The websec digest #11
Google caused a lot of headlines with a single blog post titled “Announcing the first SHA1 collision”. In a nutshell, researchers at Google succeeded in creating two PDF documents with differing contents but the same SHA1 checksum. This essentially means that SHA1 can no longer be relied upon to ensure the integrity of a file, since an attacker can generate a malicious file with the same checksum as a benign one. Note that this is a collision attack, in which the attacker crafts both files; it does not let an attacker match the checksum of an arbitrary existing file.
So, what does this really mean? SHA1 has been deprecated for more than 5 years, meaning that the stronger SHA2 or SHA3 algorithms should already be in use. Unfortunately, many vendors and products still depend on it, so the theoretical weaknesses that were already known have now become practical. As a side note, keep in mind that the attack requires specific conditions and a lot of computing power.
Nonetheless, if you still depend on SHA1, start fixing that today.
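To make the "start fixing that today" advice concrete, here is an added example (not code from the original post or from Google's research) of an integrity check that refuses weak algorithms, compares digests in constant time, and re-hashes a legacy manifest of SHA1 digests to SHA-256. The manifest format, the `WEAK_ALGORITHMS` policy and the sample file contents are assumptions constructed for this example.

```python
import hashlib
import hmac

# Assumption for this example: digests produced with these algorithms are no longer
# accepted as proof of integrity, because collisions can be produced for them.
WEAK_ALGORITHMS = {"md5", "sha1"}


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data, refusing algorithms that are not collision resistant."""
    if algorithm.lower() in WEAK_ALGORITHMS:
        raise ValueError(f"{algorithm} is not collision resistant; use sha256 or sha3_256")
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True if data hashes to expected_hex; the comparison is constant-time."""
    actual = file_digest(data, algorithm)
    return hmac.compare_digest(actual, expected_hex)


def migrate_manifest(manifest: dict, files: dict) -> dict:
    """Re-hash every manifest entry recorded with a weak algorithm.

    manifest maps file name -> (algorithm, hex digest); files maps file name -> bytes.
    Entries that already use a strong algorithm are copied unchanged.
    """
    migrated = {}
    for name, (algorithm, digest) in manifest.items():
        if algorithm.lower() not in WEAK_ALGORITHMS:
            migrated[name] = (algorithm, digest)
            continue
        # The old digest is checked only to confirm we are re-hashing the bytes the
        # manifest was written for; it proves nothing against a crafted collision.
        legacy = hashlib.new(algorithm, files[name]).hexdigest()
        if not hmac.compare_digest(legacy, digest):
            raise ValueError(f"{name}: stored {algorithm} digest does not match current contents")
        migrated[name] = ("sha256", hashlib.sha256(files[name]).hexdigest())
    return migrated


if __name__ == "__main__":
    # Constructed sample input: a one-file manifest still recorded with SHA1.
    sample_files = {"release.txt": b"hello"}
    legacy_manifest = {"release.txt": ("sha1", "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d")}
    new_manifest = migrate_manifest(legacy_manifest, sample_files)
    print(new_manifest)
    print(verify_integrity(sample_files["release.txt"], new_manifest["release.txt"][1]))
```

The migration step deliberately keeps the legacy check in place only as a sanity check on the input bytes; once the new manifest is written, any remaining SHA1 consumer should be switched to `verify_integrity` with the SHA-256 entry.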
The modern web is a complex ecosystem, and the security vulnerability that Cloudflare suffered from is a perfect illustration of this. Cloudflare offers various kinds of security services by tunneling website traffic through their networks. Examples of these services are DDoS protection, HTTPS, etc. Some of these features require the capability to rewrite HTML on the fly, and that’s where things went wrong …
It turns out that on very rare occasions (1 in 3 million requests), a parser bug would be triggered, causing the insertion of random chunks of memory into the pages. This resulted in the leakage of private information, POST bodies, cookies, etc. And the worst part is that some of these results were actually cached by search engines.
It also needs to be said that Cloudflare took immediate action upon discovery of the problem, and was able to fix the issue and its fallout in less than a day. Even though it’s unlikely that the bug was actively exploited, it may still be wise to change your credentials on critical services that are running on Cloudflare.
Last week, an outage at Amazon AWS took down a major part of the Internet. You probably noticed this in various different ways. I surely did, as I was using both Buffer and MailChimp while running the SecAppDev course.
The true reason for the outage was a simple human error, so this incident is not really related to security. But the massive scale of the consequences calls for a moment of reflection, especially on security. What if AWS suffers from a security incident in the future? How much of the Internet can be affected by hacking a single target? How accessible is data stored on AWS services?
Surely, these questions make you feel a bit uncomfortable, but they definitely deserve some thought and discussion.
While everybody is talking about these latest attacks, it is easy to lose sight of traditional security problems plaguing the web. It turns out that the popular WordPress plugin NextGEN Gallery, with more than 1 million installs, has a severe SQL injection flaw. The flaw gives an unauthenticated user the capability to extract data from the database. The full details on the vulnerability are available here.
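The root cause of this class of flaw is user input being concatenated into a SQL statement. The following added example (not code from NextGEN Gallery or from the vulnerability write-up; it shows the general pattern, not the plugin's actual query) contrasts a lookup built by string concatenation with the same lookup using parameter binding. The `gallery` table, its rows and the function names are constructed for this example.

```python
import sqlite3


def demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not the plugin's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO gallery (name, owner) VALUES (?, ?)",
        [("holiday", "alice"), ("private", "bob")],
    )
    return conn


def find_gallery_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation: the input becomes part of the SQL grammar, not just a value."""
    sql = "SELECT name, owner FROM gallery WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_gallery_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver always treats the input as a string value."""
    return conn.execute(
        "SELECT name, owner FROM gallery WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    # A value that closes the quoted string and appends an always-true condition.
    crafted = "x' OR '1'='1"
    print("vulnerable:", find_gallery_vulnerable(conn, crafted))  # every row leaks
    print("safe:      ", find_gallery_safe(conn, crafted))        # no row matches
```

In WordPress plugin code the same principle applies: any value that reaches a query should go through the database layer's placeholder mechanism rather than being spliced into the SQL string, and a query that cannot be parameterized (for example a column name taken from a request) should be checked against an allow-list first.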
And to conclude with a note of positive news, Google announced that they will be increasing the security of their browser on macOS. The upcoming Chrome release will include the Settings API, which will trigger warnings when an unwanted change in the user’s settings is detected. This should make certain types of attacks more difficult, and prevent users from unwillingly installing malicious software.
What is your take on this news? What stories do you consider newsworthy? Let me know in the comments below.
Upcoming Events
The highlight for this digest is the Web Security Essentials course:
- On April 24 and 25, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.
As usual, you can find the full list of events on my speaking page.
Philippe De Ryck