A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.

CVE-2022-40407: Security issues - Chamilo LMS

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.

For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

“The idea that you can compromise one machine and from there have the ability to control virtual machines _en masse_ is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

Mandiant discovered the hackers earlier this year and brought their techniques to VMware’s attention. Researchers say they’ve seen the group carry out their virtualization hacking—a technique historically dubbed hyperjacking in a reference to “hypervisor hijacking”—in fewer than 10 victims’ networks across North America and Asia. Mandiant notes that the hackers, which haven’t been identified as any known group, appear to be tied to China. But the company gives that claim only a “low confidence” rating, explaining that the assessment is based on an analysis of the group’s victims and some similarities between their code and that of other known malware.

While the group’s tactics appear to be rare, Mandiant warns that their techniques to bypass traditional security controls by exploiting virtualization represent a serious concern and are likely to proliferate and evolve among other hacker groups. “Now that people know this is possible, it will point them toward other comparable attacks,” says Mandiant’s Marvi. “Evolution is the big concern.”

In a technical writeup, Mandiant describes how the hackers corrupted victims’ virtualization setups by installing a malicious version of VMware’s software installation bundle to replace the legitimate version. That allowed them to hide two different backdoors, which Mandiant calls VirtualPita and VirtualPie, in VMware’s hypervisor program known as ESXi. Those backdoors let the hackers surveil and run their own commands on virtual machines managed by the infected hypervisor. Mandiant notes that the hackers didn’t actually exploit any patchable vulnerability in VMware’s software, but instead used administrator-level access to the ESXi hypervisors to plant their spy tools. That admin access suggests that their virtualization hacking served as a persistence technique, allowing them to hide their espionage more effectively long-term after gaining initial access to the victims’ network through other means.

In a statement to WIRED, VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.” The company also pointed to a guide to “hardening” VMware setups against this sort of hacking, including better authentication measures to control who can tamper with ESXi software and validation measures to check whether hypervisors have been corrupted.

Since as early as 2006, security researchers have theorized that hyperjacking presents a method to stealthily spy on or manipulate victims using virtualization software. In a paper that year, Microsoft and University of Michigan researchers described the potential for hackers to install a malicious hypervisor they called a “hypervirus” on a target machine that places the victim inside a virtual machine run by the hacker without the victim’s knowledge. By controlling that malicious hypervisor, everything on the target machine would be under the hacker’s control, with practically no sign within the virtualized operating system that anything was amiss. Security researcher Joanna Rutkowska dubbed her own version of the technique a Blue Pill attack, since it trapped the victim in a seamless environment entirely created by the hacker, _Matrix_\-style, without their knowledge.

What Mandiant observed isn’t exactly that Blue Pill or hypervirus technique, argues Dino Dai Zovi, a well-known cybersecurity researcher who gave a talk at the Black Hat security conference about hypervisor hacking in the summer of 2006. In those theoretical attacks, including his own work, a hacker creates a new hypervisor without the victim’s knowledge, while in the cases Mandiant discovered, the spies merely hijacked existing ones. But he points out that this is a far easier and yet highly effective technique—and one he’s expected for years. “I’ve always assumed it was possible and even being done,” says Dai Zovi. “It’s just a powerful position that gives full access to any of the virtual machines running on that hypervisor.”

Aside from the difficulty of detecting the attack, he points out that it also serves as a multiplier of the hacker’s control: In virtualization setups, two to five virtual machines can typically run on any physical computer, and there are often thousands of virtual machines on an organization’s network running as everything from PCs to email servers. “That’s a lot of scale and leverage,” says Dai Zovi. “For an attacker, it’s a good return on their investment.”

Mandiant suggests in its writeup of the hacking campaign that attackers may be turning to hyperjacking as part of a larger trend of compromising network elements that have less rigorous monitoring tools than the average server or PC. But given the power of the technique—and the years of warnings—it’s perhaps most surprising that it hasn’t been put to malicious use earlier.

“When people first hear about virtualization technology, they always raise their eyebrows and ask, ‘What happens if someone takes control of the hypervisor?’” says Mandiant’s Marvi. “Now it’s happened.”

Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying

Double free in DOMStorage in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-5797

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity. 

Of the 20 total security fixes included, 16 were found by external researchers through Google's bug bounty program. A blog post from Google Chrome's Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:

*   CVE-2022-3304: Use after free in CSS. _Reported by Anonymous on 2022-09-01_
*   CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. _Reported by NDevTK on 2022-07-09_
*   CVE-2022-3305: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24_
*   CVE-2022-3306: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27_
*   CVE-2022-3307: Use after free in Media. _Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08_

The biggest external researcher payout for far a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000, the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as "$TBD." 

As usual, Google did not list any technical details of the bugs. 

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," Sista wrote. "As usual, our ongoing internal security work was responsible for a wide range of fixes." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Quashes 5 High-Severity Bugs With Chrome 106 Update

In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.

Version：GraphicsMagick 1.4 snapshot-20220322

==3682383==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000032e at pc 0x0000003c4a8e bp 0x7fffffff40d0 sp 0x7fffffff3898
WRITE of size 6146 at 0x61700000032e thread T0
    #0 0x3c4a8d in fread (/home/user/fuzzing_asanGrap/bin/gm+0x3c4a8d)
    #1 0x52bb62 in ReadBlob /home/user/test/GraphicsMagick-1.4.020220322/magick/blob.c:3228:19
    #2 0xc1f532 in ReadMIFFImage /home/user/test/GraphicsMagick-1.4.020220322/coders/miff.c:1847:61
    #3 0x5b092e in ReadImage /home/user/test/GraphicsMagick-1.4.020220322/magick/constitute.c:1630:13
    #4 0x5af68b in PingImage /home/user/test/GraphicsMagick-1.4.020220322/magick/constitute.c:1386:9
    #5 0x4b4ef9 in IdentifyImageCommand /home/user/test/GraphicsMagick-1.4.020220322/magick/command.c:8490:17
    #6 0x4ed162 in MagickCommand /home/user/test/GraphicsMagick-1.4.020220322/magick/command.c:8973:17
    #7 0x514b89 in GMCommandSingle /home/user/test/GraphicsMagick-1.4.020220322/magick/command.c:17528:10
    #8 0x51350f in GMCommand /home/user/test/GraphicsMagick-1.4.020220322/magick/command.c:17581:16
    #9 0x7ffff73030b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x3ab2fd in _start (/home/user/fuzzing_asanGrap/bin/gm+0x3ab2fd)

0x61700000032e is located 0 bytes to the right of 686-byte region [0x617000000080,0x61700000032e)
allocated by thread T0 here:
    #0 0x427da3 in realloc (/home/user/fuzzing_asanGrap/bin/gm+0x427da3)
    #1 0x65f1dc in _MagickReallocateResourceLimitedMemory /home/user/test/GraphicsMagick-1.4.020220322/magick/memory.c:769:36

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/fuzzing_asanGrap/bin/gm+0x3c4a8d) in fread
Shadow bytes around the buggy address:
  0x0c2e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff8060: 00 00 00 00 00[06]fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

command：./gm identify example.miff

example.miff link:

https://drive.google.com/file/d/1kW2wd0S\_oCffl23eiRjwErAAMsb3muc-/view?usp=sharing

CVE-2022-1270: GraphicsMagick / Bugs / #664 [bug]Heap buffer overflow when parsing MIFF

The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.

Companies that focus on trusting their developers, looking beyond blame, and striving for strong cooperation tend see greater adoption of measures that contribute to more secure software supply chains.

According to the annual 2022 Accelerate State of DevOps published on Sept. 28 by Google Cloud's DevOps Research and Assessment (DORA) team also found that DevOps teams that focused on good security practices had a lower rate of burnout, with low-security teams having 1.4 times greater odds of voicing high levels of stress.

While technical infrastructure did help, the survey shows that starting with, or developing, the right culture is extremely important.

For instance, the DORA survey at the heart of the report measured DevOps teams' adherence to 13 different aspects measured by the Supply-chain Levels for Software Artifacts (SLSA) security framework, which calls for building product releases using centralized continuous integration/continuous development (CI/CD) systems, storing change histories indefinitely, defining software builds through scripts, and isolating the build process. And even though the majority of companies had completely or moderately implemented all of the 13 practices, those that had more collaborative and less blame-oriented cultures did better, the DORA survey found.

"More open, generative cultures ... tend to have positive effects for organizational performance as well as for the people who work there," says Todd Kulesza, one of the authors of the report and a senior user-experience (UX) researcher at Google Cloud. "What we want to see is — if there is a security problem — we want the engineers to feel empowered and safe to bring attention to that. You don't want your developers to sweep things under the rug, especially in terms of the security."

The survey unfortunately found that there's work to do on the collaborative front: Many software developers feel there is a gulf between programmers and application-security teams.

"High-friction approaches to security can be frustrating for developers and ineffective overall, as people try to avoid the friction points," the report stated. "The developers we spoke with wanted to do the right thing, and often discussed frustration that shipping features or fixes consistently took priority over potential security issues."

**Supply Chain Security: Critical Barometer for DevOps Performance**

In its eighth year, the DevOps Research and Assessment (DORA) team's annual report has strived to identify best practices among teams that use the DevOps approach to software development. In 2021, the DORA group found that software supply chain security had become a critical component of high-performing DevOps organizations, so this year, the researchers focused on determining what led to successful outcomes on that front.

    

Most DevOps teams have adopted SLSA practices. Source: Google Cloud's 2022 DORA report.

In the survey, Google focused on adoption of security practices that are part of supply chains.

In addition to DevOps teams' adherence to the SLSA framework, the survey asked developers the degree to which they comply with dozens of security practices that form the Secure Software Development Framework (SSDF) created by the US National Institute of Standards and Technology (NIST).

Organizations that had highly cooperative teams that shared risks and responsibilities, and prioritized learning over blame — so-called "generative" cultures — were more likely to adopt more than two dozen of those security practices, the survey of DevOps practitioners found.

"A lot of these practices — I'm not going to say that they are 100% established across organizations — but a lot of these practices have 50% or more of practitioners reporting that it is established or very well established," says John Speed Meyers, a co-author of the report and a security data scientist at software supply chain security firm Chainguard. "There is a lot of room for improvement, but these things are not so hard that no one is doing it."

The survey also measured developer burnout, based on how highly they rated their agreement with statements such as "my feelings about work negatively affect my life outside of work" and "I am indifferent or cynical about my work." Teams that did not focus on security were 40% more likely to agree or strongly agree with these statements.

In addition, teams that had the worst change failure rates and took the longest to deploy — anywhere from once a month to once every six months — also had high rates of burnout.

Google Cloud DORA: Securing the Supply Chain Begins With Culture

By Waqas
Before being removed, the Scylla ad fraud campaign used over 90 malicious apps to carry out its operation against Android and iOS users.
This is a post from HackRead.com Read the original post: Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

The Satori Threat Intelligence and Research Team at Human identified a new wave of cyberattacks involving the use of malicious applications against iOS and Android users. The alarming fact is that these infected apps boast millions of downloads.

The good news is that the attack has been halted by Apple and Google after their prompt response to the researchers.

**Malicious Apps Found on Legitimate Platforms**

Reportedly, 89 malicious apps were discovered and used in a mobile fraud ad campaign. The apps collectively boasted around 13 million downloads. The researchers have dubbed this campaign Scylla.

Per their research, this campaign is the third installment of the Poseidon fraud campaign discovered in 2019, and its second installment was named Charybdis, which was detected in 2020.

You may be wondering where have you heard the term Scylla and Charybdis before. “Being between Scylla and Charybdis” is an idiom deriving from Greek mythology, which has been associated with the proverbial advice “to choose the lesser of two evils”.

In Greek mythology, Scylla and Charybdis were two monsters who lived on either side of a narrow channel of water. Scylla was a six-headed monster (_also featured in the TV series Prison Break_) who lived on a rock in the middle of the channel. Charybdis was a whirlpool who lived on the other side of the channel.

As for the malicious campaign, out of these 89 apps, 89 are Android, and 9 are iOS-based apps. The malicious apps perform ad fraud via hidden apps, spoofing, and fake clicks. What makes Scylla different from the earlier two mobile fraud campaigns is that this time the attackers have found a way to target iOS devices too.

**More Android Malware News**

1.  New malware targeting IoT devices, Android TV globally
2.  LG Smart TV Screen Bricked in Android Ransomware Attack
3.  Top 10 Android Educational Apps That Collect Most User Data?
4.  Fake Banking Rewards Apps Install Malware on Android Phones
5.  Hacked Android phones mimicked TV products for fake ad views

**Campaign Analysis**

According to the company’s blog post, just like the Charybdis campaign, the apps used in Scylla also contained obfuscated code. The attack mechanism is also somewhat the same as the apps target advertising software development kits/SDKs.

One of the iOS apps called “Wood Sculptor,” linked to the Scylla ad fraud campaign (Source: Satori Threat Intelligence and Research Team)

It is worth noting that some apps contained code that posed as completely different when observed by advertisers and ad tech firms.

> “These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla.”
> 
> Satori Threat Intelligence and Research Team

**Application Detailed Overview**

Human researchers detected 29 Android apps posed as more than six thousand CTV-based apps to encourage higher ad proceeds than mobile games. Conversely, some apps contained code that informed advertisers of the ads they displayed to the user.

This means the code rendered ads after the apps were closed, such as when the home screen was on. Some apps captured the information about what ads the user clicked on and transferred the info to advertisers as a fake click. Most of the malicious apps were games.

Google and Apple were promptly informed about malicious apps’ presence and quickly removed from their respective platforms. Advertising SDK developers were also informed about the attack.

Human also published a list of malicious apps and urged users to remove them if installed on their devices. To remove these apps, just tap and hold the App and tap on the Remove option. Then tap on Delete App.

**More iOS Malware News**

1.  SolarWinds hackers exploited iOS 0-day to hack iPhones
2.  Malicious SDK spying, defrauding users through iOS apps
3.  Facebook removes accounts for iOS, and Android malware
4.  Fake Covid-19 apps hit Android and iOS users with spyware
5.  Install Malware on iPhone When it is Powered Off – Research

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

Ubuntu Security Notice 5644-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5644-1  
September 27, 2022

linux-gcp-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-34494, CVE-2022-34495)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1018-gcp     5.15.0-1018.24~20.04.1  
   linux-image-gcp                 5.15.0.1018.24~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5644-1  
   CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,  
   CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,  
   CVE-2022-34494, CVE-2022-34495, CVE-2022-36946

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1018.24~20.04.1

Ubuntu Security Notice USN-5644-1

The internet infrastructure company has an alternative tool to check whether you’re human—and it doesn’t force you to pick out buses in tiny boxes.

There's a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It's a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google's reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.

Like reCaptcha, Cloudflare's new alternative, dubbed Turnstile, is free, and you don't have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser's technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only when the tool lacks adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge, which is an enterprise product for Cloudflare customers, is constantly testing different types of puzzles to find the options that are less frustrating for users. 

Anyone can now implement Turnstile for free through an application programming interface. You can set it up to only run invisible challenges that don't appear to the user at all or elect to have the system show a button for users to click as an additional humanness check. Unlike Managed Challenge, Turnstile never shows harder challenges or Captchas.

“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” says Cloudflare's chief technology officer, John Graham-Cumming. “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”

Invisible challenges include tests like complex equations that devices are asked to solve. Turnstile has data about how long it takes different devices—say, a Macbook Air or a Samsung Galaxy—to solve the challenge. If a device claims to be a Samsung Galaxy S22, but solves the challenge much more quickly than that device should be able to, it may indicate that the request is really coming from an automated system run out of a data center. 

Courtesy of Cloudfare

Captchas are an important security defense across the web, but Cloudflare is billing Turnstile as particularly privacy-protective as well. The tool will look at some browser session data, like browser characteristics and data from website rendering mechanisms, but the service doesn't check advertising cookies or login cookies. And the company plans to outsource as much data review as possible to minimize how much Cloudflare ever sees. For example, Turnstile will check for Apple's "Private Access Tokens," launched this year as a tool for attesting that a user is human and reducing the need for captchas. 

Researchers have found in recent years that Google's reCaptcha checks to see whether a user has a Google login cookie as one of the factors in determining whether they are human. Google denies that reCaptcha data is used for anything other than challenges, but some have pointed out that the data could be used in targeted advertising campaigns.

Cloudflare says that since launching Managed Challenge, it has dramatically reduced the number of captchas it serves.

“Before we introduced Cloudflare Managed Challenge, if we believed a visitor was a bot but our customer wanted us to confirm that, then we would serve a Captcha 100 percent of the time,” Graham-Cumming says. “After introducing Cloudflare Managed Challenge, that number was reduced down to 9 percent. Today, that number is further reduced down to 3 percent.”

The company adds that users previously spent an average of 32 seconds doing captchas on its own sites. Since implementing Managed Challenge, the average wait time is one second because of the new feature's silent, behind-the-scenes challenges. In the Cloudflare dashboard, the captcha option is now called “Legacy Captcha." The company says that, “this more accurately describes what CAPTCHA is: an outdated tool that we don’t think people should use."

Turnstile is part of a broader industry effort to rework captchas and make them less frustrating for users. But reCaptcha's ubiquity and familiarity may hinder adoption of new alternatives. As the field shifts, though, it may be ripe for a new player—especially one that doesn't make you want to chuck your laptop into the sea.

_Updated 9-28-2022, 6:20 pm ET: Included additional details about Turnstile and comment from Cloudflare. We also clarified the types of “challenges” Turnstile will present users._

Cloudflare Takes a Stab at a Captcha That Doesn’t Suck

Pornhub is trialing a new automated tool that pushes CSAM-searchers to seek help for their online behavior. Will it work?

There are huge volumes of child sexual abuse photos and videos online—millions of pieces are removed from the web every year. These illegal images are often found on social media websites, image hosting services, dark web forums, and legal pornography websites. Now a new tool on one of the biggest pornography websites is trying to interrupt people as they search for child sexual abuse material and redirect them to a service where they can get help.

Since March this year, each time someone has searched for a word or phrase that could be related to child sexual abuse material (also known as CSAM) on Pornhub’s UK website, a chatbot has appeared and interrupted their attempted search, asking them whether they want to get help with the behavior they’re showing. During the first 30 days of the system’s trial, users triggered the chatbot 173,904 times.

“The scale of the problem is so huge that we really need to try and prevent it happening in the first place,” says Susie Hargreaves, the chief executive of the Internet Watch Foundation (IWF), a UK-based nonprofit that removes child sexual abuse content from the web. The IWF is one of two organizations that developed the chatbot being used on Pornhub. “We want the results to be that people don’t look for child sexual abuse. They stop and check their own behavior,” Hargreaves says.

The chatbot appears when someone searches Pornhub for any of 28,000 terms it has identified that it believes could have links to people looking for CSAM. And searches can include millions of potential keyword combinations. The popup, which has been designed by anti-child abuse charity the Lucy Faithfull Foundation alongside the IWF, will then ask people a series of questions and explain that what they are searching for may be illegal. The chatbot tells people it is run by the Lucy Faithfull Foundation and says it offers “confidential, nonjudgmental” support. People who click a prompt saying they would like help are offered details of the organization’s website, telephone help line, and email service.

“We realized this needs to be as simple a user journey as possible,” says Dan Sexton, the chief technology officer at the IWF. Sexton explains the chatbot has been in development for more than 18 months and involved multiple different groups as it was designed. The aim is to “divert” or “disrupt” someone who may be looking for child sexual abuse material and to do so using just a few clicks.

The key to the system’s success is at the heart of its premise: Does this kind of behavioral nudge stop people from looking for CSAM? The results can be difficult to measure, say those involved with the chatbot project. If someone closes their browser after seeing the chatbot, that could be considered a success, for example, but it is impossible to know what they did next.

A behavioral nudge isn’t unprecedented in efforts to reduce online harms though, and there is some data by which the results can be measured. It is possible to see how much time people interact with the chatbot and the number of clicks people make to get help. Before Pornhub started trialing the chatbot, it was already pointing people toward the Lucy Faithfull Foundation website using a static page when they searched for any of its 28,000 terms.

Using the chatbot is more direct and maybe more engaging, says Donald Findlater, the director of the Stop It Now help line run by the Lucy Faithfull Foundation. After the chatbot appeared more than 170,000 times in March, 158 people clicked through to the help line’s website. While the number is “modest,” Findlater says, those people have made an important step. “They’ve overcome quite a lot of hurdles to do that,” Findlater says. “Anything that stops people just starting the journey is a measure of success,” the IWF’s Hargreaves adds. “We know that people are using it. We know they are making referrals, we know they’re accessing services.”

Pornhub has a checkered reputation for the moderation of videos on its website, and reports have detailed how women and girls had videos of themselves uploaded without their consent. In December 2020, Pornhub removed more than 10 million videos from its website and started requiring people uploading content to verify their identity. Last year, 9,000 pieces of CSAM were removed from Pornhub.

“The IWF chatbot is yet another layer of protection to ensure users are educated that they will not find such illegal material on our platform, and referring them to Stop It Now to help change their behavior,” a spokesperson for Pornhub says, adding it has “zero tolerance” for illegal material and has clear policies around CSAM. Those involved in the chatbot project say Pornhub volunteered to take part, isn’t being paid to do so, and that the system will run on Pornhub’s UK website for the next year before being evaluated by external academics.

John Perrino, a policy analyst at the Stanford Internet Observatory who is not connected to the project, says there has been an increase in recent years to build new tools that use “safety by design” to combat harms online. “It’s an interesting collaboration, in a line of policy and public perception, to help users and point them toward healthy resources and healthy habits,” Perrino says. He adds that he has not seen a tool exactly like this being developed for a pornography website before.

There is already some evidence that this kind of technical intervention can make a difference in diverting people away from potential child sexual abuse material and reduce the number of searches for CSAM online. For instance, as far back as 2013, Google worked with the Lucy Faithfull Foundation to introduce warning messages when people search for terms that could be linked to CSAM. There was a “thirteen-fold reduction” in the number of searches for child sexual abuse material as a result of the warnings, Google said in 2018.

A separate study in 2015 found search engines that put in place blocking measures against terms linked to child sexual abuse saw the number of searches drastically decrease, compared to those that didn’t put measures in place. One set of advertisements designed to direct people looking for CSAM to help lines in Germany saw 240,000 website clicks and more than 20 million impressions over a three-year period. A 2021 study that looked at warning pop-up messages on gambling websites found the nudges had a “limited impact.”

Those involved with the chatbot stress that they don’t see it as the only way to stop people from finding child sexual abuse material online. “The solution is not a magic bullet that is going to stop the demand for child sexual abuse on the internet. It is deployed in a particular environment,” Sexton says. However, if the system is successful, he adds it could then be rolled out to other websites or online services.

“There are other places that they will also be looking, whether it’s on various social media sites, whether it’s on various gaming platforms,” Findlater says. However, if this was to happen, the triggers that cause it to pop up would have to be evaluated and the system rebuilt for the specific website that it is on. The search terms used by Pornhub, for instance, wouldn’t work on a Google search. “We can’t transfer one set of warnings to another context,” Findlater says.

Tag

#google