

A serious security flaw in a commonly used but overlooked open source security module may be undermining the integrity of hundreds of thousands or even millions of private and public applications, putting untold numbers of organizations and their data at risk.

A team of independent security researchers that includes application security professionals at Shutterstock and Squarespace identified the flaw in private-ip, an npm module first published in 2016 that lets applications block request forgery attacks by filtering out attempts to reach private IPv4 addresses (the RFC 1918 ranges) and other reserved IPv4 address ranges.

The researchers identified a so-called Server Side Request Forgery (SSRF) vulnerability in commonly used versions of private-ip. The flaw, tracked as CVE-2020-28360, allows attackers to carry out SSRF attacks against a population of applications that may number in the hundreds of thousands or millions globally.

It is just the latest incident to raise questions about the security of the "software supply chain," as more and more organizations shift from monolithic to modular application development built on a foundation of free and open source code.

The SSRF Blocker That Didn't

According to an account by researcher John Jackson of Shutterstock, flaws in the private-ip code meant that the filtering the module was supposed to perform was faulty. Specifically, independent security researchers reported being able to bypass protections and carry out Server-Side Request Forgeries against top tier applications. Further investigation uncovered a common explanation for those successful attacks: private-ip, an open source security module used by the compromised applications.

SSRF attacks allow malicious actors to abuse functionality on a server, for example reading data from internal resources or modifying the code running on the server. SSRF is one of the most common forms of attack on web applications according to OWASP. Private-ip was created to help application developers spot and block such attacks.

The problem: private-ip didn't do its job very well. "The code logic was using a simple Regular Expression matching," Jackson told The Security Ledger.
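The article does not spell out how the regular-expression check was bypassed, but the way string-matching IP filters fail in general is well known: the pattern is tested against the text the application received, while the network stack accepts many spellings of the same address (hex and octal parts, a single decimal integer, fewer than four dotted parts), and any spelling the pattern does not anticipate slips through. The following is an added example written for this page, not private-ip's source code and not the researchers' proof of concept. It places an illustrative regex filter (the pattern list is an assumption, not the module's actual list) beside a filter that first parses the address into a 32-bit integer with inet_aton() semantics and only then compares it against blocked CIDR ranges. The sample inputs are constructed; the code is IPv4 only and does no hostname resolution.

```javascript
// Added example (not private-ip's source code): a string-matching IP filter
// in the style the article describes, beside a filter that canonicalises
// the address before deciding. IPv4 only; hostnames and IPv6 are out of scope.

// --- Naive filter: test the textual form against prefix patterns. ---
// Illustrative patterns only; the exact list private-ip used is not shown here.
const NAIVE_PRIVATE_PATTERNS = [
  /^10\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /^192\.168\./,
  /^127\./,
  /^169\.254\./,
];

function isPrivateNaive(host) {
  return NAIVE_PRIVATE_PATTERNS.some((re) => re.test(host));
}

// --- Hardened filter: parse first, then compare numerically. ---

// One dotted part, accepting the spellings inet_aton() accepts:
// decimal, leading-zero octal, or 0x hex. Returns null if unrecognised.
function parsePart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(s))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return Number(s);
  return null;
}

// Whole address to an unsigned 32-bit integer with inet_aton() semantics:
// 1 to 4 parts; every part but the last is one byte; the last part fills the
// remaining bytes, so "127.1", "0x7f.0.0.1" and "2130706433" all become
// 0x7f000001. Returns null for anything that is not an IPv4 literal.
function ipv4ToInt(host) {
  const parts = host.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some((n) => n === null)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  const tailBytes = 4 - nums.length;
  if (last >= 2 ** (8 * tailBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  return (value * 256 ** tailBytes + last) >>> 0;
}

// Ranges an SSRF filter normally refuses, as CIDR blocks compared by prefix.
const BLOCKED_CIDRS = [
  '0.0.0.0/8',      // "this" network; 0.0.0.0 reaches localhost on Linux
  '10.0.0.0/8',     // RFC 1918
  '100.64.0.0/10',  // RFC 6598 shared address space
  '127.0.0.0/8',    // loopback
  '169.254.0.0/16', // link-local, including cloud metadata endpoints
  '172.16.0.0/12',  // RFC 1918
  '192.168.0.0/16', // RFC 1918
  '224.0.0.0/4',    // multicast
  '240.0.0.0/4',    // reserved, including limited broadcast
].map((cidr) => {
  const [base, bits] = cidr.split('/');
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return { net: (ipv4ToInt(base) & mask) >>> 0, mask };
});

// true = inside a blocked range, false = routable, null = not an IPv4 literal.
function isPrivateCanonical(host) {
  const addr = ipv4ToInt(host);
  if (addr === null) return null;
  return BLOCKED_CIDRS.some(({ net, mask }) => ((addr & mask) >>> 0) === net);
}

// Fail closed: only a parseable literal outside every blocked range passes.
// A real filter must also resolve hostnames and re-check every resolved
// address (and the address actually connected to, against DNS rebinding).
function allowOutboundIPv4(host) {
  return isPrivateCanonical(host) === false;
}

// Constructed sample inputs: alternate spellings of 127.0.0.1 and
// 169.254.169.254 alongside one ordinary public address.
const SAMPLES = [
  '127.0.0.1', '127.1', '0x7f.0.0.1', '0177.0.0.1', '2130706433',
  '0x7f000001', '169.254.169.254', '0xa9fea9fe', '8.8.8.8',
];

// The inputs the naive filter lets through that the canonical one blocks.
function naiveBypasses() {
  return SAMPLES.filter((h) => !isPrivateNaive(h) && isPrivateCanonical(h) === true);
}

for (const h of SAMPLES) {
  console.log(h.padEnd(16), 'naive:', isPrivateNaive(h), 'canonical:', isPrivateCanonical(h));
}
```

Five of the nine constructed inputs pass the naive filter and are blocked by the canonical one; every one of them is a spelling of 127.0.0.1 or 169.254.169.254 that a socket library would happily connect to. The hardened check returns null rather than false for anything it cannot parse, so a caller that treats "not private" as "safe" still refuses hostnames and malformed input instead of letting them through.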
