Web Security Training

Navigating the web security landscape

The websec digest #6

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to the nifty JavaScript attack that used steganography to hide malware code in images, to bypass scanning software.

The biggest story of this edition is the advertisement malware attack that has hit millions of users. The attack used legitimate-looking JavaScript, combined with legitimate-looking images. However, the JavaScript code actually extracted information from the image’s alpha channel, created code from that information, and executed it. Through these steganographic mechanisms, the malware succeeded in bypassing filters that scan advertisements for malware, thereby successfully targeting millions of users.

Last week, it was announced that DailyMotion, one of the bigger video-sharing platforms, was compromised and lost information on about 85 million accounts. Of these accounts, about 20% had password information associated with them, which was fortunately stored with the secure BCrypt function.

Right after the release of the previous digest, stories started appearing of ISP routers getting compromised by botnet software. A modified version of the Mirai worm succeeded in compromising nearly a million routers in Germany, and the attack hit the UK as well. The culprit? The wide open management interface running on port 7547 that could easily be used to take control of the device.

Last week, a reader sent me an interesting article about changes when using OAuth 2.0 with Google in embedded browsing contexts. Many applications use their embedded browsing contexts to run their own authentication flow against identity providers such as Google, which negates the single sign-on advantage. Instead, Google will require the use of a centralized OAuth library, such as Google Sign-in or AppAuth.

And as usual, we end this edition with some positive news, as a few more steps towards an encrypted web have been taken. Two weeks ago, The Guardian released a report about how they made the move towards HTTPS. The essence of that story is twofold: gradually upgrade parts of your site to HTTPS, and use Content Security Policy to detect mixed content. A few days later, Sourceforge announced HTTPS support for all their projects as well, albeit only if you enable the option in the management interface.
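The second half of that advice, using Content Security Policy to detect mixed content, works by shipping a report-only policy that permits only `https:` sources, so every `http:` sub-resource on an HTTPS page produces a violation report instead of being blocked. The snippet below is an added example, not code from The Guardian's report or from Sourceforge: it builds such a policy and triages the JSON violation reports that browsers POST back, keeping only the ones that point at a genuinely mixed-content resource. The `/csp-report` endpoint and the sample reports are constructed for the example.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical reporting endpoint on your own origin (constructed for this example).
REPORT_ENDPOINT = "/csp-report"
# Deliver the policy in report-only mode so nothing is blocked while you migrate.
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"


def build_mixed_content_policy(report_endpoint: str = REPORT_ENDPOINT) -> str:
    """Return a CSP value that restricts only the *scheme* of sub-resources.

    Scheme-only sources (https:, wss:) do not restrict hosts, so the policy
    is permissive enough to run site-wide, yet any http: or ws: load on an
    HTTPS page violates it and triggers a report to report_endpoint.
    """
    return (
        "default-src https: 'unsafe-inline' 'unsafe-eval'; "
        "connect-src https: wss:; "
        f"report-uri {report_endpoint}"
    )


def classify_report(report_json: str, page_scheme: str = "https") -> Optional[dict]:
    """Parse one CSP violation report (as POSTed by the browser).

    Returns a summary dict when the report describes mixed content on an
    HTTPS document, otherwise None (e.g. reports about inline scripts).
    """
    body = json.loads(report_json).get("csp-report", {})
    blocked = body.get("blocked-uri", "")
    document = body.get("document-uri", "")
    # Inline/eval violations carry the keywords "inline"/"eval", not a URL,
    # so urlsplit yields an empty scheme and they are skipped here.
    if urlsplit(blocked).scheme not in ("http", "ws"):
        return None
    if urlsplit(document).scheme != page_scheme:
        return None
    return {
        "page": document,
        "resource": blocked,
        "directive": body.get("violated-directive", ""),
    }


def find_mixed_content(reports: list) -> list:
    """Triage a batch of raw report bodies; keep only mixed-content findings."""
    findings = [classify_report(r) for r in reports]
    return [f for f in findings if f is not None]


# Constructed sample reports, shaped like the JSON browsers send to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/article",
        "blocked-uri": "http://cdn.example.com/logo.png",
        "violated-directive": "img-src https:",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/article",
        "blocked-uri": "inline",
        "violated-directive": "script-src https:",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/live",
        "blocked-uri": "ws://chat.example.com/socket",
        "violated-directive": "connect-src https: wss:",
    }}),
]

if __name__ == "__main__":
    print(f"{REPORT_ONLY_HEADER}: {build_mixed_content_policy()}")
    for finding in find_mixed_content(SAMPLE_REPORTS):
        print(f"mixed content on {finding['page']}: {finding['resource']}")
```

Once the report log stops showing `http:` resources for a section of the site, that section can be switched from the report-only header to an enforcing `Content-Security-Policy`, which is the gradual upgrade path the article describes.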

Upcoming Events

As the year is coming to an end, so are the scheduled events for 2016. However, next year, there will be plenty of talks you can attend:

  • On February 23rd, I’ll be speaking about Frontend Security at the JSBE meetup (23/02/2017)
  • In March, I will be participating in the first Devoxx US, where I will talk about Spring Security Headers

As usual, you can find the full list of events on my speaking page.
