Deserialized web security roundup: Algolia API key leak, GitHub CVE reporting, scoring CVSS scores


Adam Bannister 02 December 2022 at 17:19 UTC
Updated: 02 December 2022 at 17:20 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news


Our inaugural web security roundup begins with the news that thousands of applications were found to be leaking API keys for Algolia.

Algolia technology is used by the likes of Lacoste, Stripe, and Slack, to incorporate search, discovery, and recommendations into web, voice, and mobile applications.

Researchers from CloudSEK found 1,500 apps leaking Algolia API keys, 32 of which had hardcoded keys that could allow attackers to steal or delete the data of millions of users. Vulnerable data included IP addresses, access details, and analytics data.

Meanwhile, maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

Staying with vulnerability management, the US Cybersecurity and Infrastructure Security Agency (CISA) has set out a three-step process for enhancing vulnerability management, including leveraging the Vulnerability Exploitability eXchange (VEX), a form of security advisory index recently featured on The Daily Swig that focuses on the exploitability of flaws within applications.

CISA has also published a study on the effectiveness of the CVSS base score equation that concluded that the metric closely – albeit not perfectly – represents the CVSS maintainers’ expert opinion.

The Daily Swig also recently reported on system config issues in flavor-of-the-month social networking platform Mastodon, Tailscale VPN nodes being vulnerable to DNS rebinding, and how the Go SAML library was affected by an authentication bypass, among other news.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

Apache Commons BCEL / CVE-2022-42920 / CVSS 9.8 / Out-of-bounds write issue impacting APIs could give attackers greater control of the resulting bytecode

Apache MINA SSHD / CVE-2022-45047 / CVSS 9.8 / Unsafe Java deserialization / Patched

Flarum / CVE-2022-41938 / CVSS 9.0 / Cross-site scripting (XSS) allowed injection of malicious HTML markup via the discussion title input, either by creating a new discussion or renaming one / Patched November 21

TiDB / CVE-2022-3023 / CVSS 9.8 / Data source name injection could lead to arbitrary file reads / Patched November 17

Research and attack techniques

Sonar published a three-part series documenting vulnerabilities in IT infrastructure monitoring tool Checkmk and its NagVis integration. These flaws could be chained to seize control of servers

Platform certificates used to sign system apps on Android builds have been maliciously leaked and used to sign malicious Android apps – “Folks, this is bad. Very, very bad”, tweeted one Android expert

Software engineer Tom Forbes uncovered a serious oversight by IT firm Infosys whereby a file was accidentally published to PyPI – and accessible for more than a year – containing AWS keys to an S3 bucket potentially containing patient data from Johns Hopkins University

[Image caption: TikTok is proving a useful vehicle for social engineering]

Cybercriminals are tricking TikTok users into downloading malware with the promise of removing invisibility filters from nude photos, Checkmarx reveals – with TikTok videos posted by the attacker gathering over a million views in just two days

Hacker extraordinaire Sam Curry revealed that he was part of a team that uncovered 100 vulnerabilities – 50 rated critical – in agricultural equipment supplier John Deere’s security program, with technical details in the pipeline

Bug bounty / vulnerability disclosure

HackerOne’s leading Australian hacker and number 30 on its worldwide leaderboard, Shubham Shah, has published a deep dive on what it takes to succeed as a bug bounty hunter

Belgium-based bug bounty and pen testing platform Intigriti launched a Bug Bounty Calculator, as reported in our monthly Bug Bounty Radar

Idaho launched a vulnerability disclosure policy for election websites, becoming the fourth US state to launch a vulnerability disclosure policy, reports Statescoop

New open source infosec/hacking tools

Mi-X – Determines your system’s potential vulnerability to flaws by evaluating runtime execution, configuration, permissions, mitigations, OS, and other relevant variables

GuardDog – Identifies malicious Python packages using Semgrep and package metadata analysis

Legitify – Detects and remediates misconfigurations plus security and compliance issues across your GitHub assets

inTheWild – Vulnerability feed that documents reports of CVEs being exploited in the wild

APTRS (Automated Penetration Testing Reporting System) – Python and Django tool for tracking projects and vulnerabilities and creating reports without using DOCX files

For devs

The US’s National Security Agency (NSA) has released guidance (PDF) urging developers to abandon “programming languages that provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible”
