Deserialized Web Security Roundup: Algolia API Key Leak, GitHub CVE Reporting, Scoring CVSS Points
Adam Bannister December 2, 2022 at 17:19 UTC
Updated: 2 December 2022 at 17:20 UTC
Your fortnightly overview of AppSec vulnerabilities, new hacking techniques and other cyber security news
Our first cybersecurity roundup begins with the news that more than 1,500 applications were found to be leaking API keys for Algolia.
Algolia technology is used by the likes of Lacoste, Stripe and Slack to incorporate search, discovery and recommendations into web, voice and mobile applications.
CloudSEK researchers found 1,500 apps leaking Algolia API keys, 32 of which shipped hardcoded admin keys that could allow attackers to steal or delete the data of millions of users. The exposed data included IP addresses, access details and analytics data.
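The practical lesson from the CloudSEK finding is that an Algolia key in a client bundle is only safe if its ACL is limited to search. The scanner below is an added example written for this roundup, not CloudSEK's or Algolia's code: it pulls candidate application ID and API key pairs out of source text and rates each key by the ACL list Algolia reports for it. The regexes, the 200-character pairing window and the offline ACL fixture (standing in for the `acl` field of Algolia's `GET /1/keys/{key}` response) are assumptions, and the sample bundle is constructed.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Shape of Algolia credentials: a 10-character application ID and a
# 32-character hex API key. Both patterns are assumptions for this scanner.
APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")
WINDOW = 200  # characters around a key in which to look for its app ID

# ACL names Algolia attaches to an API key. A key embedded in a client
# bundle should carry nothing beyond "search".
SEARCH_ONLY_ACLS = {"search"}
DATA_EXPOSING_ACLS = {"browse", "listIndexes", "analytics", "logs", "settings"}
DESTRUCTIVE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}


def find_credential_pairs(source: str) -> List[Tuple[Optional[str], str]]:
    """Return (app_id, api_key) pairs found in source text.

    The app ID is the first 10-character token within WINDOW characters of
    the key, or None if nothing plausible is nearby.
    """
    pairs = []
    for match in API_KEY_RE.finditer(source):
        start = max(0, match.start() - WINDOW)
        window = source[start:match.end() + WINDOW]
        app = APP_ID_RE.search(window)
        pairs.append((app.group(0) if app else None, match.group(0)))
    return pairs


def triage_acl(acl: Iterable[str]) -> str:
    """Classify a key by the ACL list Algolia reports for it."""
    acls = set(acl)
    if acls & DESTRUCTIVE_ACLS:
        return "critical"        # attacker can modify or wipe indices
    if acls & DATA_EXPOSING_ACLS:
        return "data-exposure"   # attacker can dump records or analytics
    if acls <= SEARCH_ONLY_ACLS:
        return "search-only"     # what a client-side key should look like
    return "review"              # ACL names this scanner does not know


# Constructed stand-in for the "acl" field of Algolia's GET /1/keys/{key}
# response; swap in a real lookup when running against live keys.
ACL_FIXTURE: Dict[str, List[str]] = {
    "0123456789abcdef0123456789abcdef": ["search"],
    "ffffffffffffffffffffffffffffffff": ["search", "addObject", "deleteObject", "deleteIndex", "browse"],
}


def lookup_acl_offline(api_key: str) -> List[str]:
    return ACL_FIXTURE.get(api_key, [])


def scan(source: str, lookup: Callable[[str], List[str]] = lookup_acl_offline) -> List[dict]:
    """Find embedded Algolia credentials and rate each by its ACL."""
    findings = []
    for app_id, key in find_credential_pairs(source):
        acl = lookup(key)
        findings.append({
            "app_id": app_id,
            "key_prefix": key[:6],   # never log the full secret
            "severity": triage_acl(acl) if acl else "unknown",
        })
    return findings


# Constructed sample of a minified-looking JavaScript bundle, not a real app.
SAMPLE_BUNDLE = """
var c=algoliasearch("EXAMPLEAP1","0123456789abcdef0123456789abcdef");
/* ops helper left in the build by mistake */
var a=algoliasearch("EXAMPLEAP1","ffffffffffffffffffffffffffffffff");
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_BUNDLE):
        print(finding)
```

The fixture mirrors the two situations in the story: a search-only key, which is fine to ship, and a key whose ACL includes `deleteIndex`, which is the kind of secret that lets an attacker wipe or rewrite a customer's data.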
Meanwhile, maintainers of open source repositories can now receive private vulnerability reports, patch the issues and issue CVEs via GitHub, the Microsoft-owned software development platform announced at its GitHub Universe conference.
The news went down well with at least one infosec pro: vulnerability researcher and The Daily Swig interviewee Alex Chapman called it an “amazing feature”.
Sticking with vulnerability management, the US Cybersecurity and Infrastructure Security Agency (CISA) has set out a three-step process for improving vulnerability management, including leveraging the Vulnerability Exploitability eXchange (VEX), a form of security advisory recently featured on The Daily Swig that states whether a product is actually affected by, and exploitable through, a given vulnerability.
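What VEX buys a consumer is the ability to discard scanner noise automatically. The following added example, written for this roundup rather than taken from CISA's guidance or any VEX tooling, applies a small VEX document to a list of SBOM scanner findings. The document is modelled on the OpenVEX shape (statuses `not_affected`, `affected`, `fixed`, `under_investigation`); the product identifier, the scanner findings and the statements themselves are constructed illustrations, not real assessments of the CVEs named. One statement deliberately omits the justification that a `not_affected` claim must carry, to show that a consumer should not honour it.

```python
import json
from typing import Dict, List, Tuple

# Justifications a VEX not_affected statement may carry (OpenVEX names).
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

PRODUCT = "pkg:generic/example-app@1.4.0"  # constructed product identifier

# Constructed VEX document in the OpenVEX shape. Illustrative only; the
# statements are not real assessments of these CVEs.
VEX_DOCUMENT = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/2022-12",
  "author": "example.com product security",
  "timestamp": "2022-12-02T17:19:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2022-42920"},
     "products": [{"@id": "pkg:generic/example-app@1.4.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2022-45047"},
     "products": [{"@id": "pkg:generic/example-app@1.4.0"}],
     "status": "affected",
     "action_statement": "Upgrade the bundled SSHD library; no workaround."},
    {"vulnerability": {"name": "CVE-2022-3023"},
     "products": [{"@id": "pkg:generic/example-app@1.4.0"}],
     "status": "not_affected"}
  ]
}
""")

# Constructed scanner output: what an SBOM scanner flagged for the product.
SCANNER_FINDINGS = [
    {"vuln": "CVE-2022-42920", "product": PRODUCT},
    {"vuln": "CVE-2022-45047", "product": PRODUCT},
    {"vuln": "CVE-2022-3023", "product": PRODUCT},
    {"vuln": "CVE-2022-41938", "product": PRODUCT},
]


def index_statements(vex: dict) -> Dict[Tuple[str, str], dict]:
    """Map (vulnerability, product) to its statement; later statements win."""
    index = {}
    for statement in vex["statements"]:
        for product in statement["products"]:
            index[(statement["vulnerability"]["name"], product["@id"])] = statement
    return index


def triage(findings: List[dict], vex: dict) -> List[dict]:
    """Attach a verdict and reason to each scanner finding using VEX."""
    index = index_statements(vex)
    results = []
    for finding in findings:
        statement = index.get((finding["vuln"], finding["product"]))
        if statement is None:
            verdict, reason = "actionable", "no VEX statement"
        elif statement["status"] == "not_affected":
            justification = statement.get("justification")
            impact = statement.get("impact_statement")
            if justification in VALID_JUSTIFICATIONS or impact:
                verdict, reason = "suppressed", f"not_affected: {justification or impact}"
            else:
                # A bare not_affected is not a valid VEX claim; keep the finding.
                verdict, reason = "actionable", "not_affected lacks a justification"
        elif statement["status"] == "fixed":
            verdict, reason = "suppressed", "fixed"
        elif statement["status"] == "affected":
            verdict, reason = "actionable", statement.get("action_statement", "affected")
        else:  # under_investigation
            verdict, reason = "actionable", statement["status"]
        results.append({**finding, "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for row in triage(SCANNER_FINDINGS, VEX_DOCUMENT):
        print(f'{row["vuln"]}: {row["verdict"]} ({row["reason"]})')
```

Only the finding backed by a justified `not_affected` statement is suppressed; the unjustified one, the `affected` one and the one with no statement at all stay on the work list.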
CISA has also published a study on the effectiveness of the CVSS base score equation that concluded that the calculation closely—though not perfectly—represents the expert opinion of CVSS maintainers.
The Daily Swig also recently reported on server configuration issues in Mastodon, the social networking platform of the moment, Tailscale VPN nodes being vulnerable to DNS rebinding, and an authentication bypass in a Go SAML library, among other things.
Here are some more cybersecurity stories and other infosec news that caught our attention over the past fortnight:
- Apache Commons BCEL / CVE-2022-42920 / CVSS 9.8 / Out-of-bounds write: APIs meant to change only specific class characteristics can be abused to produce arbitrary bytecode
- Apache MINA SSHD / CVE-2022-45047 / CVSS 9.8 / Insecure Java deserialization / Patched
- Flarum / CVE-2022-41938 / CVSS 9.0 / Cross-site scripting (XSS): malicious HTML markup could be injected via a discussion title, either when creating a new discussion or renaming one / Patched November 21
- TiDB / CVE-2022-3023 / CVSS 9.8 / Data source name (DSN) injection can lead to arbitrary file read / Patched November 17
Research and attack techniques
- Sonar published a three-part series documenting vulnerabilities in the IT infrastructure monitoring tool Checkmk and its NagVis integration; the bugs can be chained to take control of the monitoring server
- Platform certificates used by Android vendors to sign system apps have leaked and been used to sign malicious Android apps. “Folks, this is bad. Very very bad”, tweeted one Android expert
- Software engineer Tom Forbes uncovered a serious oversight by IT services firm Infosys: a file accidentally published to PyPI, and available for more than a year, contained AWS keys for an S3 bucket potentially holding Johns Hopkins University patient data
- Cybercriminals are luring TikTok users into downloading malware with the promise of removing TikTok's 'Invisible Body' filter from nude videos, Checkmarx reveals, with the attackers' TikTok videos racking up over a million views in just two days
Bug bounty / vulnerability disclosure
- Hacker extraordinaire Sam Curry revealed that he was part of a team that uncovered 100 vulnerabilities, 50 of them rated critical, through agricultural equipment maker John Deere's security program, with technical details in the pipeline
- Shubham Shah, HackerOne's leading Australian hacker and number 30 on its worldwide leaderboard, has published a deep dive into what it takes to succeed as a bug bounty hunter
- Belgium-based bug bounty and pen testing platform Intigriti has launched a Bug Bounty Calculator, as reported in our monthly Bug Bounty Radar
- Idaho has launched a vulnerability disclosure policy for its election websites, becoming the fourth US state to adopt one, StateScoop reports
New open source infosec/hacking tools
- Mix – Assesses how exploitable a system is by evaluating runtime execution, configuration, permissions, mitigations, OS and other relevant variables
- GuardDog – Identifies malicious Python packages using Semgrep rules and package metadata analysis
- Legitify – Discovers and remediates misconfigurations, security risks and compliance issues across your GitHub assets
- inthewild – Vulnerability feed documenting reports of CVEs being exploited in the wild
- APTRS (Automated Penetration Testing Reporting System) – Python and Django tool to track projects and vulnerabilities and generate reports without wrangling DOCX files
Finally, the United States National Security Agency (NSA) has released guidance (PDF) urging developers to abandon “programming languages that provide little or no inherent memory protection, such as C/C++, for a memory-safe language whenever possible”.