The automaker closed a hole that allowed a security researcher to gain system administrator access to more than 14,000 corporate and partner accounts and troves of sensitive data.

An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker's global supply chain, gaining control of the global system merely by knowing the email address of one of its users.

Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.

From there he found a system administrator email and logged in to their account, thus gaining "full control over the entire global system," he explained in a blog post about the hack.

Once acting as an administrator, Zveare said he had "full access" to internal Toyota projects, documents, and user accounts, including some of those that belonged to Toyota external partners and suppliers such as Michelin, Continental, Stanley Black & Decker, and Harman.

All in all, the researcher gained read/write access to Toyota's global user directory of more than 14,000 users. Zveare also could access corporate user account details, confidential documents, projects, supplier rankings/comments, and other sensitive data related to those users, he said.

**Significant Supply Chain Threat**

The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company's supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.

Indeed, had a threat actor discovered the issue before him, "the consequences could have been severe," Zveare observed.

The issue could have allowed attackers to create their own user account with an elevated role to retain access should the issue ever be discovered and fixed, or download and leak all the data to which they had access, he said.

They also could have deleted or modified data in a way to be disruptive to global Toyota operations, or crafted a highly targeted phishing campaign to attempt to capture "real corporate login details, which could have exposed other Toyota systems to attacks," Zveare wrote.

The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed — a speedy response with which Zveare was "impressed," he said.

"Out of all the security issues I have reported so far to various vendors, Toyota’s response was the fastest and most effective," he said.

Zveare revealed his research nearly a year after Toyota suffered a major supplychain breach that subsequently forced it to halt production of all 28 lines of its 14 plants in Japan. On Feb. 22, the company reported a cyberattack causing a "system failure" at supplier Kojima Industries that created problems with its just-in-time production control system.

Fortunately for Toyota, the latest breach was an ethical one and, thanks to Zveare's responsible disclosure, the company could fix it before there was any impact on the company or its partners' business, notes one security professional.

"Not all 'breachers' are as responsible as in this case!" observes Henning Horst, CTO of data security specialists at Comforte AG.

**How It Was Done**

Zveare's journey to finding the backdoor wasn't completely straightforward, he acknowledged in his post. Initially he wasn't even sure if the portal — which he said is an Angular single-page application created by SHI International Corp-USA on behalf of Toyota — was a very important entity for the company.

To access the system, first he had to patch JavaScript code of an initial login screen that asks a user to click on a button to identify with which Toyota business they are affiliated. In a previous incident in which he hacked into the Jacuzzi SmartTub app, this action was all that was needed to achieve full access to the network due to an improperly secured API.

However, the GSPIMS API appeared to be secure, which inspired Zveare to further dig into the application code to see what else might be cooking. What he eventually found was that JSON Web Tokens — or session tokens representing the users' valid authenticated sessions on the website — were being generated based on a user's email without requiring a password.

Zveare Googled for Toyota supply chain users and made an educated guess to formulate the email of someone who he thought would be a user of the GSPIMS portal. "Then I fired off the _createJWT_ HTTP request, and it returned a valid JWT!" he wrote.

His discovery gave him the ability to generate a valid JWT for any Toyota employee or supplier registered in GSPIMS, "completely bypassing the various corporate login flows, which probably also enforce two-factor authentication options," Zveare wrote.

Though the user whose email he accessed the system with did not have system administrator privileges, he eventually searched within the GSPIMS to find the email of someone who did, and using that he gained full control of the system as an administrator.

**A Big-Picture Security Approach**

Enterprises have work to do to in order to block the issue Zveare found, security experts say. For starters, security administrators must take a more holistic approach to security and realize the wider impact their overall security posture — or lack thereof — can have on all of the partners and customers with whom they do business.

"What are perceived as 'internal systems' to organizations, no longer are," Dror Liwer, co-founder of cybersecurity firm Coro said in an email statement to Dark Reading. "With partners, suppliers, and employees collaborating via the Internet — all systems should be considered external, and as such, protected against malicious intrusion."

Developing this big-picture perspective and security strategy is not so simple, as most enterprises already have their hands full managing their own company's risk, notes Lorri Janssen-Anessi, director of external cyber assessments for BlueVoyant.

However, considering how easy it was for Zveare to gain access to a system that serves Toyota's global supply chain, companies need to get their heads around this risk to maintain security across any third party that touches their network, she says.

"What today's organizations should take from the reported vulnerability in Toyota's supplier management network is a firm reminder to look at their own vendor and supplier cybersecurity," Janssen-Anessi says.

Among the key measures to consider include shoring up access control and user account privileges, ensuring that they only provide employees and third-parties with access to the data needed for their particular role, she notes. "This helps to control what data can be accessed in the event of a breach," Janssen-Anessi says.

Indeed, a more data-centric approach overall to security could help enterprises avoid or mitigate a scenario that Zveare demonstrated, Comforte AG's Horst observes. He advises that organizations find ways to protect data as soon as it enters their corporate data ecosystem, thus protecting "the data itself rather than perimeters and borders around the data."

Toyota Global Supply Chain Portal Flaw Put Hacker in the Driver's Seat

By Owais Sultan
Since its launch in August 2020, Instagram Reels has become home to a whopping two billion active users.…
This is a post from HackRead.com Read the original post: How Businesses Benefit from Using Instagram Reels

Since its launch in August 2020, Instagram Reels has become home to a whopping two billion active users. This makes the platform a highly lucrative place to promote brands and businesses.

Instagram Reels works like the now-defunct Vine platform, which was once a thriving short-form video service allowing users to share 6-second-long, looping video clips. However, with Instagram Reels, users can create and upload short-form videos, ranging from 15 to 90 seconds, set to music for their followers.

Because of the sheer success of Instagram Reels, both big and small businesses and popular celebrities are actively using the platform to promote their products and brands. At the same time, cybersecurity companies are using the platform to raise awareness about cyber attacks, critical vulnerabilities, and how unsuspecting victims can protect themselves from the online danger of cybercrime.

**Duration of Instagram Reel for Full Effect**

So how long can an Instagram reel be? As of the 2023 update, an Instagram Reel can be up to 90 seconds long for full effect. Longer Reels can provide more opportunities to showcase products, services, and promotions, but it’s important to keep in mind that attention spans are short on social media, therefore it’s best to keep Reels concise and engaging.

**Improved Brand Awareness**

Instagram Reels provide a platform for companies to showcase their brands’ personalities and values. Companies can use Instagram Reels to showcase their products in action, share behind-the-scenes glimpses of their business, and give viewers a taste of the company’s unique culture.

This can help companies build a strong brand image and increase brand awareness. Google, with its 13 million followers, is using Instagram Reels to do just that.

**Cost-Effective Advertising**

Reels provide a cost-effective advertising option for companies, especially for small businesses with limited advertising budgets. What’s best: Reels can be created using a smartphone and do not require editing software or hiring someone skilled at editing videos and recording videos.

Besides, companies can reach a large audience with a fairly small budget, as they can promote their Reels to reach a wider audience through Instagram’s advertising platform.

**Takeaway**

In conclusion, Instagram Reels offers companies a variety of benefits for their marketing and advertising efforts. From increased visibility and engagement to improved brand awareness and increased sales, companies have a lot to gain from using Reels on Instagram.

As a business owner or someone trying to become a social media influencer, take advantage of Instagram Reels to reach a large audience, increase engagement with your followers, and eventually grow your business plus your online presence.

1.  How to Increase Your Views on Instagram
2.  Instagram Account Hacked? Recover it now!
3.  Instagram Growth Tools: Are They Still Relevant?
4.  Why you must install & use Instagram story saver
5.  Facebook, Instagram & WhatsApp Bug Bounty: $40k

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

How Businesses Benefit from Using Instagram Reels

Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.



**Description**

Hello Team while testing the "returnUrl=" parameter on login page it was not vulnerable, but I found another way to get Open Redirect with that parameter

**Proof of Concept**

    Here is the Video POC of this vulnerability
    https://drive.google.com/file/d/1UNnRv-E0bwcWWSFSOSDLoTGEdkH4cIKd/view?usp=sharing
    
    

**Step to Reproduce:**

1.  Login your account on https://mainnet.demo.btcpayserver.org/login
    
2.  Click the link below
    

https://mainnet.demo.btcpayserver.org/recovery-seed-backup?cryptoCode=BTC&mnemonic=above&passphrase=&isStored=false&requireConfirm=true&returnUrl=//evil.com

3.  Check the "I have written down my recovery phrase and stored it in a secure location"
    
4.  Then click Done
    
5.  You will be redirected to evil.com
    

**Impact**

An open redirect vulnerability exists in the affected products. An attacker could trick a validly authenticated user on the device into clicking a malicious link on the device, resulting in phishing attacks.

CVE-2023-0748: Open Redirect on "returnUrl=" parameter in btcpayserver

Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.



**Description**

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

**STEPS\_TO\_REPRODUCE**

    1. Login to your application and create a Store called “Test” make all the other details as default
    2. Navigate to “ Store Settings—>General” Tab 
    3. Under the “Branding” Section there is a “ Choose File” To select a Logo for our Store.
    4. Select “Choose File” Option to Select an Image, Select any “.png” image you want.
    5. Intercept the Post-Request for “Choose File” Option using Burpsuite (MITM-Proxy tool)
    6. Send the above intercepted request to “ Repeater Tab” of Burpsuite.
    7. First delete the Content of uploaded “ png file “ then change the extension from “.png” to “.php” i.e( **filename= "profile-picture.php") and in the Content add the below payload**
    8. Payload: <script>alert(document.domain)</script>
    9. Send this Request after changing the above configuration and “Follow the redirection” in the Burpsuite.
    10. Then Navigate to the Browser and then Reload the Website , you will see that the image is uploaded, but it will not load automatically. So right click on the “store” profile section and choose option “ **open image in new tab**” thus it loads the image in the new tab with our **XSS-Payload POP_UP.**
    

    #NOTE: In order to get how the above steps are done please watch the VIDEO-POC in ascending order for Example
    
    - POC-1
    - POC-2
    - POC-3
    

**Proof of Concept**

    VIDEO-POC
    https://drive.google.com/drive/folders/1VkUcXf1ImfK_fR2y6qhWIlgfZYj8r296?usp=sharing
    

**Impact**

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

CVE-2023-0747: File Upload Type Validation Error lead to Stored XSS in btcpayserver

Five months after AWS customers were alerted about three vulnerabilities, nearly none had plugged the holes. The reasons why underline a need for change.

It's a familiar story: A feature designed for convenience is used to sidestep security measures. In this presentation from Black Hat USA 2021, a pair of researchers show how they found three separate ways to hop between accounts on AWS. Even though fixes for those vulnerabilities were released quickly, the holes reveal that cloud services do not offer the level of isolation expected. The long-term solution may mean changing how the cybersecurity sector handles CVEs.

For the first two isolation breaches, Wiz.io CTO Ami Luttwak and head of research Shir Tamari altered the path prefixes on AWS CloudTrail and Config to allow a user to write to another user's S3 bucket. The third method used the AWS command line to download files from another user's account via the serverless repository.

Sending the logs from several S3 buckets to one is intended for the convenience of an admin who runs several instances, Luttwak and Tamari said in their presentation, "Breaking the Isolation: Cross-Account AWS Vulnerabilities."

"I learned from this behavior that CloudTrail can write to resources that are owned and managed in other accounts," Tamari added. "And for me, a security researcher, there is a concern."

**Customers Notified, So What Happened?**

While Amazon did not have the power to fix the configurations for customers itself — because the fixes involved setting the source account you want, which only the user can decide — it contacted all affected customers to explain the potential problem and how to fix it. Yet when Wiz.io went back after five months, it found that 90% of accounts had not applied the fixes.

Luttwak pointed out that the security team AWS messaged often didn't get the warnings because of the sheer number of accounts they run.

"How do you know this is an important fix to do?" he asked. "And the more we thought about it, the more we understood, this is a big, big problem."

Right now, the system of CVEs allows organizations to check on the latest vulnerabilities, complete with a numerical system of classifying severity and links to vendors' fixes. That works pretty well in most areas of IT. However, cloud vulnerabilities may not get assigned CVE numbers.

"This is because cloud services, as we currently understand them, are not customer controlled," wrote Cloud Security Alliance IT director Kurt Seifried and research analyst Victor Chin. "As a result, vulnerabilities in cloud services are generally not assigned CVE IDs."

**The Amazon Exception**

CVEs take pains to point out that cloud services vulns can indeed receive a CVE ID, as long as the owner of the software is the CVE numbering authority (CNA) reporting them. Rule 7.4.4 says the CNA "may" assign a CVE number if it owns the product or service, even if it is not customer controlled and the fix requires customers to take action.

But here's the sticky wicket: Rule 7.4.5 states, "CNAs MUST NOT assign a CVE ID to a vulnerability if the affected product(s) or service(s) are not owned by the CNA, and are not customer controlled."

In short, the real reason why these AWS vulnerabilities were not issued CVEs is that Amazon is not a CNA partner. Microsoft can issue CVEs for its own products and services, as can Google. Whether the appropriate fix is changing the rules to allow any CNA to assign IDs to vulns whose fixes are out of customers' hands or to sign up Amazon as a CNA depends on your perspective. In June 2022, Wiz.io took matters into its own hands by establishing a community database of cloud vulnerabilities to fill the gap.

As Luttwak said, "There's hundreds of services in AWS, and many of them are getting more and more cross account capabilities, because cross account is the main strategy today for organizations using AWS. So the attack surface is just growing."

Why Some Cloud Services Vulnerabilities Are So Hard to Fix

Categories: News
Tags: stalkerware

Tags:  mobile

Tags:  device

Tags:  NYAG

Tags:  monitoring

Tags:  New York

Tags:  app

Tags:  developer

We take a look at news that the NYAG has penalised developers of stalkerware-type apps, and the ramifications for those developers further down the line.



(Read more...)




The post Stalkerware-type app developers fined by NY Attorney General appeared first on Malwarebytes Labs.

Stalkerware is a huge problem when it comes to intrusion into people’s personal lives. “Friends”, strangers, family members, abusive spouses and many more can potentially dabble in this malignant pastime and cause all manner of trouble for their target.

Thanks to the New York Attorney General’s office, some folks will shortly be made aware of a little extra something lurking on their devices, after it landed a developer with a $410,000 fine and a requirement to notify people that their devices are running monitoring software. 

**A wealth of personal information**

As far as the apps in question go, the release \[PDF\] explains what they can get up to without the device owner’s knowledge. This is a long extract, but it’s important to get a feel for just how much the device owner gives up privacy without knowing about it:

> "Once installed on a Target Device, the Spyware App will copy information from the Target Device and transmit it to Respondents’ servers, where the information is made available for viewing by the purchaser of the Spyware App. Information copied and transmitted by Respondents’ Spyware Apps includes: call logs (including phone number, date, and call duration); text messages (including message content, date, and recipient); camera images and videos (including the image or video itself and date taken); location (including current latitude and longitude of the device); Gmail data (including an excerpt/snippet of the email message content, email subject, sender and recipient email address, and date); WhatsApp messages (including message text, sender, and date); Skype data (including message content, sender, and date); Facebook, Instagram, and Twitter data (including direct message content, date, and sender); and Google Chrome data (including browser history with URL and dates visited). "

Up until October 2021, which brought changes to both iOS and Android, these apps could have their icon hidden by whoever was in control of the app. All data grabbed by the app could be viewed by the controller via a web dashboard. This data was organised in a way which made it easy for the spyware controller to browse at leisure.

**Of ads and reviews**

On top of all of this, the respondents “misrepresented the legal risks of using the spyware products for covert spying”. In other words: Websites and adverts promoted use of these tools in a positive light, with no clear references to how you could land yourself in legal hot water by using them. It’s all “catching your cheating partner in the act” and “relationship advice”, and not “covert spying on people without their permission could well be illegal in your region”.

Last but not least, there was no indication of affiliation with supposedly independent third-party review websites covering the spying tools in question. If this all sounds like a recipe for disaster for the app developers, you’d be right. The real shame is that some of these tools have been available since “at least” 2011. Better late than never?

**All's well that ends well?**

This isn’t a one and done issue. Correct and proper notification on devices where these installations reside in the future must take place:

> "In addition, Hinchy’s companies must modify the apps and software so that the owner of the device being monitored is notified and informed of the types of information collected by the app or software and made available for viewing by the user of the product. The agreement further requires Hinchy and his companies to make accurate disclosures regarding endorsements, rooting and jailbreaking requirements, refund policies, and data security."

With no real way to dodge proper notification, this is a serious blow to software which is heavily reliant on being as invisible as possible. We can only hope that this gives some more app developers pause for thought. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Stalkerware-type app developers fined by NY Attorney General

By Deeba Ahmed
The refutation came days after Europe and North America were rattled by ESXiArgs Ransomware attacks.
This is a post from HackRead.com Read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has refuted claims that two-year-old vulnerabilities have been exploited in the ongoing ESXiArgs ransomware attacks.

Over the weekend, reports emerged about cybercriminals exploiting a two-year-old vulnerability in virtualization services provider VMware in a ransomware campaign. French CERT (Computer Emergency Response Team) **said** the campaign has been active since February 3rd, 2023.

Moreover, Italy’s ACN (National Cybersecurity Agency) **issued** a warning about a large-scale ransomware campaign. The agency noted that attackers were aiming to target thousands of organizations across Europe and North America.

It was also reported that VMware’s ESXi servers were vulnerable, as these had not been patched against a remotely exploitable flaw discovered in 2021. Attackers compromised the server and added a ransomware variant called ESXiArgs.

For your information, ESXi is VMware’s hypervisor technology, which allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server.

The vulnerability is tracked as **CVE-2021-21974** and assigned a CVSS rating of 8.8. It is an OpenSLP heap-based buffer overflow flaw, which an unauthorized actor can exploit to gain remote code execution. A fix for it was released on February 23, 2021, by VMware.

However, on Monday, VMware denied the news and stated they could not find any evidence that threat actors were trying to leverage a zero-day in its software in a worldwide active ransomware campaign.

“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” said Edward Hawkins, the High-Profile Product Incident Response Manager at VMware in a **blog post**.

The company has advised its customers to upgrade to its latest vSphere components release to mitigate the threat. Furthermore, the company recommends disabling the OpenSLP service in ESXi. It is worth noting that the service was disabled by default in ESXi 7.0 U2c and ESXi 8.0 GA, shipped in 2021.

According to GreyNoise data, 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. Eighteen IP addresses were classified as benign, whereas one instance of malicious exploitation of the issue was reported in the Netherlands.

The intrusion involved exploiting the already-susceptible ESXi servers, which were exposed to the internet on the OpenSLP port 427. The victims were asked to pay 2.01 Bitcoin or $45,990 in exchange for the encryption key for file recovery. But so far, there are no reports of data exfiltration.

The alleged ESXiArgs ransomware (Source: DarkFeed)

The U.S. CISA is investigating the ESXiArgs campaign. According to the agency’s spokesperson, they have collaborated with private and public sector partners to analyze the impact of the reported incidents and offer assistance where required.

“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” they added.

1.  **Shipping Software Hit by Ransomware Attack**
2.  **Royal Ransomware Spreading Through Google Ads**
3.  **COVID-19 Tracking App Drops Punisher Ransomware**
4.  **Ransomware Gang Leaks Medibank Data on Dark Web**
5.  **US Charges Iranian Hackers Over Ransomware Attacks**

VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue is has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability.

@@ -1,41 +1,7 @@ package io.onedev.server.model;  
import static io.onedev.server.model.User.PROP\_ACCESS\_TOKEN; import static io.onedev.server.model.User.PROP\_FULL\_NAME; import static io.onedev.server.model.User.PROP\_NAME; import static io.onedev.server.model.User.PROP\_SSO\_CONNECTOR;  
import java.util.ArrayList; import java.util.Collection; import java.util.LinkedHashMap; import java.util.LinkedHashSet; import java.util.List; import java.util.Optional; import java.util.Stack; import java.util.stream.Collectors;  
import javax.annotation.Nullable; import javax.persistence.CascadeType; import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.Index; import javax.persistence.Lob; import javax.persistence.OneToMany; import javax.persistence.Table;  
import org.apache.commons.lang3.RandomStringUtils; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.SimplePrincipalCollection; import org.apache.shiro.subject.Subject; import org.eclipse.jgit.lib.PersonIdent; import org.hibernate.annotations.Cache; import org.hibernate.annotations.CacheConcurrencyStrategy; import javax.validation.constraints.NotEmpty;  
import com.fasterxml.jackson.annotation.JsonIgnore; import com.google.common.base.MoreObjects;  
import edu.emory.mathcs.backport.java.util.Collections; import io.onedev.commons.utils.ExplicitException; import io.onedev.server.OneDev; @@ -51,12 +17,28 @@ import io.onedev.server.model.support.issue.NamedIssueQuery; import io.onedev.server.model.support.pullrequest.NamedPullRequestQuery; import io.onedev.server.security.SecurityUtils; import io.onedev.server.util.CryptoUtils; import io.onedev.server.util.facade.UserFacade; import io.onedev.server.util.validation.annotation.UserName; import io.onedev.server.util.watch.QuerySubscriptionSupport; import io.onedev.server.util.watch.QueryWatchSupport; import io.onedev.server.web.editable.annotation.Editable; import io.onedev.server.web.editable.annotation.Password; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.SimplePrincipalCollection; import org.apache.shiro.subject.Subject; import org.eclipse.jgit.lib.PersonIdent; import org.hibernate.annotations.Cache; import org.hibernate.annotations.CacheConcurrencyStrategy;  
import javax.annotation.Nullable; import javax.persistence.\*; import javax.validation.constraints.NotEmpty; import java.util.\*; import java.util.stream.Collectors;  
import static io.onedev.server.model.User.\*;  
@Entity @Table( @@ -68,8 +50,6 @@ public class User extends AbstractEntity implements AuthenticationInfo {  
private static final long serialVersionUID = 1L;  
public static final int ACCESS\_TOKEN\_LEN = 40;  
public static final Long UNKNOWN\_ID = -2L;  
public static final Long SYSTEM\_ID = -1L; @@ -117,7 +97,7 @@ protected Stack<User> initialValue() {  
@Column(unique\=true, nullable\=false) @JsonIgnore private String accessToken = RandomStringUtils.randomAlphanumeric(ACCESS\_TOKEN\_LEN); private String accessToken = CryptoUtils.generateSecret();  
@JsonIgnore @Lob

CVE-2023-24828: Fix issue #1179 - OneDev should use crypto strong random string for a… · theonedev/onedev@d67dd96

Hackers can't steal a credential that doesn't exist.

The rise of the cloud has made business more agile, flexible, and streamlined, which is why over 90% of enterprises has committed to a multicloud strategy. But complexity creates seams where secrets leak out. Recent high-profile breaches at Microsoft and airports have made misconfigured S3 buckets a cybersecurity trope. However, configuration issues aren't the only problem: access creep is just as dangerous, and common, according to recent figures.

Overprivileging happens when a service or account requests or requires all the permissions it might possibly ever use, usually in order to avoid having to go back and request new permissions if the need arises later. This would not be a not great situation even at a single-server level, but as various services and vendors interact, each granted its own high level of permissions, the chance of compromise builds.

In its end-of-year summary for 2022, cloud security company Permiso reported that cloud security posture management (CSPM) vendors use only a fraction of the permissions they are granted: just more than 1/10th, or 11%. This shrinks to 5.3% across all users and roles. That's a lot of unlocked doors that nobody needs to open.

The results of its analysis jibe with the results from a CloudKnox survey from two years ago, which found that 90%-95% of identities on AWS, Azure, Google Cloud Platform, and vSphere use no more than 2%-5% of the permissions granted.

"Most teams assume that these secrets are only being used by the individuals or workloads they have been provisioned to, but in reality, these secrets are often shared, rarely rotated, are long-lived and not single-use, so just like passwords, they become more vulnerable as they age," the Permiso team wrote.

And therein lies the problem. Organizations are usually pretty strict about setting up permissions for human users, but they tend to allow the requested default permissions for machine identities. This leads to a situation in which threat actors need only find a way into one overly broadly permissioned account in order to gain privileged access over much of the corporate cloud. "You may have your database perfectly locked down, but if a service that has access to that database has the permissions for anyone to get in, your database is as good as compromised," Kendall Miller, president of Kubernetes governance service FairWinds, warned in 2021.

And for the year 2022, Permiso flatly declared, "All of the incidents we detected and responded to were a result of a compromised credential," rather than a misconfigured cloud resource.

The key to managing this risk is to audit permissions and institute strong identity access management (IAM) policies for all users, not just humans. That begins with determining what data an application actually needs access to — and what it doesn't. A software org chart might prove helpful in tracing out the routes of access among apps and assigning or restricting permissions.

Cloud Apps Still Demand Way More Privileges Than They Use

Directory Traversal vulnerability in AdminLTE 3.1.0 allows remote attackers to gain escalated privilege and view sensitive information via /admin/index2.html, /admin/index3.html URIs.

This gist text file is reserved for CVE-2021-36471 which is yet to be published. Following are the description and references for the assigned CVE so that Mitre team can assess.

Vulnerability Type :

Directory Traversal

Affected Component :

Privilege escalation, compromise of admin account

Attack Type :

Remote

Impact Escalation of Privileges :

True

Impact Information Disclosure :

True

Attack Vectors :

Traverse to /admin/index2.html , /admin/index3.html

Discoverer :

https://www.linkedin.com/in/cyb3rs4k1/

References :

https://wpkixx.com/html/admo-admin/index2.html

http://baituljannah.sch.id/assets/admin/index2.html

https://marix.live/admin/index2.html

http://infobanjir.plsm.water.gov.my/admin/index3.html

https://doevent.uz/admin/index2.html?attempt=1

https://p2p.wrox.com/sharepoint-admin/index2.html

Vendor of Product :

AdminLTE

Affected Product Code Base :

AdminLTE Bootstrap Admin Dashboard Template AdminLTE 3.1.0

Description :

This vulnerability can be searched by using the google dork 'inurl:"/admin/index2.html"' or 'inurl:"/admin/index3.html"' (without single quotes).

AdminLTE dashboards have index2.html/index3.html in their products. Using this we can search for the AdminLTE templates which are being used in websites.

Google will list out websites provided with public facing AdminLTE dashboards which are accessible over the internet.

Reference URLs for the few affected websites with the adminLTE template are listed in references above.

CVE-2021-36471: This gist text file is reserved for CVE-2021-36471 which is yet to be published. Following are the description and references for the assigned CVE so that Mitre team can assess.

Tag

#google