Security Roundup - 2018-01-18

Vulnerability Breach Disclosure. Troy Hunt is apparently sitting on hundreds of potential data leaks. Biggest problem he faces here? Wanting to privately disclose the information to impacted companies before going public with the disclosure. With that in mind, he has written up a series of escalation steps he plans to use to streamline the process on his end.

Blockchain Graveyard. Interested in security and cryptocurrency? You may be interested in the Blockchain Graveyard, a site collecting security incidents around cryptocurrencies.

Passphrase collision in blockchain network. Lisk, a minor blockchain network, has had to notify users about the possibility of collisions in passphrases and keys that could in theory let someone gain control of their account and steal funds. The security researcher behind these findings has also published a rundown of the problem.

Mozilla announces further steps in security. Mozilla has announced that all future new features will be restricted to secure contexts. Secure Contexts are a feature in which there is reasonable confidence that content has been delivered securely, rather than potentially being Man in the Middled. Firefox hopes that this will help usher in yet more increased adoption of HTTPS.

CyberSecurity exit for malware author. Cybersecurity has seen its latest exit with Exobot’s author deciding to get out of the rental business and straight up sell the source code. Security researchers are generally worried that this will lead to another Mirai-type scenario where the source ends up public, lowering the bar of entry for a certain number of attacks.

Bug Bounty Triage. Thinking about running a bug bounty? HackerOne provides some tips on how to think about triage and prioritization.

Pixel Remote Exploit Chain Discovered. While the Pixel phone survived 2017’s Mobile Pwn2Own competition, the team celebrates their first remote exploit, paying out more than 100K through their bug bounty (their highest bounty yet!). The bug leverages a chain of vulnerabilities, starting with WebAssembly and managing to break out of the mobile Chrome sandbox. Full details are in the link.

Directory listing to account takeover. Or perhaps better labeled ‘Why Configuration Matters’, after one security expert finds an open directory listing which includes webhook logs for a company’s email provider. Unfortunately, said logs happened to include password reset links for customers, allowing the researcher to trigger a password reset and use the logs to effectively take over any account.
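The exposed directory listing was the entry point, but the damage came from logging the reset links at all. As an added example (not from the post or the company involved), here is a small Python redaction step that strips reset tokens from a mail provider’s webhook payload before it is written anywhere; the parameter names, the opaque-segment rule and the sample event are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical list of query parameters that carry single-use secrets in
# transactional mail (reset tokens, magic links); extend it for your provider.
SECRET_PARAMS = {"token", "reset_token", "code", "key", "signature"}
# Long opaque path segments such as /reset/<token> are treated as secrets too.
_OPAQUE_SEGMENT = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
_URL = re.compile(r"https?://[^\s\"'<>]+")

def redact_url(url: str) -> str:
    """Replace secret-bearing query values and opaque path segments with REDACTED."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = "/".join("REDACTED" if _OPAQUE_SEGMENT.match(seg) else seg
                    for seg in parts.path.split("/"))
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))

def _redact_match(m: re.Match) -> str:
    # Keep trailing sentence punctuation outside the URL.
    url, trail = m.group(0), ""
    while url and url[-1] in ".,;)":
        url, trail = url[:-1], url[-1] + trail
    return redact_url(url) + trail

def redact_webhook_event(event):
    """Return a deep copy of a webhook payload with every embedded URL redacted.
    Run this before the event reaches any log file or datastore."""
    if isinstance(event, dict):
        return {k: redact_webhook_event(v) for k, v in event.items()}
    if isinstance(event, list):
        return [redact_webhook_event(v) for v in event]
    if isinstance(event, str):
        return _URL.sub(_redact_match, event)
    return event

# Constructed sample of a delivery webhook from a mail provider; token values are made up.
SAMPLE_EVENT = {
    "event": "delivered",
    "recipient": "user@example.com",
    "message": {
        "subject": "Reset your password",
        "html": 'Click <a href="https://app.example.com/reset?token=9f3b2c1d4e5a6b7c8d9e0f1a2b3c4d5e&email=user%40example.com">here</a>.',
        "text": "Or open https://app.example.com/reset/ABCDEF1234567890abcdef1234 within 1 hour.",
    },
}

if __name__ == "__main__":
    print(redact_webhook_event(SAMPLE_EVENT))
```

Redacting at ingestion means a later misconfiguration (an open listing, a leaked backup) exposes delivery metadata but not a usable reset link.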

Written on January 18, 2018