Deserialized web security roundup – Slack, Okta security breaches, lax US government passwords report, and more

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.

The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.

“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.

“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.

The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.

It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.

And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.

The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.

However, it ultimately found that it was able to recover nearly 14,000 employee passwords – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.

Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource sharing (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

Research and attack techniques

  • Researchers from SonarSource discovered an authentication bypass vulnerability and a command injection vulnerability in the open source web-based monitoring tool Cacti which, together, allowed unauthenticated exploitation.
  • A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
  • Also concerning PyPI, researcher Tom Forbes found 57 valid AWS keys present on the Python Package Index belonging to Amazon, Intel, and other organizations by scanning newly published packages with GitHub Actions.
  • A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
  • And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks.
  • Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
  • Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
  • And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022.
  • GCP Goat is a deliberately vulnerable Google Cloud environment featuring the latest OWASP Top 10 web application security risks and other misconfigurations, designed to help developers test their code in a cloud environment.
  • Another cloud-focused release, PEACH, is a tenant isolation framework for cloud applications that helps protect against malicious actors accessing “data belonging to other customers”, as happened in cases such as ChaosDB, ExtraReplica, and AttachMe.
  • Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs.
  • Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
  • Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”.
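The PyPI credential-leak finding above rests on a simple idea: pull each newly published distribution, unpack it, and pattern-match the text files for AWS credentials. The following is an added example written for this roundup, not code from Tom Forbes or from any project mentioned on the page. It builds a tiny source distribution in memory (constructed test data, using the placeholder key values from AWS's own documentation rather than any real credential), then walks the tarball and reports the file paths that contain an access key ID (AKIA/ASIA prefix plus 16 upper-case alphanumerics) or a 40-character secret sitting next to an `aws_secret_access_key`-style name. The regexes and the file layout are assumptions chosen for illustration; the real scanner's rules are not on the page.

```python
"""Scan a Python source distribution (sdist tarball) for leaked AWS credentials.

Added example for this roundup; not the original researcher's code.
"""
import io
import re
import tarfile

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters:
# a 4-character prefix followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. On their own
# they look like any random string, so only report one when it is assigned to
# something named like an AWS secret key (assumption: a reasonable heuristic).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text(text):
    """Return a list of (kind, value) findings for one text blob."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        findings.append(("access_key_id", m.group(1)))
    for m in SECRET_KEY_RE.finditer(text):
        findings.append(("secret_access_key", m.group(1)))
    return findings


def scan_sdist(tar_bytes):
    """Walk every regular file in an sdist tarball held in memory.

    Returns {member_name: [findings]} for members with at least one hit.
    Binary members (anything that is not valid UTF-8) are skipped.
    """
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            try:
                text = handle.read().decode("utf-8")
            except UnicodeDecodeError:
                continue
            hits = scan_text(text)
            if hits:
                results[member.name] = hits
    return results


def build_sample_sdist():
    """Construct a two-file sdist in memory for demonstration.

    The key values are the placeholders AWS uses in its documentation,
    not live credentials. Constructed test data, not a real package.
    """
    files = {
        "demo-0.1/demo/settings.py": (
            'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
            'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        ),
        "demo-0.1/README.md": "A harmless readme with no secrets.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, hits in scan_sdist(build_sample_sdist()).items():
        for kind, value in hits:
            print(f"{path}: {kind} = {value}")
```

In a CI job the `build_sample_sdist()` step would be replaced by downloading each new release's sdist (and wheels, which are zip files and need `zipfile` instead of `tarfile`). Note that an access key ID alone does not prove a live credential; the matching secret, or a test call with the pair, is what confirms validity, and any confirmed pair should go to the owner for rotation rather than be stored by the scanner.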

Source: https://portswigger.net/daily-swig/deserialized-web-security-roundup-slack-okta-security-breaches-lax-us-government-passwords-report-and-more-nbsp
