by Bill Sempf
31. January 2021 13:26
a63f5cab-e956-432f-8f5c-afb21053b458|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
24. January 2021 12:58
A very Interesting list of exploitable "features" in PDFs.
https://web-in-security.blogspot.com/2021/01/insecure-features-in-pdfs.html?m=1
There have been a lot of attacks on Azure's authentication system recently - some of which were even in this newsletter. Sparrow helps you smoke out vulnerable instances.
https://github.com/cisagov/Sparrow/
Didier has been a regular in this newsletter, and he has updated his Strings.py tool to support more encoding. Very cool stuff.
https://blog.didierstevens.com/2021/01/24/update-strings-py-version-0-0-7/
Have your kids test your apps.
https://github.com/linuxmint/cinnamon-screensaver/issues/354
Stay safe out there.
881f455d-c0d6-4844-9a9a-bb746d707be5|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
17. January 2021 12:36
Breakdown of a malicious app that man-in-the-middled the Google Signin.
https://blog.usejournal.com/how-i-stole-the-data-in-millions-of-peoples-google-accounts-aa1b72dcc075
Good Wired article about tools the fibby uses to get around smartphone encryption.
https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/
Oh man, cross-origin images and data leakage. Certainly adding this to my manual testing.
https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/
This has been patched, but a really good explainer on how the RCE in Office 365 was discovered.
https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html
Using game hacking to explain the danger of unsigned code.
https://secret.club/2021/01/12/callout.html
Have a great week folks!
acb4dbef-fdf0-479a-b1f4-c4dfc768d791|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
10. January 2021 13:02
Hey, welcome back from holidays. Quite a week it has been.
Portswigger has a really good writeup of OAUTH 2 vulnerabilities.
https://portswigger.net/web-security/oauth
This isn't so much appsec, but it is really interesting code that hacks a game - Cyberpunk 2077 minigame resolver.
https://github.com/nicolas-siplis/cyberpwned
SolarWinds just keeps on giving.
https://kb.cert.org/vuls/id/843464
Keep on keeping on, folks.
8cefdc35-1067-4ce0-8632-057d66627b59|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags: