Web Security Training

Navigating the web security landscape

The websec digest #18

The websec digest gives you a brief overview of significant incidents, technologies, and upcoming events. This edition's headline features a severe vulnerability in the Cisco WebEx browser extension. Take five minutes today to address it.

Tavis Ormandy reported on another severe vulnerability in Cisco’s WebEx browser extensions. The vulnerability affects Chrome and Firefox extensions on Windows.

By abusing the vulnerability, an unauthenticated, remote attacker can execute arbitrary code. The injected code runs on your local system with the privileges of the browser. Patches are available, so apply them ASAP.

You should also consider installing WebEx in a separate Chrome profile. Doing so only takes a few minutes to set up. It is a user-friendly way to ensure that WebEx is only running when you need it.

In a previous digest, we covered an attack against SMS-based multi-factor authentication. In this particular attack, the adversary took control of the victim’s phone number. This attack is one example, but more severe attacks exist as well.

The extra security of SMS-based multi-factor authentication is limited. That’s why Google is changing its multi-factor authentication scheme. They are moving away from SMS codes in favor of an app-based approach. In the new approach, a user authorizes an authentication with a prompt on their smartphone. A usability improvement, and a security improvement!

The next story stays in the same space. Did you know that MySpace, the social network that once ruled the world, is still around? Of course, the MySpace users from back in the day have long forgotten their passwords. And they are probably no longer using that email address from back then either.

This combination poses a challenge if you want to allow your users to recover their account. MySpace tried to work around these limitations but fumbled the ball. Their account recovery procedure only asks for your full name, username, and date of birth. As you can imagine, this is all public information. So anyone can recover arbitrary accounts.

If you were an active MySpace user, you might have some content on there that you want to keep private (or forget about). So reset your account now, before someone else does.
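To make the recovery weakness concrete, here is the knowledge-based check described above next to a token-based flow that ties recovery to something the attacker does not have: access to the inbox on file. This is an added example, not MySpace's code or anything from the original post; the `USERS` record, the e-mail address and the in-memory `PENDING_RESETS` store are constructed for the example, and a real system would keep them in its database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user record. In a real system this comes from the user database.
USERS = {
    "alice": {
        "full_name": "Alice Example",
        "birth_date": "1985-04-12",
        "email": "alice@example.com",
    }
}


def recover_weak(username, full_name, birth_date):
    """Knowledge-based recovery of the kind described above: anyone who knows
    three pieces of public information gets control of the account."""
    user = USERS.get(username)
    if user is None:
        return False
    return user["full_name"] == full_name and user["birth_date"] == birth_date


TOKEN_TTL_SECONDS = 15 * 60
# Only the hash of each issued token is stored, so a database leak does not expose live tokens.
PENDING_RESETS = {}  # username -> (sha256 hex of token, expiry timestamp)


def start_recovery(username, now=None):
    """Issue a single-use, short-lived random token.

    Returns (delivery_address, token) so the caller can send the token to the
    address on file. The HTTP layer must show the same "check your inbox"
    message whether or not the username exists, and must never display the token."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    PENDING_RESETS[username] = (token_hash, now + TOKEN_TTL_SECONDS)
    return user["email"], token


def finish_recovery(username, token, now=None):
    """Accept the token exactly once, and only before it expires."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.get(username)
    if pending is None:
        return False
    stored_hash, expires_at = pending
    if now > expires_at:
        del PENDING_RESETS[username]
        return False
    supplied_hash = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(stored_hash, supplied_hash):
        return False
    del PENDING_RESETS[username]  # single use: a replayed token is rejected
    return True


if __name__ == "__main__":
    print("weak recovery with public data:", recover_weak("alice", "Alice Example", "1985-04-12"))
    address, token = start_recovery("alice")
    print("token would be mailed to", address)
    print("token accepted:", finish_recovery("alice", token))
    print("same token again:", finish_recovery("alice", token))
```

The hardened flow still has an inbox as its weak point, which is exactly the problem the text raises for users whose old e-mail address is gone; the honest answer there is a secondary channel the user has recently verified, not public facts. A production version would also rate-limit `finish_recovery` so a wrong guess cannot be retried without bound.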

Remember WoSign and StartCom, the CAs that misbehaved a couple of months ago? Well, the company is trying to make up for it, but too late to stop further penalties by Chrome.

Chrome 61 will treat all WoSign / StartCom certificates as untrusted. This measure includes older certificates, issued before the discovery of the CAs’ misconduct. If you’re still using one of these certificates, it’s time to upgrade to Let’s Encrypt!

And as always, we end on a positive note. Let’s Encrypt has announced upcoming support for wildcard certificates. As of January 2018, you can request domain-validated wildcard certificates for your domains.

If you have practical questions or want to chime in with your experiences, you can do so on the community forums.

Upcoming Events

Summer has arrived, so the conference scene is quieting down for a couple of months. But that doesn’t mean that nothing is happening:

  • On November 20-21, you can attend a new edition of the Web Security Essentials training course. The course will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.
  • I am also working hard on a free online course on the fundamentals of web security, which should give every developer a head start on security. The course will be released in October, but you can already sign up!

As usual, you can find the full list of events on my speaking page.
