At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

From the story:

"...an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

It has been a while since I’ve written about Avast, so today I give you “How insecure is Avast Secure Browser?”

https://palant.info/2024/07/15/how-insecure-is-avast-secure-browser/

Note: This isn’t a vulnerability disclosure, merely an overview of problematic design decisions.

TL;DR from the article: I wouldn’t run Avast Secure Browser on any real operating system, only inside a virtual machine containing no data whatsoever.

Some highlights:

• Eleven pre-installed browser extensions but only two visible to users.
• Two extensions unnecessarily relax Content-Security-Policy protection.
• One of these two extensions also requesting all privileges possible, despite not actually using them.
• Two extensions accept messages from any other extension and any Avast website, the latter without enforcing HTTPS connections.
• One of these extensions, Privacy Guard (sic!), will expose information about your browser’s tabs via that messaging interface and provide updates as you browse the web.
• The “onboarding” experience is designed as an extremely flexible way to nag you into using products that benefit Avast financially.
• To make this “onboarding” work, the browser exposes internal APIs to a number of Avast domains that a huge number of third parties can put content on. Not only can each of these third parties abuse this access, a single XSS vulnerability will extend the access to any website on the internet (no effective CSP protection).

Enjoy!

#avast #avg #avira #ccleaner #securebrowser #infosec

A Brief Retrospective on SPARC Register Windows

https://danielmangum.com/posts/retrospective-sparc-register-windows/

#risc #sparc

[RSS] Linksys Velop Routers Caught Sending WiFi Creds in the Clear

https://hackaday.com/2024/07/15/linksys-velop-routers-caught-sending-wifi-creds-in-the-clear/

We love Open Source contributors.

If you are a significant contributor to an Open Source project, DM us, and we will give you a full briefings pass to BlackHat USA (absolutely free).

__
* Tickets handed out totally at our discretion;
** We only have a few tickets left;

fq 0.12.0 released 🥳 nothing fancy, REPL and jpeg fixes otherwise mostly update of dependencies.

https://github.com/wader/fq/releases/tag/v0.12.0

#fq #jq

[oss-security] backtrace_symbols() misuse by Ceph and its supposedly-safe use

Interesting thread on safe crash handling in the light of signal handler races

https://www.openwall.com/lists/oss-security/2024/07/12/1

[RSS] A 64-bit x86 Bootloader from Scratch

https://hackaday.com/2024/07/14/a-64-bit-x86-bootloader-from-scratch/

[RSS] [Internet Bug Bounty] high - important: Apache HTTP Server on WIndows UNC SSRF (CVE-2024-38472) (4920.00USD)

https://hackerone.com/reports/2585385

[RSS] [Internet Bug Bounty] high - important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474) (4920.00USD)

https://hackerone.com/reports/2585381

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

[RSS] Resurrecting a dead Dune RTS game

https://wheybags.com/blog/emperor.html

Spent the last four days coordinating incident response for the Squarespace domain hijackings with @tay and @AndrewMohawk. Now that it seems to be resolved, we wrote a little postmortem/retrospective

https://securityalliance.notion.site/A-Squarespace-Retrospective-or-How-to-Coordinate-an-Industry-Wide-Incident-Response-fead693b66c14543a48283d85aec19ad

Starting from v0.10 (the next version), HyperDbg uses @keystone_engine as its assembler. ❤️

Thanks to our new team member @AbbasMasoumiG for adding it.

The following commands are added to assemble virtual and physical memory:

- https://docs.hyperdbg.org/commands/debugging-commands/a

- https://docs.hyperdbg.org/commands/extension-commands/a

Clever & fun technique to dump #Windows LSA secrets bypassing #EDR by @sensepost

Dumping LSA secrets: a story about task decorrelation

https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/

I almost felt guilty finding out the guy accidentally gave me two of these "original palestinian" scarves instead of one

[RSS] Announcing AES-GEM (AES with Galois Extended Mode)

https://blog.trailofbits.com/2024/07/12/announcing-aes-gem-aes-with-galois-extended-mode/

[RSS] MongoDB NoSQL Injection with Aggregation Pipelines

https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/

[RSS] SSD Advisory – SonicWall SMA100 Stored XSS to RCE

https://ssd-disclosure.com/ssd-advisory-sonicwall-sma100-stored-xss-to-rce/

Introduction to the Wild West of Proof of Concept #Exploit Code (#PoC) aka SSHing the Masses

https://santandersecurityresearch.github.io/blog/sshing_the_masses.html