Jessica Haworth-Elsayed
24 February 2023 at 13:09 UTC
Updated: 27 February 2023 at 15:32 UTC
Your biweekly summary of Application Security vulnerabilities, emerging hacking methods, and important cybersecurity updates.
This week, Twitter has come under fire as Elon Musk’s platform declared that SMS-based two-factor authentication (2FA) will now be exclusive to its paying subscribers.
Historically, Twitter allowed all users to enable 2FA by linking their mobile numbers to their accounts.
However, a recent notification has informed users that this security feature will no longer be accessible unless they subscribe for verification.
This change has triggered significant backlash from users, particularly those not paying for accounts.
Importantly, users still retain the option to utilize 2FA through third-party authentication apps like Google Authenticator.
In other news, web hosting service GoDaddy reported that it has been the target of a cyber-attack as part of a campaign that has persisted for nearly three years.
The company revealed in a public statement that there is evidence of a breach that occurred back in December 2022, with certain customers reporting intermittent website redirections.
In a filing to the US Securities and Exchange Commission (PDF), GoDaddy also indicated that this incident is related to a previous breach in March 2020, where an attacker gained access to the hosting login details of approximately 28,000 customers and some internal personnel.
GoDaddy stated that these breaches, along with a 2021 compromise of its hosted WordPress services, are likely parts of a long-term strategy by a skilled threat actor group.
Finally, the developers of the revived XSS Hunter tool have announced that optional end-to-end (e2e) encryption will be included in its updated version, following feedback from privacy-conscious users.
After the original developer withdrew the open-source utility, Truffle Security reintroduced its own version. Concerns were raised that the hosted service could give its operator access to sensitive data generated by users who opted to share anonymized information about the vulnerabilities they discovered.
As reported by The Daily Swig, users have since been assured that e2e encryption is now integrated into the tool, following a statement from Truffle Security’s founder.
Moreover, we reported that Belgium has become the first European nation to launch a comprehensive safe harbor framework for ethical hackers, and that Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research on ‘Account hijacking using dirty dancing in sign-in OAuth flows’.
Here are additional web security stories and other cybersecurity developments that we found noteworthy over the past two weeks:
Web vulnerabilities
- FortiNAC / Critical / Unauthenticated RCE / A vulnerability in certain Fortinet FortiNAC versions allows attackers to execute unauthorized code. / Patched and disclosed February 16
- Node.js / Medium / CRLF injection / The fetch API in Node.js failed to prevent CRLF injection in the host header, potentially enabling risks such as HTTP response splitting and header injection. / Patched and disclosed February 16
- Node.js / High / Permissions policy bypass / Non-privileged modules could potentially be loaded in ways that bypass the intended permission checks. / Patched and disclosed February 16
- Kardex MLOG / Severity TBC / RCE / Server-side template injection leading to RCE due to a sanitization flaw on the industrial web interface. / Patched January 24, disclosed February 7
- Apache Kerby / Severity not stated / LDAP injection / An LDAP injection vulnerability exists in the project’s code. / Patched and disclosed February 20
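The Node.js CRLF item above describes a host value that can terminate its header line and smuggle further headers into a request. The guard below is an added illustration written for this roundup, not code from Node.js or from the article; `buildHeaderBlock` and the sample values are constructed here to show how a header serializer rejects such a value before it reaches the wire.

```javascript
// Added example (not from the article or Node.js): a header-value guard in
// the spirit of the fix described above. A CR, LF or NUL inside a header
// value would end the current header line early and let the remainder be
// parsed as extra headers or a body (header injection / response splitting),
// so any such value is rejected before the request is serialized.
const FORBIDDEN_IN_VALUE = /[\r\n\0]/;
// Header names must be RFC 7230 tokens; anything else is refused as well.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isSafeHeaderValue(value) {
  return typeof value === 'string' && !FORBIDDEN_IN_VALUE.test(value);
}

// Serialize a Host header plus optional extra headers, refusing any name or
// value that could break out of its own line. Returns the header block or
// throws a TypeError, mirroring the behaviour a fixed fetch should have.
function buildHeaderBlock(host, extraHeaders = {}) {
  const headers = { Host: host, ...extraHeaders };
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN.test(name)) {
      throw new TypeError(`invalid header name "${name}"`);
    }
    if (!isSafeHeaderValue(value)) {
      throw new TypeError(`invalid characters in header "${name}"`);
    }
  }
  return Object.entries(headers)
    .map(([name, value]) => `${name}: ${value}`)
    .join('\r\n') + '\r\n\r\n';
}

// Constructed sample inputs: a benign host, and one carrying an injected line.
const SAMPLE_SAFE_HOST = 'example.test';
const SAMPLE_INJECTED_HOST = 'example.test\r\nX-Injected: 1';

// Runs the guard over both samples and reports what happened.
function demo() {
  const result = {
    safeAccepted: isSafeHeaderValue(SAMPLE_SAFE_HOST),
    injectedAccepted: isSafeHeaderValue(SAMPLE_INJECTED_HOST),
    injectedRejected: false,
  };
  try {
    buildHeaderBlock(SAMPLE_INJECTED_HOST);
  } catch (err) {
    result.injectedRejected = err instanceof TypeError;
  }
  return result;
}
```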
Research and attack techniques
- PortSwigger’s Gareth Heyes showcased how to detect server-side prototype pollution at the AppSec Dublin conference recently.
- Researchers from CyberXplore revealed their experience of hacking GitHub for a month, detailing the identification of six vulnerabilities outlined in their blog post.
- Software engineer Matt Frisbie created a malicious Google Chrome extension to demonstrate the risks users could face when installing unverified extensions.
Bug bounty/vulnerability disclosure
- A detailed write-up by security researcher Omar Hashem, who successfully took over a HubSpot account, explains the trials and tribulations of exploitation. Research often entails learning through mistakes, yet few write-ups openly discuss unsuccessful attempts.
- A researcher going by ‘infiltrateops’ elaborated on how they received a substantial payout from Apple and commended the response from Apple’s security team.
- Google published a review of bugs identified through its vulnerability reward initiative in 2022, revealing it resolved over 2,900 issues that year.
New open source security tools
- Legitify, a tool for identifying and fixing security concerns in GitHub and GitLab assets, has integrated support for GPT-based misconfiguration scans.
- GuardDog, a tool for detecting harmful Python packages using Semgrep and package metadata examination, has received updates adding npm support, new heuristics, and improved CI integration.
*PortSwigger is the parent company of The Daily Swig.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-twitter-2fa-backlash-godaddy-suffers-years-long-attack-campaign-and-xss-hunter-adds-e2e-encryption