Abusing OAuth, State of DevOps, Nightshade and AI, iLeakage, Sandboxing Apps – ASW #261
OAuth implementation failures, the State of DevOps report, data poisoning generative AIs with Nightshade, implementing spectre attacks with JavaScript and WebAssembly against WebKit, sandboxing apps
Announcements
Join us for one of our Identiverse Regional Events, coming up on December 1st in New York City and December 5th in Chicago! Participate alongside local experts and regional peers in information-rich sessions on the latest technologies, best practices, and industry trends.
Secure your complimentary registration at securityweekly.com/idvregionalevents2023
Hosts
- 1. Okta Support System incident and 1Password
Noting this briefly to highlight the how monitoring has been critical in detecting compromises in SaaS providers.
Cloudflare published a similar blog post last week about the Okta incident. They've also now provided an open source HAR sanitizer in response to the technique attackers used to obtain session tokens.
- 2. Oh-Auth – Abusing OAuth to take over millions of accounts
Last week we talked about OAuth and this week we have some more OAuth implementation mistakes.
These stem from not verifying tokens during the OAuth dance. Thus, attackers who were able to insert their own tokens could consequently impersonate others.
It's an example of how a secure design meets an insecure implementation. And leaves us with a thought exercise in how the design might be improved so that token validation isn't just required, but is implemented by default due to the nature of the protocol or its cryptographic properties.
- 3. Common Vulnerability Scoring System Version 4.0
CVSS v4.0 is slated for publication this week. Be ready on November 1st to remember the distinction that CVSS Base metrics represent severity, not risk, and that you can have some CVSS-BE and CVSS-BTS along with that CVSS-B.
- 4. 2023 State of DevOps Report | Google Cloud
Ok, this is the second PDF this month behind a registration wall, but it's a good gauge of where to strive for maturity in your DevOps teams.
This time around I wanted to focus on its attention to user-centrism and quality documentation. User-centric features and approaches to software reap benefits for internal as well as external tools. I'm also a fan of good, concise documentation -- but I also feel like that's an area that is under-recognized and not incentivized in engineering promotion paths.
- 5. This new data poisoning tool lets artists fight back against generative AI | MIT Technology Review
Cyberpunk's aesthetics are cool, but the future behind it is always dystopian. Here's a cyberpunk-esque fight between artists and AI training models where artists are using techniques to subtly poison those models to prevent their work from being co-opted.
Check out the Glaze project that the team also created and will be integrating Nightshade's techniques into.
- 6. iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices
Here's an implementation of a spectre attack in JavaScript and WebAssembly. It works against WebKit (Safari) on recent Apple chips. There are many interesting angles on this, from side-channels to sandboxes to LockDown mode. It's also a reminder that some vulns are difficult to exploit, but can have high impacts and be just as difficult to counter.
Check out the lab's other work on hardware security. It's all very well written and they got a perfect domain name, architecture.fail.
There's a great article from Dan Goodin here.
- 7. DESIGN: Server-side sandboxing: An introduction | Figma Blog
I feel like we haven't been talking enough about software design and design examples. So here's one article to help shift that balance!
It talks about some coarse sandboxing, like VMs and containers, but also covers seccomp.
- 8. When we say “security”, what do we mean?
This is one of the longer articles we've included and it spans quite a bit more than just appsec. But it's an educational read and I like the points it makes when it talks about the framing of security and the anti-patterns of blaming users for clicking on links.
There's a lot more to the article than that, so grab some tea and sit down for a long read.
- 1. New vulns in nginx kubernetes ingress controller
Three critical vulnerabilities were announced last week about the nginx-based ingress controller for k8s. To me, the most significant is the ability to perform arbitrary code execution through injection into a configuration-snippet annotation.
The article link is to one of the three - go up a level in the kubernetes-announce archive and you'll see the others.
- 2. Announcing the Cascade RISC-V CPU fuzzer
The computer security group at the Swiss Federal Institute of Technology in Zurich have created a fuzzer for RISC5 CPUs, and found a 37 new bugs with 29 new CVEs. Besides being Yet Another CPU Fuzzer, what's interesting about this one is it's designed to create code that should execute successfully if there is no issue, whereas in many fuzzers they're a little more willy-nilly in their attempt to crash the target. This means for Cascade, it should be easier for researchers to determine bugs and troubleshoot failure cases
- 3. CONFERENCE: Agile testing days
This landed on my radar from of all places a conversation on Nextdoor. In previous years, they used to do testing competitions, similar to capture-the-flag competitions. This sounds amazing, and I hope they bring it back.
In the meantime, I think almost any of our companies can benefit from working on improving our testing processes, so there's probably lots to learn here.
- 4. Integer Overflow in vim :history command
I don't think this is exploitable, but still I find these type of bugs "fun" when they're found in software packages that have been around for a while.
Patch is at https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a - a little more complex that I would have expected...
- 5. Meta’s automating dead code cleanup
One of the things I like machines for is doing work that humans can't - or shouldn't - do. One example of this might be removing "dead code." Are you SURE that code isn't being used anywhere? Meta's SCARF takes a number of steps like analyzing code graphs and call logs to ensure it's able to say "yes," and then sends a pull request.