersecurity skills are making the situation more precarious and causing firms to rethink their presence in certain regions, revealed the WEF’s Global Cybersecurity Outlook 2023 report, which canvassed the views of 300 experts and C-suite executives.

In the meantime, we’re still seeing plenty of very, very bad cyber-attacks and breaches. Most recently, there’s been another mega breach at T-Mobile (37 million customers affected this time), the theft of source code and ensuing $10 million ransom demand from video games developer Riot Games, and the inadvertent exposure by an airline of the US government’s No Fly List, a roll call of suspected terrorists, from 2019.

The LastPass situation is also continuing to evolve following the November breach of its password vaults in November, with the latest update from the beleaguered password manager admitting that “a threat actor exfiltrated encrypted backups from a third-party cloud storage service”.

While rival services will no doubt spy an opportunity to grow their market share given the market leader’s reputational crash, the hack is also perhaps bringing unprecedented scrutiny to the hitherto highly regarded field. Indeed, The Daily Swig recently reported on how several popular password managers auto-filled credentials on untrusted websites, while Bitwarden responded to renewed criticism of its encryption scheme by enhancing its default security configuration.

A fruitful security audit of Git’s source code is another notable story we covered since the last edition of Deserialized.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   OpenText / Critical / Pre-auth RCEs via cs.exe and Java frontend plus multiple post-authentication vulnerabilities / Disclosed with patch January 17
*   Rancher API / Critical / A patch rolled out in September 2022 failed to stop secrets, encryption keys, and SSH keys from being stored in plaintext directly on Kubernetes objects like Clusters / Disclosed and patched January 26
*   Tiki Tiki CMS / Critical / Unauthenticated attackers could execute arbitrary code by combining CSRF with PHP object injection in the popular open source, wiki-based CMS / Patched August 23, disclosed January 9
*   VMware vRealize Log Insight / Critical / Directory traversal, broken access control, deserialization, information disclosure vulnerabilities / Disclosed with patch January 24
*   Zoho manageEngine / Critical / PoC and in-the-wild exploitation raises the stakes regarding patching on premise Zoho ManageEngine products against this RCE vulnerability after a surfaced / Disclosed and patched October 27

**Research and attack techniques**

*   Vulnerabilities in popular open source health records and medical practice management platform OpenEMR allowed remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data – and worse still, remote code execution (courtesy of Sonar)
*   Jerry Shah recounts how he found an API misconfiguration on a SwaggerUI endpoint in an unnamed web application on a private bug bounty program that leaked the authorization token from local storage
*   ChatGPT lowers the barriers to entry for threat actors with limited programming or technical skills, but state-backed miscreants are unlikely to gain operational efficiencies from the unnervingly sophisticated chatbot tool, according to Recorded Future
*   Maksym Yaremchuk – number 80 on HackerOne’s all-time leaderboard, no less – details a pair of critical severity account takeover exploits fashioned during an engagement with a private bug bounty program
*   GitHub researcher Man Yue Mo achieves arbitrary kernel code execution and root on a Google Pixel 6 mobile phone from an Android app

ChatGPT lowers the barriers to entry for cybercrime but is of little use to state-backed cybercrooks

**Bug bounty / vulnerability disclosure**

*   Security researchers can mathematically prove the existence of a software vulnerability without revealing details that in the wrong hands could lead to malicious exploitation, explains a recent New Scientist feature (paywall)
*   Intigriti has penned a blog post on the safe harbor clause for researchers created by the Belgian Act on the Protection of Whistleblowers
*   The Daily Swig recently reported on the upcoming third annual Hack The Pentagon challenge, CORS misconfigurations at Tesla and other, unnamed programs earning researchers a “few thousand dollars”, and Google Cloud Platform (GCP) project vulnerabilities netting researchers more than $22,000
*   Other recent writeups include a $3,000 bounty for a reflected XSS in Microsoft Forms, while Bug Bounty Switzerland’s inaugural ‘vulnerability of the month’ related to a time-limited private program and thousands of appliances exposed to the internet
*   Bug hunter interviews with British hacker and YouTuber ‘InsiderPhD’ and ‘TodayIsNew’ have been published by HackerOne and Bugcrowd, respectively

**New open source infosec/hacking tools**

*   Gato – or GitHub Attack Toolkit – evaluates the impact of compromised personal access tokens within GitHub development environments. Enables tracking of public repos that use self-hosted runners, which GitHub recommends are only deployed in private repos because otherwise “forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow”
*   Highlighter And Extractor (HaE) – Paris-based crowdsourced security platform YesWeHack has released a Burp Suite extension that collects, categorizes, and highlights requests and/or responses to help detect vulnerable code patterns, errors, reflections, and more in a passive enumeration process
*   PyCript – Another Burp Suite extension, this time allowing the bypassing of client-side encryption via custom logic for manual and automation testing with Python and NodeJS
*   SeeProxy – Golang reverse proxy with CobaltStrike malleable profile validation
*   CVE-2022-47966 Scanner – Assess your exposure to the critical RCE bug affecting at least 24 on-premise ManageEngine products and currently being actively exploited

**More industry news**

*   NIST trails potential updates (PDF) to the NIST Cybersecurity Framework and invites the infosec community to offer feedback
*   In other US federal agency news, the NSA issues IPv6 security guidance (PDF), CISA updates best practices for mapping to Mitre Attack Framework (PDF), and CISA, NSA, and MS-ISAC jointly warn (PDF) of malicious use of legitimate remote monitoring and management (RMM) software
*   Google documents progress on leveraging case randomization of DNS query names sent to authoritative nameservers in order to mitigate the impact of cache poisoning attacks
*   Google also follows through on its intention to drop TrustCor Systems as a root certificate authority (CA) for Chrome, confirming a timetable for ceasing to recognize its certificates
*   Cloud-based cyber-attacks jump 48% year on year as malicious hackers spy opportunities in digital transformation trend – Check Point report

PREVIOUS EDITION Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more

Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Security vulnerability was one of Meta’s top bugs of 2022

Emma Woollacott 27 January 2023 at 11:50 UTC

Security vulnerability was one of Meta’s top bugs of 2022

  

Meta has patched a vulnerability in Facebook that could have allowed an attacker to bypass SMS-based two-factor authentication (2FA).

The bug – which earned its finder a $27,200 bounty – did this by confirming the targeted user’s already-verified Facebook mobile number using the Meta Accounts Center in Instagram.

It exploited a rate-limiting issue in Instagram that enabled an attacker to brute force the verification pin required to confirm someone’s phone number.

Read more of the latest news about web security vulnerabilities

Meta gave users the option of adding their email and phone number to both their Instagram and linked Facebook account, which can be verified through a six-digit code sent by email or SMS.

However, any random six digits can be entered and the request intercepted using a web proxy such as Burp Suite.

“Then, send the above request to the intruder and insert placeholder in the value in order to brute force the confirmation code,” Gautam wrote in his blog post.

“Since, there was no rate-limit protection at all in this , anyone could bypass the contact points verification.”

The endpoint verifying the code was also vulnerable to lack of rate-limit protection says Kathmandu-based security researcher Manoj Gautam, who found the bug.

“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” Gautam tells The Daily Swig.

“Once the attacker adds the victim’s 2FA-enabled phone number \[to\] his Instagram-linked Facebook account, then the 2FA will be turned off or disabled from the victim’s account.”

**Bug patched**

Gautam first reported the issue to Meta on September 14, which fixed it on October 17. The company declared it to be one of the most impactful bugs to have been found during 2022 and awarded a $27,200 bounty – eventually.

“Initially I wasn’t convinced with their bounty decision because it was just $3000. Later, they replied saying to issue the additional bounty amount that will reflect the maximum potential impact in addition to the value of the bug I initially reported,” he says.

“Finally, after 92 days of the report being submitted, I was awarded additional bounty as per new payout guidelines for 2FA bypass. All in all, it was worth waiting for more than 90 days, and I received the highest bounty reward from Facebook.”

YOU MAY ALSO LIKE Ruby on Rails apps vulnerable to data theft through Ransack search

Facebook two-factor authentication bypass issue patched

Several applications were vulnerable to brute-force attacks; hundreds more could be at risk

Several applications were vulnerable to brute-force attacks; hundreds more could be at risk

Poor integration of the Ransack library into Ruby on Rails (RoR) applications could allow attackers to steal information from backend databases, security firm Positive Security has warned.

Ransack allows developers to add object-based search to their Rails applications. Its convenience and flexibility have made it both widely used and problematic, at least from a security perspective.

**Traversing objects through search**

By default, Ransack supports query conditions for associated objects. For example, if you’re running a query on a page that lists blog posts, you can include conditions about the post’s author through its association with the blog object.

Ransack also supports very useful commands that can be appended to field names to filter the results with operators such as ‘starts with’ or ‘contains’. However, used without guardrails this feature can enable malicious actors to easily traverse domains to reach backend database systems.

For example, an attacker can go from the posts table to the users table and try to guess the password hash of a user. The filtering operators enable the miscreant to speed up the process by guessing the hash value one character at a time. A single bcrypt password hash can be extracted within a few minutes and with less than 2,000 requests, the Positive Security researchers found.

YOU MAY ALSO LIKE Trellix automates tackling open source vulnerabilities at scale

“It is a feature, and the problem is with how web applications use this feature, namely invoking the Ransack search function with unrestricted user input as parameters,” Lukas Euler, managing director at Positive Security, told The Daily Swig. “However, the library documentation explicitly recommends this way of using the library.”

A notice was added to the Ransack documentation recently, warning users that “searching and sorting are authorized on any column of your model”. The warning was added after a public discussion began about this problem on GitHub.

**Exploiting Ransack search in the wild**

The researchers found hundreds of potentially vulnerable sites by searching for Ransack patterns in URL datasets. Although they could not verify every single candidate, they were able to confirm the vulnerability in dozens of websites.

“A common pattern we used when exploiting the issue was to use a publicly exposed search feature to look for association chains from the searchable data class to sensitive attributes of the application's user class,” Euler said.

Their most alarming finding was the ability to use Ransack to take over administrator accounts. For example, in fablabs.io, a platform for sharing scientific knowledge, Ransack search queries could give access to the superadmin user’s password reset token (which, due to another poor design decision, did not expire and could be reused).

Catch up with the latest secure development news

“Having access to admin user accounts allowed us to conveniently read and manipulate all of the application's private data for two of the Ruby on Rails applications we tested,” Euler said.

Other popular applications that were found vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program.

The issue has been remediated in all of these projects apart from, it seems, Active Admin, whose vendor, Tidelift, apparently failed to respond to Positive security’s emails. However, a Tidelift representative did respond to our email about the flaw, saying they were unaware of the issue and would investigate.

**Other technologies vulnerable**

In previous work, the researchers had found similar issues in an application that used Hasura, a GraphQL server platform. They were able to extract admin session tokens through a multi-step association chain across different objects.

“Libraries and frameworks generally evolve over time to add more and more features that are often enabled by default, while also trying to keep the integration and usage for simple use cases easy for developers,” Euler said. “As a result, developers often inadvertently integrate many more additional features and attack surface than they expect.”

The lesson, Euler says, is to always research the full feature range of the libraries and frameworks you're using and take steps to minimize your attack surface by disabling anything you don't need.

“This is not exclusive to Ruby on Rails, but RoR might be even more prone to issues like this than other frameworks due to its emphasis on ‘Convention over Configuration’ and making powerful features available behind simple API interfaces,” Euler said.

YOU MAY ALSO LIKE RubyGems trials 2FA-by-default in code repo’s latest security effort

Source

PortSwigger