The websec digest #17
Everybody is familiar with common password reset processes, such as security questions or SMS codes. Researchers have found a clever man-in-the-middle attack against these schemes, by providing a seemingly correct context. The paper is easy to understand, so I definitely encourage you to take a closer look at what’s happening.
The proposed defenses tie the security questions or SMS code to a specific application. This helps users identify the correct context and detect that something fishy is going on. Of course, the best defense is origin-bound authentication tokens, such as U2F Yubikeys.
A common way to bypass authorization systems is to use direct object references to access information. If an application fails to explicitly check object ownership before granting access, it’s in a world of trouble. This problem seems so simple that it’s often dismissed as a non-issue. But don’t be fooled by its simplicity. Tumblr recently had such an insecure direct object reference, allowing someone to edit and inject content into 24 million domains.
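To make the ownership check concrete, here is an added example (not code from the newsletter or from Tumblr) of a content-editing handler that trusts the client-supplied object id, beside the version that derives authorization from the session identity. The domain ids, user names and records are constructed for the illustration.

```python
import copy

# Constructed sample data: domain records keyed by the id clients send.
SAMPLE_DOMAINS = {
    101: {"owner": "alice", "content": "Alice's page"},
    202: {"owner": "bob", "content": "Bob's page"},
}

class Forbidden(Exception):
    """Raised when the caller may not act on the referenced object."""

def update_content_vulnerable(store, session_user, domain_id, new_content):
    # The caller is authenticated (session_user is trusted), but the object
    # is fetched by the client-supplied id alone. Nothing relates the record
    # to the caller, so any logged-in user can rewrite any domain by id.
    record = store[domain_id]
    record["content"] = new_content
    return record

def update_content_hardened(store, session_user, domain_id, new_content):
    # Authorization is derived from the session identity, never from the id
    # the client sent: the owner must match before any write happens.
    record = store.get(domain_id)
    if record is None or record["owner"] != session_user:
        # One response for "no such id" and "not yours", so the endpoint
        # does not reveal which ids exist.
        raise Forbidden(f"{session_user} may not edit domain {domain_id}")
    record["content"] = new_content
    return record

def run_case(handler, session_user, domain_id, new_content, observe=101):
    """Run a handler against a fresh copy of the data.

    Returns (edit_succeeded, content_of_observed_domain_afterwards).
    """
    store = copy.deepcopy(SAMPLE_DOMAINS)
    try:
        handler(store, session_user, domain_id, new_content)
        ok = True
    except (Forbidden, KeyError):
        ok = False
    return ok, store[observe]["content"]

if __name__ == "__main__":
    print("vulnerable, bob edits alice's domain:",
          run_case(update_content_vulnerable, "bob", 101, "injected"))
    print("hardened, bob edits alice's domain:",
          run_case(update_content_hardened, "bob", 101, "injected"))
```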
Data breaches are ugly, but if you handle them correctly, your customers will likely forgive you and keep trusting you. A good example of how not to handle a data breach comes from a UK car insurance company. After rumors about a serious data breach started circulating, the company told users their data was secure. A week later, it turned out that information on more than 100,000 customers had been stolen, along with partial credit card information. None of the customers was informed about the breach.
The next story falls within the same domain. A South Korean hosting provider agreed to pay $1 million after they got hit by ransomware. Definitely a worrisome trend that may upset the whole ecosystem of ransomware. For more information, take a look at Jeremiah Grossman’s entertaining talk on the history of the ransom economy.
The positive note to conclude this newsletter comes from CA-land this time. WoSign, the Chinese CA that was distrusted by Chrome and Firefox for misconduct, is working hard to get its business in order. They have fixed the problems in their infrastructure and just passed their security audit. Let this story be an inspiration to do the right thing from day 1!
Summer has arrived, so the conference scene is quieting down for a couple of months. But that doesn’t mean that nothing is happening:
- I am working hard on a free online course on web security, which should give every developer a head start on security. The course will be released in October, but you can already sign up!
- In December, I’ll be teaching a one-day workshop on Angular security at the NG-BE conference. Tickets are on sale, so don’t wait too long to book your seat!
As usual, you can find the full list of events on my speaking page.
Philippe De Ryck