Loom Disclosure, GitHub 2FA, Buffer Overflow in TPM, Dropbox Career Framework – ASW #232
Loom provides transparency on mishandling cookies, GitHub moves to require 2FA, TPM reference implementation includes a buffer overflow, Dropbox shares their security engineer ladder, multiple flaws in a smart intercom
Announcements
Security Weekly listeners: Identiverse 2023 is heading to Vegas! Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 30th to June 2nd. Identiverse is a must-attend annual event that brings together over 2,500 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, you’re able to receive 20% off your Identiverse 2023 tickets using code IDV23-SW20!
Register today: securityweekly.com/identiverse2023
Hosts
- 1. March 7th, 2023 Incident update: cache configuration change leading to account vulnerability
"We care deeply about privacy and security at Loom." -- and this is the kind of incident report you write to demonstrate that. A cache configuration captured session cookies, which then dropped those cookies onto visitors.
The write-up goes through the prep and considerations taken before the cache change, an analysis of what happened despite that prep, and steps to avoid similar problems in the future.
- 2. Raising the bar for software security: GitHub 2FA begins March 13
GitHub starts requiring 2FA starting today. It's a year-long effort during which groups of devs will receive notifications to enable 2FA within a 45-day period.
It's a good step for security and has some nods towards usability, like unlinking an email in case of account lockout so you can reuse the email for a new account.
- 3. Apache Patches Two Important Bugs in Web Server
This is really just notable for an Apache bug surfacing in the news. They've been rare. Looking back at the 2.4 security page, request smuggling has been an ongoing bug class, as has the usual type of memory issues from C.
Last year Apache started down a path with Rust, providing modtls as a replacement for modssl. But it was the Internet Security Research Group that did the work, not the Apache Software Foundation. We'll add this to the list of projects to watch that are migrating away from C, but it's not clear whether there's more to come from httpd.
- 4. VU#782720 – TCG TPM2.0 implementations vulnerable to memory corruption
It's never good to have bugs in the root of a root of trust. Researchers found two. They look to be exploitable and could be used to leak information or escalate privileges.
Notably, the flaws were in reference code. They failed to apply length checks, which could lead to a buffer overflow.
- 5. The Silent Spy Among Us: Modern Attacks Against Smart Intercoms | Claroty
This is another entertaining and informative article. It also reads like a checklist of basic appsec issues -- they just all happen to be within a single app.
- 6. Dropbox Engineering Career Framework – Security Engineer
Dropbox provides their framework for individual contributors on the Security Engineering teams. At the junior levels, there's more weight on technology fluency and threat fluency. In other words, understanding fundamentals of appsec. We'll continue to highlight tools and attacks that would help you gain knowledge and practice in those areas.
- 7. Update on the Enigma Conference from the Enigma Steering Committee
Last week we lamented the end of The Daily Swig. This week we're looking at the end of Enigma.
We had just talked with Adrian Sanabria in episode 228 about his presentation for Enigma and we've covered others in the past. Let us know your favorite conferences for staying on top of appsec trends.
- 8. TOOL: ImageMagick Security Policy Evaluator
Images are everywhere on the web. They're also a great attack vector since many sites allow users to upload arbitrary images and image parsers have had many buffer overflows. Talking about how to secure an image processing pipeline is a good exercise in security architecture, because you can touch on not only the binary that handles images, but how to isolate it from other parts of an app.
ImageMagick's behavior can be influenced by compile-time settings as well as at runtime by its XML-based security policy.
Read the blog post at https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html
- 1. March 7th, 2023 Incident update: cache configuration change leading to account vulnerability
Tl;dr: Loom's CDN sent the wrong session cookies to the wrong people (effectively meaning that people were sort of logging in as other people by lottery)
- 2. How to secure your end-to-end supply chain on GitHub
Securing not only the software that you write, but that you depend on in your supply chain is a hot topic right now. To that end, GitHub wrote many useful guides on how to secure the software supply chain, covering topics like securing your accounts, securing your code in the supply chain, and securing your build system.
- 3. Tool: OWASP Juice Shop
One of the web's least buggy buggy websites, Juice Shop is a vulnerable web application that exists to teach people about application security and pentesting. You can either try to exploit the many vulnerabilities on your own, or choose to use built-in tutorials. You can also configure Juice Shop for CTFs and training courses at your organization.
- 4. Resource: What is a TPM, and Why do I need one?
A great video overviewing what a TPM is, how to check and see if you have one on your computer, what to do if you don't see a TPM listed, and why Microsoft insists on TPM 2.0 to run Windows 11.
- 5. Traveling with OAuth – Account Takeover on Booking.com
A deep, technically rich dive into exploiting security vulnerabilities through the mis-implementation of OAuth on Booking.com's website.
- 1. Importer commits in GitHub Actions
There's a weakness in how GH handles commits from a fork of a repo. As one example, this can be used to make it look like an action is running a legitimate commit, but it's actually from a fork...
- 2. TOOL: OWASP WrongSecrets
Neat project similar to the bad* series of projects that goes through various ways one should not store secrets, and the issues using these methods can cause