Deserialized web security roundup: Algolia API key leak, GitHub CVE reporting, scoring CVSS scores

Adam Bannister

02 December 2022 at 17:19 UTC

Updated: 19 December 2022 at 17:12 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our inaugural web security roundup begins with the news that thousands of applications were found to be leaking API keys for Algolia.

Algolia technology is used by the likes of Lacoste, Stripe, and Slack, to incorporate search, discovery, and recommendations into web, voice, and mobile applications.

Researchers from CloudSEK found 1,500 apps leaking Algolia API keys, 32 of which had hardcoded keys that could allow attackers to steal or delete the data of millions of users. Vulnerable data included IP addresses, access details, and analytics data.

Meanwhile, maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

Staying with vulnerability management, the US Cybersecurity and Infrastructure Security Agency (CISA) has set out a three-step process for enhancing vulnerability management, including leveraging the vulnerability exploitability exchange (VEX), a form of security advisory index recently featured on The Daily Swig that focuses on the exploitability of flaws within applications.

CISA has also published a study on the effectiveness of the CVSS base score equation that concluded that the metric closely – albeit not perfectly – represents the CVSS maintainers’ expert opinion.

The Daily Swig also recently reported on system config issues in flavor-of-the-month social networking platform Mastodon, Tailscale VPN nodes being vulnerable to DNS rebinding, and how the Go SAML library was affected by an authentication bypass, among other news.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

  • Apache Commons BCEL / CVE-2022-42920 / CVSS 9.8 / Out-of-bounds writing issue impacting APIs could give attackers greater control of resulting bytecode / Disclosed with patch, November 4
  • Apache MINA SSHD / CVE-2022-45047 / CVSS 9.8 / Unsafe Java deserialization / Disclosed with patch, November 15 
  • Flarum / CVE-2022-41938 / CVSS 9.0 / Cross-site scripting (XSS) allowed injection of malicious HTML markup via the discussion title input, either by creating a new discussion or renaming one / Disclosed with patch, November 21
  • TiDB / CVE-2022-3023 / CVSS 9.8 / Data source name injection could lead to arbitrary file reads / Disclosed with patch, November 17

Research and attack techniques

    • Sonar published a three-part series documenting vulnerabilities in IT Infrastructure monitoring tool Checkmk and its NagVis integration. These flaws could be chained to seize control of servers
    • Platform certificates used to sign system apps on Android builds have been maliciously leaked and used to sign malicious Android apps – “Folks, this is bad. Very, very bad”, tweeted one Android expert
    • Software engineer Tom Forbes uncovered a serious oversight by IT firm Infosys whereby a file was accidentally published to PyPI – and accessible for more than a year – containing AWS keys to an S3 bucket potentially containing patient data from Johns Hopkins University
    [Image: TikTok is proving a useful vehicle for social engineering]

    • Cybercriminals are tricking TikTok users into downloading malware with the promise of removing invisibility filters from nude photos, Checkmarx reveals – with TikTok videos posted by the attacker gathering over a million views in just two days
    • Hacker extraordinaire Sam Curry revealed that he was part of a team that uncovered 100 vulnerabilities – 50 rated critical – on agricultural equipment supplier John Deere’s security program, with technical details in the pipeline

Bug bounty / vulnerability disclosure

    • HackerOne’s leading Australian hacker and number 30 on its worldwide leaderboard Shubham Shah has published a deep dive on what it takes to succeed as a bug bounty hunter
    • Belgium-based bug bounty and pen testing platform Intigriti launched a Bug Bounty Calculator, as reported in our monthly Bug Bounty Radar
    • Idaho launched a vulnerability disclosure policy for election websites, becoming the fourth US state to do so, reports Statescoop

New open source infosec/hacking tools

    • Mi-X – Determines your system’s potential vulnerability to flaws by evaluating runtime execution, configuration, permissions, mitigations, OS, and other relevant variables
    • GuardDog – Identifies malicious Python packages using Semgrep and package metadata analysis
    • Legitify – Detect and remediate misconfigurations plus security and compliance issues across your GitHub assets
    • inTheWild – Vulnerability feed that documents reports of CVEs being exploited in the wild
    • APTRS (Automated Penetration Testing Reporting System) – Python and Django tool for tracking projects and vulnerabilities and creating reports without using DOCX files

For devs

    • The US’s National Security Agency (NSA) has released guidance (PDF) urging developers to shift from “programming languages that provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible”
