Full Segment Notes
Nextauth.js account takeover due to parsing flaw, URL parsing flaw in Go's net/url, another path traversal, Slack exposes password hashes (whaaat!?), Twitter exposes 5.4 million accounts, ransomware and research against PyPI and GitHub, videos from fwd:cloudsec 2022.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
List of Articles
Mike Shema
- Authentication bypass bug in Nextauth.js could allow email account takeoverA sign-in flow accepted a comma-separated list of email addresses, but treated the list as a single string when applying security checks to it. It's another lesson that generalizes well beyond the specific JavaScript library flaw -- normalize data before making a security decision with it or before passing it through a security boundary.
- ParseThru: HTTP parameter smuggling flaw uncovered in several Go applicationsWe have one standard for parsing URLs, RFC 3986, but many implementations thereof. And, as with all one-to-many mappings of standard-to-implementations, there will be discrepancies. This article shows how a mishandled (i.e., ignored) parsing error due to a semicolon leads to security flaws. It also falls into the recurring theme that while memory-safe languages solve one important class of vulnerabilities, they don't absolve programmers from the responsibility for secure code. Using Go is still a good choice; parsers are notorious for memory-safety issues. This kind of flaw should be an ideal case for fuzzers to identify and help programmers harden their code. Check out the researcher's article at https://www.oxeye.io/blog/golang-parameter-smuggling-attack You can find RFC 3986 at https://datatracker.ietf.org/doc/html/rfc3986#section-3
- CompleteFTP path traversal flaw allowed attackers to delete server filesPath traversal strikes again! These types of flaws are ideal for discussing the importance of normalizing data before applying security checks. Then, once you've handled the complexity of file paths, it's an opportunity to talk about restricting file access. Then, once you've managed to sandbox your filesystem, it's an opportunity to talk about whether that was a good design pattern in the first place. (Ok, probably better to have had this step in the conversation up front.) After all, a cloud datastore like S3 or a local one like sqlite might solve the same feature and be prone to fewer security mistakes.
- A Slack Bug Exposed Some Users’ Hashed Passwords for 5 YearsWhy can a system access password hashes in the first place? Why are we still stuck with authentication based on comparing password hashes? Why are we still sending plaintext passwords so they can be hashed and then compared? Why do we still have passwords!? Slack's disclosure about the event is at https://slack.com/blog/news/notice-about-slack-password-resets WebAuthn is one alternative, http://webauthn.io/. Another is OPAQUE, which avoids having to share a plaintext password with servers in the first place. Check out a good article on it at https://blog.cloudflare.com/opaque-oblivious-passwords/ And, if you want to brush up on digital identities and a reminder why regular password rotation should be a thing of the past, check out NIST-SP800-63 at https://www.nist.gov/identity-access-management/nist-special-publication-800-63-digital-identity-guidelines.
- Twitter confirms January breach, urges pseudonymous accounts to not add email or phone numberA major theme of this episode is classes of flaws. We have a handful on normalization, password handling, and now oracles -- features that leak information about a system or users. These types of flaws become more interesting and more important when you include context about abuse and misuse into their threat models.
- School Kid Uploads Ransomware Scripts to PyPI Repository as ‘Fun’ ProjectThis article plus one related to malicious projects posted to GitHub* are a chance to revisit why I care less about the identity of actors when creating threat models. Plus, if these were exercises in learning or demonstrating impacts for bug bounties, there surely must be better ways of accomplishing these goals. * https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/
- Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen.Cryptocurrency bridges are intended to enable the transfer of tokens between different blockchains. In practice, they're self-funding bug bounties that transfer wealth from insecure code to observant hackers. Fortunately, they occasionally provide useful appsec lessons. In this case, it's about initializing values to zero (usually good), roots of trust (also good), and what happens when those situations come together without proper testing (oops). You can find another article on this at https://nakedsecurity.sophos.com/2022/08/02/cryptocoin-token-swapper-nomad-loses-200-million-in-coding-blunder/
- fwd:cloudsec 2022 videosI haven't had a chance to watch them all and pick out some favorites. Plus, we'll have a slew of presentations coming out of Vegas from DEF CON, BlackHat, and BSidesLV. What favorite presentations have you watched in the past year? What additional resources should we highlight?
John Kinsella
- One of the post-quantum encryption algorithms cracked in an hour on a PC
- Path traversal vulnerability found in Arris routers
- Bug found in CloudFlare email routing
- A teardown of Symbiote finds a bpf rootkit(h/t hackaday)
- A serious question about why “security is so hard in 2022”Very interesting thread on why (mostly) non-security people think security is Hard
