Jessica Haworth-Elsayed 24 February 2023 at 13:09 UTC
Updated: 27 February 2023 at 15:32 UTC
Your biweekly summary of AppSec vulnerabilities, emerging hacking methods, and significant cybersecurity developments.
This week, Twitter faced criticism as Elon Musk’s platform announced that SMS-based two-factor authentication (2FA) will now be available only to subscribers.
Previously, the social media platform offered 2FA to all users who linked their mobile numbers to their accounts.
However, users were recently informed through a blog post that this security feature would no longer be accessible to those who do not pay for verification.
This announcement triggered significant backlash from users, particularly those using non-paid accounts.
Nonetheless, it should be noted that users can still use 2FA through third-party authentication apps such as Google Authenticator.
In related news, web hosting giant GoDaddy disclosed that it has been the target of a cyber-attack that has persisted for nearly three years.
The company revealed in a statement that it discovered an intrusion in December 2022, prompted by complaints from a few customers about intermittent website redirects.
A filing to the US Securities and Exchange Commission (PDF) disclosed that this incident was related to an attack in March 2020, where an intruder compromised the hosting login credentials of around 28,000 customers and a small number of employees.
GoDaddy believes these incidents, along with a 2021 breach of its hosted WordPress service, are part of a broader campaign orchestrated by a sophisticated threat actor group.
Background: Truffle Security has relaunched the XSS Hunter tool with enhanced features.
In other news, the maintainers of the revived XSS Hunter tool announced that end-to-end (e2e) encryption has been added to their fork after feedback from privacy-focused users.
Truffle Security relaunched the open-source utility after its original creator, Matthew Bryant, deprecated it, and the company faced criticism for analyzing potentially sensitive data generated by users.
As reported by The Daily Swig, Truffle Security's founder has since issued a statement that user concerns have been addressed and e2e encryption is now in place.
Additionally, it was recently reported that Belgium has become the first European nation to implement a national framework protecting ethical hackers, and that Frans Rosén topped PortSwigger's top 10 web hacking techniques of 2022 with his research 'Account hijacking using dirty dancing in sign-in OAuth-flows'.
Here are additional web security stories and other notable cybersecurity updates from the past fortnight:
Web Vulnerabilities
- FortiNAC / Critical / Unauthenticated Remote Code Execution / Vulnerability in specific versions of Fortinet FortiNAC allows attackers to execute unauthorized code / Patched and disclosed February 16
- Node.js / Medium / CRLF Injection / The fetch API in Node.js is vulnerable to CRLF injection in the host header, which could lead to HTTP response splitting and HTTP header injection attacks / Patched and disclosed February 16
- Node.js / High / Permissions Policies Bypass / Unauthorized modules may be accessible via / Patched and disclosed February 16
- Kardex MLOG / Severity TBD / Remote Code Execution / Server-Side Template Injection leading to Remote Code Execution due to a sanitization flaw on the industrial web interface / Patched January 24, disclosed February 7
- Apache Kerby / LDAP Injection / Vulnerabilities detected in / Patched and disclosed February 20
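The Node.js fetch item above describes a CRLF injection in the Host header. As an added example (not code from the roundup or from the Node.js project), the following shows why a bare CR or LF in a header value matters and what a defensive check looks like: a naive serializer that trusts its input lets one tainted value turn into an extra header once a peer splits the block on CRLF, while a hardened serializer rejects the value before it reaches the wire. All function names and the sample host string are constructed for this illustration.

```javascript
// Added example: CRLF injection in an HTTP header value and a defensive check.
// Not from the Daily Swig roundup or the Node.js project; names are constructed.

// RFC 7230 forbids CR, LF and NUL in a field value; reject every C0 control
// character and DEL, allowing only horizontal tab.
const CTL_RE = /[\u0000-\u0008\u000A-\u001F\u007F]/;

function isSafeHeaderValue(value) {
  return typeof value === 'string' && !CTL_RE.test(value);
}

// Parse a raw HTTP/1.1 header block the way a peer would: split on CRLF and
// treat each line after the request line as a header. Used here only to show
// how a tainted Host value becomes an additional header.
function parseHeaderBlock(raw) {
  const lines = raw.split('\r\n').filter(Boolean);
  const headers = {};
  for (const line of lines.slice(1)) { // skip the request line
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Naive serializer that trusts its input: this is the defect class.
function serializeRequestUnsafe(host, path) {
  return `GET ${path} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// Hardened serializer: refuse control characters before building the block.
function serializeRequest(host, path) {
  if (!isSafeHeaderValue(host)) {
    throw new TypeError('Invalid character in Host header value');
  }
  return serializeRequestUnsafe(host, path);
}

// Constructed sample input: a host string carrying an embedded CRLF sequence.
const TAINTED_HOST = 'example.com\r\nX-Injected: yes';

// Compare both serializers on the tainted value and report what happened.
function demo() {
  const split = parseHeaderBlock(serializeRequestUnsafe(TAINTED_HOST, '/'));
  let rejected = false;
  try {
    serializeRequest(TAINTED_HOST, '/');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { injectedHeaderPresent: 'x-injected' in split, rejected };
}
```

Run under Node.js, `demo()` returns `{ injectedHeaderPresent: true, rejected: true }`: the unsafe path lets the peer see an `X-Injected` header that the caller never set, and the hardened path refuses the value. Node.js itself ships `http.validateHeaderValue()` for the same purpose; the hand-written check is kept here so the example runs without any framework.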
Research and Attack Techniques
- *PortSwigger’s* Gareth Heyes demonstrated methods to detect server-side prototype pollution without causing denial-of-service at the recent AppSec Dublin conference.
- Researchers at CyberXplore described how they spent a month hacking GitHub, finding six vulnerabilities that are detailed in their post.
- Matt Frisbie, a software engineer, created a malicious Google Chrome extension to illustrate the risks users face if they are not cautious about their installations.
Bug Bounty/Vulnerability Disclosure
- Security researcher Omar Hashem wrote a detailed account of how he achieved full control over a HubSpot account, sharing his challenges along the way. Research often requires trial and error, yet many online write-ups overlook discussing unsuccessful attempts.
- A researcher under the pseudonym ‘infiltrateops’ posted about a sizable payout received from Apple and praised the responsiveness of Apple’s security team.
- Google published a review of findings from its vulnerability reward program in 2022, reporting the resolution of over 2,900 issues in that year alone.
New Open Source Security Tools
- Legitify, a tool for identifying and resolving security issues within GitHub and GitLab projects, added support for misconfiguration scanning based on GPT technology.
- GuardDog, designed to identify malicious Python packages using Semgrep and package metadata analysis, has been enhanced to include npm support, new heuristics, and simplified CI integration.
*PortSwigger is the parent company of The Daily Swig.
Based on an article from PortSwigger: https://portswigger.net/daily-swig/deserialized-web-security-roundup-twitter-2fa-backlash-godaddy-suffers-years-long-attack-campaign-and-xss-hunter-adds-e2e-encryption