Tag: Failure | SpinSafe

Failure to verify OAuth tokens enables account takeover on websites

October 27, 2023/in Internet Security

If that site is an e-commerce platform like Bukalapak, the user might have billing and payment information stored in their profile. If it’s a service like Grammarly, the user might have sensitive documents and so on.

Other variations and implementation oversights

OAuth is a complex standard and allows for various implementation variants. For example, instead of using redirect URLs between the site and the identity provider, the site might choose to use the PostMessage feature, but the attack is still possible in such an implementation if the token is not validated.

Passing tokens via URLs is potentially vulnerable to man-in-the-middle attacks if an attacker has the ability to passively monitor traffic and just extract the OAuth token from the URL they observe. Because of this, OAuth also provides a more secure approach where the identity provider issues a one-time code instead of an access token, then the website takes that code together with an application secret only itself and Facebook knows and exchanges the code into a token using the Facebook API.

Grammarly actually used this more secure code-based approach when the Salt Security team tested its OAuth implementation. However, the researchers saw the Grammarly OAuth script took requests with the entry code in the request and wondered if it may include a function that takes tokens as well. Therefore, they tried making requests by replacing code with different words like token, facebookToken, FBtoken and different variations, until they found that access_token worked and was accepted.

In other words, they managed to downgrade Grammarly’s implementation to the more secure variant because the code to handle tokens directly instead of code was still left in the script as an option. And it turned out, there was no token validation step to check for the app ID.

The Salt Security researchers found other OAuth implementation flaws in major websites in the past, including some that could have given attackers access to Booking.com accounts. “It’s extremely important to make sure your OAuth implementation is secure,” the researchers said. “The fix is just one line of code away…. When OAuth is used to…

Source…

Owo Attack: Owo Monarch Laments Failure Of Security Agencies to … – YouTube

June 5, 2023/in Mobile Security

Owo Attack: Owo Monarch Laments Failure Of Security Agencies to … YouTube

Source…

Engineer’s Failure to Update Plex Software Led to Massive Data Breach

March 7, 2023/in Computer Security

Mar 07, 2023Ravie LakshmananPassword Security / Software Update

The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what’s a sobering reminder of the dangers of failing to keep software up-to-date.

The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details “available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack” between August and October 2022.

The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information.

The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with a keylogger malware to obtain the credentials and breach the cloud storage environment.

This, in turn, is said to have been made possible by exploiting a nearly three-year-old now-patched flaw in Plex to achieve code execution on the engineer’s computer, the streaming media service told The Hacker News in a statement.

The vulnerability in question is CVE-2020-5741 (CVSS score: 7.2), a deserialization flaw impacting Plex Media Server on Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.

“This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it,” Plex said in an advisory released at the time.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

The shortcoming, which was discovered and reported to Plex by Tenable in March 2020, was addressed by Plex in version 1.19.3.2764 released on May 7, 2020. The current version of Plex Media Server is 1.31.1.6733.

“Unfortunately, the LastPass employee…

Source…

The True Cause of Cybersecurity Failure and How to Fix It

April 5, 2022/in Computer Security

Veteran software developer David A. Kruger offered some thoughts on computer security recently at Expensivity and we appreciate the opportunity to republish them here. He starts with “Root Cause Analysis 101”

The classic line “I have a bad feeling about this” is repeated in every Star Wars movie. It’s become a meme for that uneasy feeling that as bad as things are now, they are about to get much worse. That’s an accurate portrayal of how many of us feel about cybersecurity. Our bad feeling has a sound empirical basis. Yearly cybersecurity losses and loss rates continually increase and never decrease despite annual US cybersecurity expenditures in the tens of billions of dollars and tens of millions of skilled cybersecurity man-hours. Cybersecurity’s record of continuously increasing failure should prompt thoughtful observers to ask questions like “Why are cybersecurity losses going up? Why isn’t cybersecurity technology reducing them? Are there things we don’t understand or are overlooking?”

That’s easy to answer: Of course, there are! After spending this much time, money, and brainpower on cybersecurity without managing to decrease losses, much less eliminating them, it’s painfully obvious something isn’t right.

This article explains what we get wrong about cybersecurity, how and why we get it wrong, and how to fix it. Fair warning: it’s a long and bumpy road. There a healthy dose of counterintuitive assertions, cybersecurity heresy, and toes stepped on, but at roads end you’ll know what the true cause of cybersecurity failure is and how to fix it.

Part One – Cybersecurity Technology

The Heart of the Matter

When confronted with a chronic problem, we human beings are prone to err by trying solutions without first asking the right questions. We tend to ask, “How do we stop this now?” and fail to ask, “What’s causing this?” Then we are shocked when our fixes don’t last. This tendency is so common that safety engineers developed a formal analytical method called a root cause analysis to prevent this error. Root cause analysis is designed to find unidentified causes of recurring…

Source…

Tag Archive for: Failure

Other variations and implementation oversights

Part One – Cybersecurity Technology

The Heart of the Matter