Categories: News
Tags: lego

Tags:  bricklink

Tags:  cross site scripting

Tags:  bug

Tags:  flaw

We take a look at how Lego's Bricklink service was potentially vulnerable to certain types of XSS attack.



(Read more...)




The post Lego's Bricklink steps on cross site scripting blocks appeared first on Malwarebytes Labs.

If you build it, they will come. In Lego’s case, they built it and certain security flaws meant someone could have taken it all apart.

PCMag reports that flaws in Lego’s Bricklink service meant that it was open to potential data leakage or even account hijacking. Those flaws, now addressed, potentially impacted users of the Bricklink portal. If you’re unfamiliar with the site, it’s the biggest official marketplace for Lego bricks in the world, with a million or so registered users. That’s a whole lot of Lego.

If there’s ever been an incredibly obscure or hard to find piece you needed for that cool Lego project you’ve been working on, there’s a good chance you’d have found what you were looking for.

What researchers found while looking at user input fields was a way to build out some cross-site scripting (XSS) issues. XSS is a type of injection attack, where vulnerable web applications are exploited in ways which allows for malicious script to be injected into the page. Shall we take a look?

**Building a path to sanitation**

According to Salt Security, the web server wasn’t sanitising user input correctly which led to code injection in the rendered web page. They were able to inject and execute JavaScript code as a result.

From here, they were able to chain the above technique to a payload which would read code on the page containing the session ID value and send it to their own server. The unprotected session ID tagged onto the XSS could result in a full account takeover, along with access to data related to the account. This would include shipping address, orders, message history, and email address.  As the researchers point out, this is a bit limiting as it requires some level of victim interaction to pull off successfully.

**When your “most wanted” is an external entity attack**

The second issue was something which would require no victim interaction to achieve. BrickLink allows users to populate a wanted list page. Desperate for that rare leg from the 1970s, or a piece of a treasure island from the 80s? No problem, upload the data as Extensible Markup Language (an XML file) and take it from there.

Once you hit the continue button, your parts magically appear in readable format, complete with an image of the desired item, and onto your wanted list it goes (think “Amazon wish list”, but for Lego).

The researchers were able to make use of an XML external entity (XXE) attack, which can interfere with regular processing of XML data. Their testing allowed them to pull up the contents of the /etc/passwd file, and could have resulted in Server Side Request Forgery attacks (SSRF). SSRF is very bad, because it can give attackers the ability to fool a server into granting access to places which would not otherwise be available. SSRF issues are unfortunately common, and need to be acted upon quickly.

**Disclosure and response**

These vulnerabilities were discovered on October 18, with technical details disclosed on October 23. Although the Lego security team confirmed the disclosure on the 25th, they went on to say that internal policy is not to comment as to whether specific issues have been fixed. For the Salt Security team’s part, they have confirmed through their own testing on November 10 that the issues appear to have been addressed.

Your bricks, for now, remain standing.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Lego's Bricklink steps on cross site scripting blocks

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

What secrets might be released with a quick peck under the combination lock? For that we need a cybersecurity-related caption. Here are four convenient ways to submit your ideas before the Jan. 11, 2023, deadline.

*   Email _\[email protected\]_ with the subject line "Dark Reading December Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address_._)

**Last Month's Winner**

We had many excellent caption contenders for last month's "Fall Cleanup" contest. (Thanks to all who participated.) But since we had to pick a favorite (below), congratulations go to Dark Reading reader "Rita." A $25 gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Kiss and Tell

The open source container tool is quite popular among developers — and threat actors. Here are a few ways DevOps teams can take control.

_Editor's note: For more about the kinds of vulnerabilities Kubernetes presents and how to address them, read our_ _companion article_ _in The Edge._

Since its initial release in 2014, Kubernetes (aka K8s) has become the standard open source container tool for managing software applications. Kubernetes is cost-effective, offers autoscaling, and can run on any infrastructure. Its benefits are why 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies. On top of this, 61% of people use Kubernetes to manage their computer application deployment.

Funso Richard, information security officer at Ensemble, tells Dark Reading that "forward-thinking organizations understand the importance of leveraging containerized microservices to develop scalable and reliable applications as an essential digital transformation strategy" — and Kubernetes has become the leading tool used to achieve this strategy, he adds.

However, Kubernetes also comes with security challenges: It's susceptible to data theft, computational power theft, and denial-of-service (DoS) attacks. Kubernetes' public components (such as kubelets and API authentication) are widely exploited. And threat actors target infrastructure misconfiguration, unpatched software programs, and poor login credentials to gain unauthorized entry to Kubernetes. The vulnerabilities are also widespread. According to Red Hat's "2022 State of Kubernetes" security report, 93% of Kubernetes users experienced at least one security incident in the past 12 months.

As DevOps teams continue to grapple with rising Kubernetes security mishaps, here are a few ways to stay ahead of attackers and keep cloud-native environments secure.

**Securing Kubernetes With Tools**

Kubernetes' security vulnerability affects its efficiency. For instance, concerns over Kubernetes security caused developers to delay application rollouts in 2022, according to Red Hat. Although Kubernetes provides several benefits in application development and container orchestration, says Richard, inadequate security controls expose the open source tool to serious security concerns like misconfiguration, privilege abuse, data exfiltration, credential compromise, exploited public-facing components, and API vulnerabilities. To address these, several Kubernetes security tools have sprung up, including Kubescape, Kube-bench, Kubeaudit, Kube-hunter, and Kyverno.

Kubescape is an open source security platform from ARMO to protect Kubernetes clusters with capabilities such as risk analysis, security compliance, misconfiguration scanning, CI/CD security, RBAC visualizer, and vulnerabilities scanning. One thing that sets Kubescape apart is its library of robust capabilities that aligns with MITRE ATT&CK and NSA-CISA frameworks, says Richard.

"As I track Kubernetes security offerings — both commercial and non-commercial offerings — I haven't come across another offering with the same exact components as Kubescape," agrees Fernando Montenegro, senior principal analyst of cybersecurity infrastructure at Omdia.

Kubescape scans clusters, YAML files, and Helm charts for vulnerabilities either directly or via CI/CD integrations. The idea of scanning infrastructure-as-code (IaC) templates is well-popularized across the industry, says Montenegro. Most IaC scanning is done for cloud resources like Amazon's CloudFormation, HashiCorp's Terraform, and others, with Kubernetes scanning being a more specialized use case, he adds.

There are other offerings in the market — like Red Hat's StackRox (acquired in 2021), Tenable's Terrascan, and Palo Alto Networks' Checkov — offering similar capabilities as Kubernetes.

**Implementing Best Security Practices in Kubernetes**

Richard notes that adherence to cybersecurity fundamentals remains the bedrock of any security effort. While Kubescape is undoubtedly a powerful Kubernetes security tool, he believes developers can effectively secure their Kubernetes clusters by following the basics: implementing proper cluster configuration, pod security standards and policy enforcement, network segmentation, vulnerability scanning, periodic policy reviews, and security audits. "Containers should run with the least privileges and only necessary services, while role-based access controls should be in place to manage user access," Richard says.

While Montenegro says there are several Kubernetes best practices for DevOps and DevSecOps teams to follow, he notes that the following practices must be top on their priority list:

*   **Think about security early on:** Collaborate with your developers/architects to work through a proper threat modeling.
*   **Work with embedding security throughout the application lifecycle:** Security is an end-to-end process, from providing on-the-spot security advice and functionality for a developer working through the code in their development environment, through making sure security tests are part and parcel of the integration stages, then adding the necessary runtime protections to monitor workloads in production.
*   **Safely store Kubernetes secrets:** Implement features like proper namespace separation, use of role-based access control (RBAC).

As Kubernetes grows in adoption, IT teams can avoid security pitfalls by using tools like Kubescape and StackRox, as well as following the best security practices for securing their critical Kubernetes assets.

How to Run Kubernetes More Securely

Threat actors can take over victims' cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

Attackers can compromise a new feature in Amazon Web Services (AWS) to hijack cloud accounts' static public IP addresses and abuse them for various malicious purposes, researchers have found.

Threat actors can use the Amazon Virtual Private Cloud (VPC) Elastic IP (EIP) transfer feature to steal someone else's EIP and use it as their own command-and-control (C2), or to launch phishing campaigns that impersonate the victim, researchers from cloud incident response firm Mitiga revealed in a blog post on Dec. 20.

Attackers also can use the stolen EIP to attack a victim's own firewall-protected endpoints, or to serve as the original victim’s network endpoint to extend opportunities for data theft, the researchers said.

"The potential damage to the victim by hijacking an EIP and using it for malicious purposes can mean using the victim’s name, jeopardizing the victim’s other resources in other cloud providers/on-premises, and \[stealing the\] victim’s customers' information," Or Aspir, software engineer at Mitiga, wrote in the post.

Threat actors must already have permissions on an organization's AWS account to leverage the new attack vector, which the researchers call "a post-initial-compromise attack."

However, because the attack was not possible before the feature was added and is not yet listed in the MITRE ATT&CK Framework, organizations may be unaware that they are vulnerable to it, as it's not likely to be picked up by existing security protections, the researchers said.

"With the right permissions on the victim’s AWS account, a malicious actor using a single API call can transfer the victim’s used EIP to their own AWS account, thus practically gaining control over it," Aspir wrote. "In many cases it allows greatly increasing the impact of the attack and gaining access to even more assets."

**How Elastic IP Transfer Works**

AWS introduced EIP in October as a legitimate feature to allow transfer of Elastic IP addresses from one AWS account to another. An Elastic IP (EIP) address is a public and static IPv4 address that can be reached from the Internet and can be allocated to an Elastic Compute Cloud (EC2) instance for Web-facing activities, such as website hosting or communicating with network endpoints under a firewall.

AWS introduced the feature to make it easier to move Elastic IP addresses during AWS account restructuring by transferring the EIP to any AWS account — even AWS accounts that are not owned by someone or his or her organization, the researchers said.

With the feature, the transfer is a mere "two-step handshake between AWS accounts — the source account (either a standard AWS account or an AWS Organizations account) and the transfer account," Aspir explained.

**Abuse of Elastic IP Transfer**

The ease with which EIPs can now be transferred creates an unintentional issue, however — while it certainly facilitates the process of transferring IP for legitimate account owners, it also makes it easier for malicious actors as well, the researchers said.

Researchers described a basic scenario to illustrate how attackers can take advantage of EIP transfer, assuming that attackers already have permissions that allow them to "see" existing EIPs and their status, or whether or not they are associated with other computer resources.

Typically, EIPs are associated, but sometimes an organization keeps dissociated EIP for later use, or as a result of an unmanaged environment that keeps unused resources, the researchers said. "Either way, the attacker only needs to enable the EIP transfer, and the IP address is theirs," Aspir wrote.

Attackers can do this in two ways with the correct permissions: either transfer a dissociated EIP or remove the association of an associated EIP and then transfer it, the researchers said.

For the former, an adversary must have the following action in its attached Identity and Access Management (IAM) policy on AWS: "ec2:DisassociateAddress" action on the elastic IP addresses and the network interfaces that the IP addresses are attached to.

To transfer an EIP, a threat actor must have the following actions in its attached IAM policy: "ec2:DescribeAddresses" on all the IP addresses and "ec2:EnableAddressTransfer" on the EIP address that the attacker wants to transfer, the researchers said.

**Leveraging a Stolen EIP**

There are a wide range of attack scenarios that a threat actor can engage in after successfully transferring someone else's EIP to their own control.

In external firewalls used by the victim, for example, an attacker can communicate with the network endpoints behind the firewalls if there is an allow rule on the specific IP address, the researchers said.

Moreover, in cases in which a victim uses DNS providers such as a Route53 service, there could be DNS records of an "A" type in which the target is the transferred IP address. In this case, an attacker can abuse the address for hosting a malicious Web server under a legitimate victim’s domain, then launch other malicious actions, such as phishing attacks, the researchers said.

Attackers also can use the stolen IP address as C2, using it for malware campaigns that appear legitimate and thus fly under the radar of security defensives. A threat actor can even cause denial of service (DoS) to a victim's public services if they dissociate an EIP from a running endpoint and transfer it, the researchers said.

**Who's at Risk and How to Mitigate It**

Anyone using EIP resources in an AWS account is at risk, and thus must treat the EIP resources like other resources in AWS that are in danger of exfiltration, the researchers advised.

To protect themselves from an EIP transfer attack, Mitiga recommends that enterprises use the principle of least privilege on AWS accounts and even disable the ability to transfer EIP entirely if it's not a necessary feature on their environment.

To do this, an organization can use native AWS IAM features such as service control policies (SCPs), which offer central control over the maximum available permissions for all accounts in an organization, the researchers said, providing an example in their post of how this works.

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Elon Musk claims plane-tracking data is a risky privacy violation. But the world loses a lot if this information disappears—and that's already happening.

I woke up Friday morning to the message I’d been expecting: “Your account, @Justin\_Ling has been locked for violating the Twitter Rules.”

Below was the offending tweet: a link to one of the few websites that provide real-time private jet flight data that “chief twit” Elon Musk, I wrote, “hasn't bullied into suppressing his flight data.”

Musk has accused these flight trackers of providing “basically assassination coordinates.” He has launched a crusade against these apps and anyone who shares them on his recently acquired social media platform. Accounts like mine were locked, while others were banned entirely—from the @ElonJet bot, which shared the location of Musk’s private plane, to reporters who picked up on his campaign. Twitter rules were rewritten on the fly to forbid publishing anyone’s “physical location.”

The chaotic few days prompted the European Union to warn Musk that silencing journalists would likely result in sanctions from EU regulators. US Representative Adam Schiff demanded that Musk reinstate the suspended accounts and explain to Congress why he decided to retaliate against the press in the first place.

As of Monday, following a poll asking users when he should lift the account suspensions, Musk reinstated some—but not all—of those accounts. 

Lost in the chaos is just how successful Musk has been at suppressing that real-time flight data on the internet. In so doing, he’s taking aim at an incredibly valuable source of information—which has helped researchers, journalists, and experts with everything from tracking Russian oligarchs to investigating the fate of missing aircraft to tracking down international hitmen. Musk isn’t the only one trying to keep this type of information out of the public’s hands. 

Both real-time and historical information on Musk’s main private jet—a 2015 Gulfstream G650ER, tail number N628TS—is conspicuously missing from the two main flight-tracking platforms: FlightAware and FlightRadar24.

FlightAware reports that its real-time data on Musk’s jet is unavailable “due to European government data rules,” while its historical data about the plane’s comings and goings was removed “per request from the owner/operator.” Looking up Musk’s jet on FlightRadar24 returns the message: “we could not find data.”

Even smaller tracking platforms, like AirportInfo—the account that led to my Twitter being locked—have taken Musk’s flight information offline.

“The ongoing hullabaloo about the location of Elon Musk’s airplane has caused us to stop displaying his plane at the moment,” says Christian Rommes, an AirportInfo administrator. “Because Musk is threatening legal action, we don’t want to take any risks.”

While Rommes says his office hasn’t heard from Musk’s legal team, they took the step as a precaution. “Don’t mess with the (former) richest man of the world,” he says.

Aircraft operators are required to report detailed information on their flight path to various national regulators, including the Federal Aviation Administration. That data is generally a matter of public record and is published to various websites popular amongst airline enthusiasts. 

Some companies, like FlightAware, augment government data with their own sources of real-time flight information. Other websites, like planespotters.net and airliners.net, allow users to submit photos taken of aircraft as they come and go around the world.

These services have proved incredibly useful for journalists and independent researchers in recent years.

When Malaysian Airlines flight 370 disappeared in 2014, these trackers provided the public with the same data investigators were puzzling over—a flight path that cut straight across Malaysia before stopping abruptly over the South China Sea. Those websites would become critical tools for independent researchers in the years that followed.

Journalists and the general public again turned to these services after Malaysia Airlines flight 17 and Ukrainian International Airlines flight 752 were shot down in 2014 and 2020, respectively. As early reports suggested disaster had struck, these websites showed clearly that the flights were interrupted in mid-air.

But the utility of real-time flight tracking goes far beyond disasters.

In more lighthearted examples, diehard soccer fans have used FlightRadar24 to figure out where prospective trades are heading ahead of a possible signing. In 2015, tens of thousands of football fanatics correctly identified star manager Jurgen Klopp’s private jet as it made its way to Liverpool, preempting the team’s announcement.

The availability of this data has made it possible to track everything from a shipment of US weapons to Ukraine to Nancy Pelosi’s tense visit to Taiwan, in defiance of Chinese warnings.

Some pilots have leaned into this new visibility. One made headlines after drawing a penis in the sky over Florida.

The websites have also contributed to embarrassment for some private jet owners. Thanks to @CelebJets, a bot account set up by 20-year-old programmer Jack Sweeney, who also created @ElonJet, scrutiny over the pace at which the rich and famous galavant around in their CO2\-intensive private planes reached a fever pitch in 2022. Marketing agency Yard calculated just how much environmental damage was caused by these private jet trips—particularly short-haul flights, where driving or taking public transit would take only marginally longer. That report led to a massive public shaming of celebrities like Taylor Swift, whose private jet addiction put 1,184 times more CO2 into the atmosphere than the average person produces in a whole year. 

A single Elon Musk flight from February burned nearly 4.5 tonnes of CO2.

Sweeney’s jet-tracking bots, which scraped that public flight data and sent it directly to Twitter, also published real-time information on Russian oligarchs. That bot helped open source investigators keep tabs on a cohort of the ultra-rich Russians mainly responsible for keeping Vladimir Putin’s regime running amid a costly war against Ukraine.

Investigative outlet Bellingcat recommends FlightRadar24 for open source investigators, and its researchers have relied on the tool to track likely Russian intelligence operatives, understand political tumult in Kazakhstan, follow the Venezuelan government’s semi-secret private jet, and keep tabs on NATO planes as they conduct operations. Other investigative outlets, like the Organized Crime and Corrupting Reporting Project, have similarly leveraged the data to hunt down shady dealings the world over.

But as Musk’s effort to suppress the information has shown, not everyone wants this data to remain public.

For starters, some planes can turn off their transponders, which relay their coordinates to flight regulators. That option is generally not available for private civilian aircraft.

More useful to someone like Musk is the FAA’s Limiting Aircraft Data Displayed list. Introduced by a 2018 act of Congress, it allows private jet owners to block their data from being disseminated by the FAA. A spokesperson for FlightRadar24 confirmed to WIRED that, as they rely primarily on the FAA’s data, they respect the block list.

Not everyone relies on the FAA, however. Planes regularly transmit basic information mid-flight, through Automatic Dependent Surveillance-Broadcast technology (ADS-B). 

ADS-Bexchange, which describes itself as the “world’s largest source of unfiltered flight data,” has continued reporting real-time information on Musk’s Gulfstream using that technology. Sweeney relies on that website for his bots—which have since moved over to Instagram and Mastodon.

“The position data shown by ADSBexchange is available to anyone who can spend $50 on Amazon and put the parts together,” reads a Q&A on its website. “It’s not secret.”

Users on the site’s Discord channel have spent recent days mocking Musk’s attempt to go after this information and have been clear that they do not intend to remove his jet from the platform. “ADSBx does no blocking or hiding for any reason,” one moderator wrote.

Anyone keeping tabs on Musk’s jet would have known that the Twitter CEO was heading to Qatar for the World Cup finale on Sunday. Doha was a key player in Musk’s Twitter takeover. While there, Musk snapped a selfie with a Russian state broadcaster. (Musk has also relied on a Dubai-based financier with ties to Russian oligarchs to finance his $44 billion purchase of the social network.)

Given how much scrutiny this type of flight data has brought on him and his business dealings, perhaps it’s no surprise that Musk has taken some desperate measures to hide this information. He reportedly offered Sweeney $5,000 to take the @ElonJet bot down. Sweeney countered, asking for $50,000—but the pair do not appear to have ever made a deal. Despite vowing to respect Sweeney’s right to publish the information, Musk banned all of his bots and his personal Twitter account earlier this month, while ADS-B’s Twitter account was similarly removed.

Steffan Watkins is a Canadian Osint researcher who has spent years tracking planes and ships using this kind of publicly available data. Last year, he worked with a United Nations panel of experts to identify planes smuggling weapons into Libya.

“Simply put, because flight data is publicly available through many different flight trackers, the public is empowered to fact-check any statement from any source, government or private,” he says. “Unsurprisingly, there are powerful people who don’t want the transparency that provides.”

Knowing more about where government planes and private jets are going to and coming from can yield surprising results. Watkins points out that the CIA’s extraordinary rendition program, which enabled the arbitrary detention and torture of suspected terrorists—many of whom were innocent—was exposed with the help of open source flight data.

“As the CIA kidnapped and flew citizens of other countries to black sites around the world for integration and torture on government-chartered bizjets, they left a trail of data in their wake that was used to unravel the routes used to ship their abductees,” Watkins told WIRED.

More recently, in 2018 researchers used ADS-B data to trace the route that a Saudi kill squad took on its way to murder _Washington Post_ journalist Jamal Khashoggi.

Earlier this year, the Saudi government submitted a proposal to the International Civil Aviation Organization to encrypt and restrict access to this data. “The uncontrolled access to detailed/accurate ADS-B data on the internet raised concerns by aircraft operators and owners on safety, security, and privacy of flights,” the Saudis wrote to the Montreal-headquartered UN body.

“Oh, the country that flies assassins around the world wants to hide aviation info from the public because of ‘security’?” Watkins says. “How quaint.”

A Saudi prince, Alwaleed bin Talal bin Abdulaziz, is the second-largest shareholder in Twitter. The site’s largest owner, Musk, is similarly relying on security concerns as he moves to ban this flight data from his platform.

In announcing the ban on real-time flight data last week, he alleged that a “crazy stalker” followed a car carrying one of his children. “Legal action is being taken against Sweeney & organizations who supported harm to my family,” he tweeted.

The Los Angeles Police Department sees no link between his private jet’s coordinates and the alleged stalking, according to _Washington Post_ reporters Drew Harwell and Taylor Lorenz—two journalists Musk banned on Twitter. A Bellingcat contributor geolocated the incident, which Musk recorded and published to Twitter (possibly in violation of his own rules), to a gas station miles away from the airport and nearly a full day after Musk’s jet had last been in the air.

Seeing how few—if any—of Musk’s critics and online tormentors have air-to-air intercept capabilities, and given that airports continue to be some of the most secure places in modern society, the Tesla owner’s security concerns appear overblown.

“Safety, security, and privacy sound like noble goals, but there isn’t a rash of violent attacks on private planes—or any planes—and no indication there will be,” Watkins says. “Musk’s gripes are almost Musk-specific; few people have a jet they themselves can call on and fly anywhere with on a whim.”

Elon Musk and the Dangers of Censoring Real-Time Flight Trackers

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

A vulnerability in how Akamai retrieves Amazon Web Services (AWS) S3 resources could allow attackers to stage web cache poisoning attacks against websites.

Web cache poisoning involves malicious clients forcing content delivery networks (CDN) or web servers to cache malicious content and later serve it to other clients requesting the same resource.

**Double misconfiguration**

Akamai can map various HTTP requests to their corresponding S3 bucket and cache them for later retrieval. Security researcher Tarunkant Gupta discovered that he could trick the Akamai server into caching files from malicious buckets.

“A few months back I encountered a non-exploitable AWS S3 misconfiguration and I was just revisiting it to check if that still exists or not, but this time I wanted to explore all attack possibilities,” he told The Daily Swig. After trying different attack vectors, Gupta ran into a misconfiguration in Akamai’s cache servers that could be leveraged to exploit the S3 bug.

RELATED Akamai WAF bypassed via Spring Boot to trigger RCE

Akamai said creating “a blanket ‘patch’” was “not trivial, as that may have a big negative impact on legitimate internet traffic”, according to a technical writeup from Gupta. In the meantime, Gupta said users can protect themselves by not accepting any headers containing Unicode characters at the Akamai level. 

**Tampering header commands**

To exploit the vulnerability, an attacker must send a web request for a benign file, but modify the header directives to add a header preceded by a hex value (e.g. ) and followed by the malicious S3 address.

If the request results in a cache hit, then the Akamai server will prioritize the header with the Unicode value over the original header and cache the malicious file to serve it to future users who request the same path.

“Because of the S3 misconfiguration, it prioritizes the first header over the target origin and Akamai’s incorrect parsing on the inclusion of Unicode character let me pass exactly what I wanted to the S3 buckets, a malicious host on the first occurrence of the header,” Gupta explained.

**Attacking at scale**

The attack will only work if benign and malign files are stored in S3 buckets located in the same region. The attacker can create S3 buckets in all available regions and upload the malicious file to all of them.

Exploiting the bug would then be a matter of brute-forcing the web cache poisoning attack on the target web resource to see which bucket works.

Gupta tested the attack with an SVG file, which is usually a cached file type and can contain JavaScript code – making it especially dangerous. But the attack can also work with any other file type cached by the server.

Gupta also developed a pair of Python scripts that can find targets stored in S3 buckets and cached by Akamai.

“This issue is very easy to exploit, and one simple cURL can create a malicious cache,” Gupta said. “An automation script was created to exploit at scale. This issue can result in various types of attacks such as XSS, JavaScript injection, open redirection, DoS, spoofing, etc.”

**RFC non-compliance**

Akamai told Gupta that the configuration issue “results from certain customers’ needs to process non-RFC compliant requests for their applications to function correctly, and therefore cloud vendors offering features to support such traffic unless explicitly instructed not to do so.”

Kaan Onarlioglu, senior infosec architect at Akamai, told The Daily Swig: “By default, Akamai edge servers allow certain invalid HTTP headers to pass through, treating them as custom headers.”

Catch up with the latest hacking techniques news and analysis

This feature is necessary to support large volumes of legitimate traffic flows and origin applications that rely on invalid headers to function correctly, he said. However, it could sometimes lead to unexpected interactions between Akamai and origin servers, depending on the origin’s request processing behavior.

“Akamai provides a strict header parsing configuration option to block traffic containing invalid headers, and we strongly urge our customers to utilize it unless that interferes with their operations,” Onarlioglu continued.

According to Onarlioglu, Akamai is currently working on making strict header parsing a default behavior instead of offering an opt-out mechanism for customers. The work is expected to be finalized early in 2023.

Gupta advised web developers to always follow RFC and its recommendations. “Many companies don’t follow them and also don't put any countermeasures around it, which sometimes becomes a serious issue,” he said.

RECOMMENDED Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards

Akamai wrestles with AWS S3 web cache poisoning bug 

Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these promises?

There is no software without bugs, right? While this is a common sentiment, we make assumptions that rely on the premise that software has no bugs in our day-to-day digital life. We trust identity providers (IDPs) to get authentication right, operating systems to perfectly comply with their specs, and financial transactions to always perform as intended. Even more vividly, we trust software with our physical safety by going on planes, driving a car that actively corrects our adherence to traffic lanes or our distance from the car in front of us, or undergoing certain surgeries. What makes this possible? Or to put it another way, why aren't planes falling out of the sky due to bad software?

Software quality assurance borrows from scientific and engineering tools. One way to ensure and improve software quality is to publicize it and give as many people as possible an incentive to try to break it.

Another is using design patterns or well-architecture frameworks rooted in engineering. For example, while not every software project can be put under the same level of scrutiny as the Linux kernel, which has been under scrutiny for decades, software projects can open source code to invite scrutiny or submit code for audits in hopes to gain some of the security guarantees.

And of course, there's testing. Whether static, dynamic, or real-time, done by the developer or by a dedicated team, testing is a major part of software development. With critical software, testing is usually an entirely separate project handled by a separate team with specific expertise.

Testing is good, but it doesn't claim to be comprehensive. There are no guarantees we found all the bugs because we don't know which bugs we don't know about. Did we already find 99% of Linux kernel bugs out there? 50%? 10%?

**The 'Absolute' Claim**

The research field of formal methods is looking at ways to assure you that there are no bugs in a certain piece of software, such as your stockbroker or certificate authority. The basic idea is to translate software into math, where everything is well-defined, and then create an actual proof that the software works with no bugs. That way, you can be sure that your software is bug-free in the same way you can be sure that every number can be decomposed to a multiplication of prime numbers. (Note that I don't define what a bug is. This will prove to be a problem, as we will later see.)

Formal method techniques have long been used for critical software, but they were extremely compute- and effort-intensive and so applied only to small pieces of software, such as a limited part of chip firmware or an authentication protocol. In recent years, advanced theorem provers like Z3 and Coq have made it possible to apply this technology in a larger context. There are now formally verified programming languages, operating systems, and compilers that are 100% guaranteed to work according to their specifications. Applying these technologies still requires both advanced expertise and a ton of computing power, which make them prohibitively expensive to most organizations.

Major cloud providers are performing formal verification of their fundamental stacks to reach high levels of security assurance. Amazon and Microsoft have dedicated research groups that work with engineering teams to incorporate formal verification methods into critical infrastructure, such as storage or networking. Examples include AWS S3 and EBS and Azure Blockchain. But the really interesting fact is that in the past few years, cloud providers have been trying to commoditize formal verification to sell to their customers.

**Decisively Solving Misconfiguration?**

Last year, AWS released two features that leverage formal verification to address issues that have long plagued their customers, namely network and identity and access management (IAM) misconfigurations. Network access and IAM configurations are complex, even for a single account, and that complexity grows drastically in a large organization with distributed decision-making and governance. AWS addresses it by giving its customers simple controls — such as "S3 buckets should not be exposed to the Internet" or "Internet traffic to EC2 instances must go through a firewall" — and guaranteeing to apply them in every possible configuration scenario.

AWS is not the first to address the misconfiguration problem, even for AWS-specific issues such as open S3 buckets. Cloud security posture management (CSPM) vendors have been addressing this issue for a while now, analyzing virtual port channel (VPC) configuration and IAM roles and identifying cases where privileges are too lax, security features are not properly used, and data can be exposed to the Internet. So what's new?

Well, this is where the absolute guarantee comes in. A CSPM solution works by creating a known-bad or known-good list of misconfigurations, sometimes adding context from your environment, and producing results accordingly. Network and IAM analyzers work by examining every potential IAM or network request and guaranteeing that they will not result in unwanted access according to your specification (such as "no Internet access"). The difference is in the guarantees about false negatives.

While AWS claims that there is no way it has missed anything, CSPM vendors say they are always on the lookout for new misconfigurations to catalog and detect, which is an admission that they did not detect these misconfigurations previously.

**Some Flaws of Formal Verification**

Formal verification is great for finding well-defined issues, such as memory security issues. However, things become difficult when trying to find logical bugs because those require specifying what the code is actually supposed to do, which is exactly what the code itself does.

For one thing, formal verification requires specifying well-defined goals. While some goals, like preventing access to the Internet, seem simple enough, in reality they are not. The AWS IAM analyzer documentation has an entire section defining what "public" means, and it's full of caveats. The guarantees it provides are only as good as the mathematical claims that it has coded.

There's also the question of coverage. AWS analyzers cover only a few major AWS services. If you route traffic into your network through an outbound connection channel, the analyzer wouldn't know. If some service has access to two IAM roles and can combine them to read from a confidential public bucket and write to a public one, the analyzer wouldn't know. Nevertheless, on some well-defined subset of the misconfiguration problem, formal verification provides stronger guarantees than ever before.

Getting back to the relative advantage question posed above, the difference is that the IAM and network analyzer claims that its list of issues detected is comprehensive, while CSPM claims that its list covers every misconfiguration known today. Here's the key question: Should you care?

**Should We Care About Absolute Guarantees?**

Consider the following scenario. You own a CSPM and look at the AWS network and IAM analyzer. Comparing the results of the two, you realize that they've identified the exact same problems. After some effort, you fix every single problem on that list. Relying only on your CSPM, you would feel you are in a good place now and could dedicate security resources elsewhere. By adding AWS analyzers to the mix, you now know — with an AWS guarantee — that you are in a good place. Are these the same results?

Even if we neglect the caveat of formal verification and assume that it catches 100% of issues, measuring the benefits over detection-based services like CSPM would be an exercise for every individual organization with its own security risk appetite. Some would find these absolute guarantees groundbreaking, while others would probably stick to existing controls.

These questions are not unique to CSPM. The same comparisons could be made for SAST/DAST/IAST web application security testing tools and formally verified software, to name one example.

Regardless of individual organization choices, one exciting side effect of this new technology would be an independent way to start measuring security solutions' false negative rates, pushing vendors to be better and providing them with clear evidence where they need to improve. This in and of itself is a tremendous contribution to the cybersecurity industry.

Are 100% Security Guarantees Possible?

Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.

**Build custom apps for your business, as easy as lego**

|

Turn your Airtable or Google Sheets into client portals, partner apps or internal tools.

**Trusted by 80,000+ teams worldwide**

**Create apps powered by your data**

**Client Portals**

Create client or employee portals with self-service account creation and secure access to content.

**Internal Tools**

Enable your team to create internal apps like employee directories, CRM, and company wikis, in minutes.

**Marketplaces**

Create two sided marketplaces like Airbnb, Upwork and the like. Sell services, goods, pay securely with Stripe and run your entire business from one tool.

**Online Communities**

Supercharge your community and bring them together in one platform, with memberships, free and premium content. Share resources, sell courses, connect with each other and more.

**Resource Directories**

Curate resources of any kind and let users search, filter, and explore. Launch online courses, company wikis or upvoting sites directly from Airtable.

**Websites**

Quickly create multi-page marketing sites or high-converting landing pages. Add your custom domain for free.

**Softr is the easiest, fastest way to build a professional web app on Airtable. Zero learning curve.**

**80,000+ companies and creators use Softr**

I had already tried other tools, so when I started using Softr, it was clear immediately that the capabilities were beyond what I found elsewhere.

**Yohei Nakajima**

General Partner, Untapped Capital

Softr helps you take action on your ideas quickly by allowing you to leverage your Airtable data and build powerful websites and web apps. I was blown away by how user-friendly and well-documented the entire product was! I was able to create an app within hours without any external help.

**Karthik Puvvada (KP)**

Program Director, On Deck No-Code Fellowship

Softr’s ease and speed of use is it’s standout characteristic. No tool is faster to create with. Although there is limited design customizability, this should be viewed as a strength of Softr as it acts as a positive restraint to help you ship things more quickly than you ordinarily would.

**Max Haining**

Founder, 100DaysOfNoCode

They say that if you can’t explain it in a simple way, you don’t understand it well enough. I say the same thing about any software. If you can’t figure it out in the first 10 min by yourself without any tutorial, it’s probably not for you. Since the first moment we discovered Softr, we started the work.

**Akiki Rachid**

COO, Bookzdoctr Inc

It took me one day to build the product, learn the integrations, and see how the customer service acts. I was completely flashed that it is so easy, and that everything is working really well. So, I quickly decided 3 weeks later to set up our main page and transferred it to Softr.

**Sabine Wildemann**

Co-Founder, KidsCircle

I have been impressed with the flexibility of Softr. The ability to pull data from different Airtable bases into different blocks and display them on one page was one of the main reasons I chose Softr.

**Dan Smith**

Director, DS Automotive

As a small business, we needed to use a tool that could grow with us, and we feel that this is what Softr offers us. After wasting time and money trying every web builder under the sun, Softr came to save the day. We cannot recommend this platform enough – it's perfect, easy to use even for a non-technical person like me.

**Lucia Borraccino**

Founder, Nanny Network

I like the diversity of templates that are available and the thoughtfulness that has been taken in making the building process as simple as possible for non-coders.

**Kwaku Dapaah-Danquah**

Entrepreneurship Manager, YSYS

I used Softr to build the MVP for my company www.tallsize.com.When I discovered how easy it was to use Softr to create a frontend interface for our users, my mind was blown!!! It was so easy to set up that I literally launched my site in a single weekend. Their support team was incredible throughout this journey and the ability to customize everything the way I wanted was very intuitive and easy to accomplish.

**Nicole Murphy**

Founder, Tall Size

I have been using Softr for a few months now, and the list of new features & improvements is PHENOMENAL. A no-brainer pick for now and a really good bet for the future!

**Nic Touron**

Founder, ToolMeUp

With Softr, I’m able to create beautifully intuitive and responsive front-ends that integrate directly with Airtable and Stripe. Softr allows me to create and iterate at least twice as fast as traditional web platforms.

**Connor Gustafson**

Founder, LendingApp

Softr is THE no-code website builder to use. From SEO and site responsiveness to database backends and customer support, Softr is the deal of the century!

**Patrick Ford**

Founder, Adastacks

**Simple, yet powerful**

**As simple as building lego**

Start from a template or from 100+ pre-built blocks and customize any element on the page. No design or coding skills needed.

**Build platforms, not just sites**

Turn your Airtable data into a full-stack web-app with out-of-the-box memberships, payments and business logic, all in one place.

**Turn into a mobile app, with one click**

Immediately made available on both Apple and Android devices, without the extra effort.

**Start now, go live today**

Don't spend hours learning new tools. Softr is the quickest way to put a product in the hands of your customers. Changing things later is easy and instant.

**This website is built on Softr**

Join 80,000+ companies already using Softr.

**Powerful pre-built functionality out of the box**

Softr does the heavy lifting of all technical work for you, so you can focus on your business.

**Secure user accounts**

Keep yours and your customers' data safe with server-side password protection.

**Free custom domain**

Our free tier includes hosting on custom domains. No credit card required.

**Team Collaboration**

Invite your teammates to manage the application and set granular permissions

**Easy online payments**

Enable one-off purchases or subscriptions in seconds.

**Optimized for SEO**

Pages built with Softr are automatically indexed by search engines.

**Performant, safe, and scalable**

Enjoy Amazon AWS-powered security and performance.

**Integrate with the tools you love**

Seamlessly integrate your Softr app with the modern and trusted tools of your workflow like Zapier, Google Analytics, Stripe, Hotjar, Mailchimp and more.

**Run your business on Softr + Airtable**

**For Companies**

Explore how SMBs and startups use Softr to manage and grow their business.

LEARN MORE

**For Creators**

Learn how entrepreneurs of all sizes are starting new ventures in days with Softr.

LEARN MORE

**For Non-Profits**

Organizations of all kinds can run their operations online, saving time and money.

**Learn about companies and creators using Softr**

CVE-2022-40434: Build website, web app & portals on Airtable without code | Softr

By Waqas
In total, 117 million files were exposed due to two misconfigured Amazon Web Services S3 buckets.
This is a post from HackRead.com Read the original post: Top American Online Ed Platform Leaks 22TB of Data

The incident took place when two misconfigured AWS S3 buckets belonging to McGraw Hill, one of the “big three” educational publishers in the US, were left exposed without any security authentication.

The cyber security researchers at vpnMentor discovered a couple of **misconfigured Amazon Web Services (AWS) S3 buckets** containing a massive trove of data belonging to a USA-based education publishing firm, McGraw Hill.

The platform is among the top three educational content publishers in the United States, and it is also widely used by educational institutions across Canada for facilitating online classes. It builds educational software for students who can access lectures and upload homework on its portal.

**Findings Details**

Researchers discovered two misconfigured Amazon Web Services S3 buckets, the owner of which was identified to be **McGraw Hill**. The researchers discovered one non-production bucket containing over 69 million documents and 10TB+ of data and one production bucket containing 12TB+ of data.

In total, 22TB of data was exposed, and the buckets contained 117 million files. The buckets were discovered on 12 June 2022. vpnMentor’s researchers contacted McGraw Hill first on 13 June, 2022 then again on 15 June and 20 June 2022.

They contacted them the fourth time on 27 June 2022 and finally reached USA CERT several times between 27 June and 4 July 2022. In total, vpnMentor tried to contact McGraw Hill nine times. On 7 July 2022, vpnMentor contacted Amazon Web Service, and finally, they received a response on 9 July 2022.

**What Data Got Exposed?**

According to vpnMentor’s **blog post**, around 100,000 students could be exposed to numerous online attacks due to this data breach. Their private data, such as personal details and grades, could be at risk, and anyone could access it using a web browser.

Further, the exposed data included excel sheets containing student data such as email IDs, names, and grades, documents featuring students’ assignments, performance reports, and grades, and documents containing syllabi for the teachers.

Screenshot taken from one of the exposed files (Credit: vpnMentor)

Moreover, the data included reading material for different courses, source code for McGraw Hill, and private digital keys from McGraw Hill. The leaking of source code is dangerous as it can help threat actors to search for other flaws.

Reportedly, the breach or incident impacted students from the following universities:

1.  McGill University
2.  University of Illinois
3.  University of Toronto
4.  University of Michigan
5.  Johns Hopkins University
6.  Washington University in St Louis
7.  University of California, Los Angeles

**What Caused the Exposure?**

Researchers noted that McGraw Hill was using AWS S3 buckets for storing data from their online education service since the exposed data belonged to the company’s online learning portal that was connected to the AWS account.

Researchers were certain that Amazon wasn’t responsible for the misconfigured database. After several failed attempts to bring the issue to the company’s notice, vpnMentor could contact them, and the sensitive files were removed from public exposure on 20 July.

The data exposure might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a **third party with malicious intent** or not.

Nevertheless, at the time of publishing this article, both exposed servers had been secured, thanks to vpnMentor’s non-stop alerts to concerned authorities.

1.  **AWS bucket exposed 421GB of Artwork Archive data**
2.  **350 million email addresses exposed in AWS S3 bucket**
3.  **S3 Cloud Bucket Exposed 100GB of Classified NSA Data**
4.  **Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket**
5.  **S3 bucket exposed 182GB of senior US, Canada citizens’ data**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Top American Online Ed Platform Leaks 22TB of Data

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 9 and Dec. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Tag

#amazon