Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward.

The social media site historically enabled two-factor authentication (2FA) to all users, providing they connected their mobile phone number to their account.

This week, however, users were warned that this security option would no longer be available to users who did not pay for verification.

Of course, this sparked a huge backlash online, particularly among the majority of users with non-paying accounts.

It’s worth noting, though, that users can still use 2FA with third-party authentication apps such as Google Authenticator.

Elsewhere, web hosting provider GoDaddy announced it had fallen victim to a cyber-attack… and this was part of a campaign lasting almost three years.

The company announced in a statement that it had evidence of an intrusion that took place back in December 2022, when “a small number of customers” complained about their websites being intermittently redirected.

In a filing to the US Securities and Exchange Commission (PDF), the American domain registrar also divulged that it had evidence this attack was linked to an earlier incident in March 2020, when an attacker “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel”.

GoDaddy says it believes these attacks, together with a 2021 compromise of its hosted WordPress service, “are part of a multi-year campaign by a sophisticated threat actor group”.

Finally, the maintainers of newly resurfaced tool XSS Hunter announced the introduction of optional end-to-end (e2e) encryption to its fork after a backlash from privacy-conscious users.

Truffle Security, which launched a new fork of the open source utility after its deprecation by original creator Matthew Bryant, was criticized earlier this month for inspecting potentially sensitive data generated by users after it shared anonymized statistics about the vulnerabilities unearthed.

As reported by The Daily Swig, users have now been reassured that e2e encryption has been added to the fork in a statement given by Truffle Security’s founder.

We also recently reported that Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, and how Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.


Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

  • FortiNAC / Critical / Unauthenticated RCE / An external control of file name or path in certain Fortinet FortiNAC versions allows attackers to execute unauthorized code / Patched and disclosed February 16
  • Node.js / Medium / CRLF injection / The fetch API in Node.js did not prevent CRLF injection in the host header, potentially allowing attacks such as HTTP response splitting and HTTP header injection / Patched and disclosed February 16
  • Node.js / High / Permissions policy bypass / Non-authorized modules potentially accessible via process.mainModule.require() / Patched and disclosed February 16
  • Kardex MLOG / Severity TBC / RCE / SSTI to RCE due to a sanitization issue in an industrial web interface / Patched January 24, disclosed February 7
  • Apache Kerby / LDAP injection / Vulnerability exists in LdapIdentityBackend / Patched and disclosed February 20

Research and attack techniques

A security researcher has praised the merits of hacking on Apple’s bug bounty program

Bug bounty/vulnerability disclosure

  • A write-up from security researcher Omar Hashem, who fully took over a HubSpot account, details his failures on the path to exploitation. Research is inherently about trial and error, yet few write-ups shared online talk about the things that didn’t work.
  • A researcher calling themselves ‘infiltrateops’ shared details on how they were awarded a decent payout from Apple and lauded the response from its security team.
  • Google released a review of all of the bugs found in its vulnerability reward program in 2022, revealing it fixed more than 2,900 issues in that year alone.

New open source security tools

  • Legitify, a tool for detecting and remediating security issues across GitHub and GitLab assets, added support for GPT-based misconfiguration scanning.
  • GuardDog, a tool used to identify malicious Python packages using Semgrep and package metadata analysis, has been updated to provide npm support, new heuristics, and easier CI integration.

*PortSwigger is the parent company of The Daily Swig.

Source: https://portswigger.net/daily-swig/deserialized-web-security-roundup-twitter-2fa-backlash-godaddy-suffers-years-long-attack-campaign-and-xss-hunter-adds-e2e-encryption
