Web Security Training

Navigating the web security landscape

Navigating the web security landscape


The websec digest #14

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition's headline is another bank technology-based bank heist. This time, the attackers abused weaknesses in the phone system to intercept SMS messages, allowing them to bypass 2FA.

The phone system the whole world depends on has a couple of security flaws, and most of them have been known for quite a while. Now, these weaknesses have been exploited in a major attack, where the victim’s bank accounts were drained.

In the attack, the attackers abused the SS7 protocol to redirect text messages from the banks, allowing them to bypass additional authentication factors to authorize transactions. This is precisely why NIST has advised against using SMS-based systems as a second factor of authentication.

Of course, it’s always easy to say “I told you so” in hindsight, but nonetheless, this attack is something to take seriously.

Last week, there was a lot of chatter about a phishing attack abusing Google’s OAuth 2.0 mechanism. The phishing attack consisted of a mail about someone sharing a Google Docs document with you, and it looked legitimate. The link pointed towards Google’s OAuth 2.0 authorization page, and the app listed there looked exactly like Google Docs. Except it wasn’t.

It was a rogue application, using the same name and logo, and it tricked users into giving it a lot of permissions to their account. Fortunately, Google has blocked the attack from happening, revoked all granted permissions and removed the pages associated with it. Maybe it’s not a bad idea to show a bit more information to the user when granting permissions using an OAuth 2.0 flow.

If you’ve been following security news, you probably heard about haveibeenpwnd.com, the site keeping track of public data breaches, so you can see when your data has been compromised. This week, it was announced that over 1 billion records from two lists that are currently for sale, are being loaded into the database. This will be some bad news for a lot of people.

Do one security thing today. Go to haveibeenpwnd.com, and subscribe yourself to the notifications, so you’ll at least know when your data has been leaked.

The past two weeks have not been a good week for CMS platforms, especially in terms of XSS. Multiple XSS vulnerabilities have been discovered in Joomla! core, allowing the bypassing of both server-side sanitization filters and client-side protection mechanisms. A few days before, someone discovered a reflected XSS vulnerability in a popular WorPress plugin (WP Statistics).

If you’re running this software, it’s time to update as soon as possible!

To end the digest with a positive note, the Google Chrome team has announced additional actions to be taken against insecure HTTP sites. Starting from October, any HTTP page that requests user input will be marked as insecure. Similarly, visiting an HTTP page in incognito mode will explicitly trigger the insecure flag in the UI.

Upcoming Events

I’ve just completed a couple of trainings on web security, including a two-day training on building secure Angular applications. If you’re looking for something similar for your company, don’t hesitate to get in touch.

In the coming month, you can catch me speaking at the following events:

As usual, you can find the full list of events on my speaking page.


Comments & Discussion