Jessica Haworth-Elsayed 24 February 2023 at 13:09 UTC
Updated: 27 February 2023 at 15:32 UTC
In this bi-weekly summary, we delve into recent vulnerabilities in application security, innovative hacking methodologies, and significant updates from the cybersecurity landscape.

Recently, Twitter encountered backlash as its CEO Elon Musk declared that SMS-based two-factor authentication (2FA) will now be exclusive to paying subscribers. Historically, 2FA was accessible to all users who linked their mobile numbers to their accounts.
This announcement prompted substantial online criticism, especially among users who do not subscribe to the paid service. Nevertheless, it is worth noting that 2FA remains available to all users through third-party authenticator applications such as Google Authenticator.
Meanwhile, web hosting giant GoDaddy disclosed that it has been a target of a cyber-attack, which is part of a prolonged assault spanning nearly three years. The attack was first noted in December 2022 when some customers reported sporadic website redirection issues.
In a formal communication to the US Securities and Exchange Commission, it was revealed that this incident was tied to a previous security breach in March 2020, where the hosting credentials of roughly 28,000 customers were compromised.
GoDaddy suspects these breaches, along with a 2021 compromise involving its WordPress hosting service, form a part of an extensive campaign orchestrated by an advanced threat actor group.
On a related front, XSS Hunter, the tool relaunched by Truffle Security after its original creator discontinued it, has added optional end-to-end (e2e) encryption in response to criticism from users concerned about privacy. The relaunched version now includes features to enhance user data protection.
Additionally, Belgium has become the first European nation to implement a national safe harbor framework for ethical hackers, reflecting a progressive step towards enhancing cybersecurity standards.
Here are more noteworthy cybersecurity updates that surfaced in the past two weeks:
Web Vulnerabilities
- FortiNAC / Critical / Unauthenticated RCE – A vulnerability in certain versions of Fortinet FortiNAC that could allow unauthorized code execution. Details can be found in the February 16 advisory.
- Node.js / Medium / CRLF injection – Issues in the fetch API that could permit attacks like HTTP response splitting. Refer to the February 16 announcement for more.
- Kardex MLOG / TBD / RCE – A vulnerability leading to remote code execution, identified on January 24; details are available in the February 7 disclosure.
- Many more vulnerabilities across various platforms have been identified and addressed recently, further emphasizing the need for ongoing vigilance in cybersecurity.
Research and Attack Techniques
- PortSwigger’s Gareth Heyes showcased methods for detecting server-side prototype pollution at the recent AppSec Dublin conference.
- CyberXplore’s recent research detailed their month-long access to GitHub and their discovery of multiple vulnerabilities.
- Security engineer Matt Frisbie developed a malicious Google Chrome extension to showcase potential data exposure risks associated with careless installations.
Bug Bounty and Vulnerability Disclosure
- Omar Hashem detailed his journey through a HubSpot account takeover in a recent write-up, which is invaluable for understanding trial and error in research.
- The researcher known as ‘infiltrateops’ shared insights on successful exploits against Apple, noting the positive reception from their security team.
- Google’s analysis of its vulnerability reward program reveals over 2,900 bugs were resolved in 2022.
Open Source Security Tools
- Legitify now offers support for GPT-based scanning to detect and address security misconfigurations across GitHub and GitLab projects.
- GuardDog, aimed at pinpointing malicious Python packages, was recently updated for improved npm support and easier integration.
*PortSwigger oversees The Daily Swig.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-twitter-2fa-backlash-godaddy-suffers-years-long-attack-campaign-and-xss-hunter-adds-e2e-encryption
