The websec digest #14

The phone system the whole world depends on has a couple of security flaws, and most of them have been known for quite a while. Now, these weaknesses have been exploited in a major attack, where the victim’s bank accounts were drained.

In the attack, the attackers abused the SS7 protocol to redirect text messages from the banks, allowing them to bypass additional authentication factors to authorize transactions. This is precisely why NIST has advised against using SMS-based systems as a second factor of authentication.

Of course, it’s always easy to say “I told you so” in hindsight, but nonetheless, this attack is something to take seriously.

Last week, there was a lot of chatter about a phishing attack abusing Google’s OAuth 2.0 mechanism. The phishing attack consisted of a mail about someone sharing a Google Docs document with you, and it looked legitimate. The link pointed towards Google’s OAuth 2.0 authorization page, and the app listed there looked exactly like Google Docs. Except it wasn’t.

It was a rogue application, using the same name and logo, and it tricked users into giving it a lot of permissions to their account. Fortunately, Google has blocked the attack from happening, revoked all granted permissions and removed the pages associated with it. Maybe it’s not a bad idea to show a bit more information to the user when granting permissions using an OAuth 2.0 flow.

If you’ve been following security news, you probably heard about haveibeenpwnd.com, the site keeping track of public data breaches, so you can see when your data has been compromised. This week, it was announced that over 1 billion records from two lists that are currently for sale, are being loaded into the database. This will be some bad news for a lot of people.

Do one security thing today. Go to haveibeenpwnd.com, and subscribe yourself to the notifications, so you’ll at least know when your data has been leaked.

The past two weeks have not been a good week for CMS platforms, especially in terms of XSS. Multiple XSS vulnerabilities have been discovered in Joomla! core, allowing the bypassing of both server-side sanitization filters and client-side protection mechanisms. A few days before, someone discovered a reflected XSS vulnerability in a popular WorPress plugin (WP Statistics).

If you’re running this software, it’s time to update as soon as possible!

To end the digest with a positive note, the Google Chrome team has announced additional actions to be taken against insecure HTTP sites. Starting from October, any HTTP page that requests user input will be marked as insecure. Similarly, visiting an HTTP page in incognito mode will explicitly trigger the insecure flag in the UI.

Upcoming Events

I’ve just completed a couple of trainings on web security, including a two-day training on building secure Angular applications. If you’re looking for something similar for your company, don’t hesitate to get in touch.

In the coming month, you can catch me speaking at the following events:

• I’ll be talking on security in Angular applications, and more specifically on session management, at AppSec EU in Ireland.
• On June 22nd, I’ll be giving a similar talk at Voxxed Days Luxembourg

As usual, you can find the full list of events on my speaking page.