The websec digest #7
This is the last websec digest of 2016, thanks for reading! We will kick off 2017 with the first digest somewhere in mid-January, where we will catch up on everything that happened during the holiday period. If you’re wondering about our other activities, check out our Review of 2016.
In the very first websec digest, we already wrote about a massive data breach at Yahoo!, where information on half a billion accounts was stolen. This time it’s even worse: data from more than 1 billion accounts seems to have been stolen in 2013. And the size of the breach is not the only shocking fact. It turned out that Yahoo! hashed passwords with MD5, a fast general-purpose hash that was never meant for password storage and that lets an attacker test enormous numbers of guesses against a leaked table, and relied on a session management scheme in which an attacker could forge cookies and get into accounts without knowing the password. These two screwups are likely only an indicator of the security culture at Yahoo!. To top the story off, the database of 1 billion accounts is for sale for only $300,000 …
The second story is another illustration of security incompetence (a close runner-up for the headline), this time by router manufacturer NETGEAR. The web interface of their routers is vulnerable to straightforward command injection, without the attacker even having to authenticate: input from the request ends up in a shell command executed on the device. The vulnerability affects a whole series of NETGEAR devices, and it took a while before a fix became available. The situation was so severe that advisories were issued recommending that affected NETGEAR routers be turned off until patched.
In related news, details on a malvertising campaign that explicitly targets home routers have been uncovered. The campaign uses WebRTC to determine the visitor’s local IP address; since a home router almost always sits at the first address of that subnet, this lets the malicious ad reliably guess the router’s IP address and go after it from inside the browser.
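How the local-IP trick works, as an added example written for this digest (not the campaign’s code): a page opens a WebRTC peer connection, reads the host ICE candidates the browser generates, pulls the private IPv4 address out of the candidate line and derives the likely router addresses. The candidate strings used for testing are constructed; in a browser, `collectLocalIps()` gathers real ones.

```javascript
// Added example, not the campaign's code. Candidate strings are constructed.
const PRIVATE_V4 = [
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
  /^192\.168\.\d{1,3}\.\d{1,3}$/,
];

const isPrivateV4 = (ip) => PRIVATE_V4.some((re) => re.test(ip));

// ICE candidate line: "candidate:<foundation> <component> <proto> <priority>
// <address> <port> typ <type> ...". Host candidates carry the address of a
// local interface; srflx/relay candidates carry public addresses and are skipped.
function ipFromCandidate(candidate) {
  const fields = candidate.trim().split(/\s+/);
  if (fields.length < 8 || !fields[0].startsWith('candidate:')) return null;
  const typIdx = fields.indexOf('typ');
  if (typIdx < 0 || fields[typIdx + 1] !== 'host') return null;
  const ip = fields[4];
  return isPrivateV4(ip) ? ip : null;
}

// Home routers nearly always live at .1 (sometimes .254) of a /24, so the
// local address narrows the router down to a couple of guesses.
function routerGuesses(localIp) {
  const prefix = localIp.split('.').slice(0, 3).join('.');
  return [`${prefix}.1`, `${prefix}.254`];
}

// Browser side: a peer connection with a data channel is enough to trigger ICE
// gathering; no media permission is needed. Guarded so the pure functions
// above also load under Node.
function collectLocalIps(timeoutMs = 1000) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);
    const ips = new Set();
    const pc = new RTCPeerConnection({ iceServers: [] });
    pc.createDataChannel('probe');
    pc.onicecandidate = (ev) => {
      if (!ev.candidate) return;
      const ip = ipFromCandidate(ev.candidate.candidate);
      if (ip) ips.add(ip);
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve([...ips]); }, timeoutMs);
  });
}
```

Once the ad knows the router is at, say, 192.168.1.1, it can fire requests at its web interface from the victim’s browser. Note that current browsers replace the address in host candidates with an mDNS name (something.local) unless the page already holds camera or microphone permission, so the technique worked far more reliably in 2016 than it does today.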
Another story from the advertising world concerns a Russian operation that generated fraudulent advertising activity. While ad fraud may seem like a known problem, it is again the scale that makes it newsworthy: the operation brought in approximately 3 to 5 million dollars per day! The operation, named MethBot, cleverly impersonated the behavior of real users, driving a real browser, keeping to business and night hours, and so on.
Fortunately, we can conclude the digest with some positive news. Microsoft has announced the next step in improving Edge: favoring HTML5 over Flash content, and making Flash click-to-run. While this move will improve performance and battery life, it is definitely a security improvement as well. Many Flash files can be abused to get malicious script running in the context of the embedding page, and vulnerabilities in the Flash Player itself are routinely used to launch attacks against the user’s machine.
2016 was a busy year for our Web Security Training activities, as you can read in our Review of 2016. And 2017 is already shaping up to be even better:
- On February 23rd, I’ll be speaking about Frontend Security at the JSBE meetup (23/02/2017)
- From February 27th till March 3rd, I will be at SecAppDev 2017, where I will be taking care of the practical details and talking about various Web Security topics
- In March, I will be participating in the first Devoxx US, where I will talk about Spring Security Headers
- Right after Devoxx US, I am giving a workshop on Secure OAuth 2.0 at EmberConf, together with the awesome Balint Erdi.
As usual, you can find the full list of events on my speaking page.
Philippe De Ryck