
#HackerKast 17: UK Bans WhatsApp and iMessage, Instagram Privacy Issues, Cross Site Content Hijacking (XSCH), Amazon S3 Bitcoin Hack

Howdy Partners! Hope you all are in full swing in the new year and taking names. I know for a fact that a ton of you are busy since every hotel in Santa Clara, Calif., was sold out this month just as Robert and I were trying to visit the mothership.

Anywho… we started this week’s HackerKast chatting about how our blog post of the North Korean Web Browser got so much traffic that it DoS’d us. The ol’ Reddit hug of death got us and our poor IT department was thrilled with us.

The first news story we covered was the brilliant discussion going on across the pond in the UK about banning a ton of encrypted messaging services, including WhatsApp and iMessage. We all feel this is a silly reactionary measure to try to thwart terrorist communications but will have repercussions that will be wide-reaching. Knowing our audience, I’m probably preaching to the choir, but there are plenty of legitimate reasons for strong encryption protected messaging services. I think another side of my feelings were best summed up by a tweet:

Next, we brought up some Instagram news about a privacy problem they had over there. Turns out that if your Instagram profile was ever set to public, the photos you posted while it was public stayed reachable by their direct URLs, no matter what your privacy settings are now. Flipping the account to private only hides the photos from the app, not from anyone who already has the link. This is a thinly veiled illusion of privacy and further proves that if you don’t want a photo seen, you shouldn’t put it on the Internet at all.

Robert followed this up by briefly mentioning some new attack research, dubbed Cross Site Content Hijacking, that was published recently. We need another acronym like we need a hole in the head, but this research could prove to be very interesting. What perked our ears up about this type of vuln was that it might be possible to read arbitrary HTTP headers across domains. That includes the Referer header, which many web applications lean on as a CSRF defense; Django, for example, checks the Referer on HTTPS requests as one layer of its CSRF protection. If an attacker can read that header from another origin, a defense built on the assumption that it stays secret is worth a second look. We haven’t dug deeply into this one but wanted to bring it up as a potentially interesting bit of research for you folks to chew on.

Some news about an Amazon S3 hack bubbled to the top this week which we’ve heard about before but is still super fun to talk about and – more importantly – to learn to protect yourself from. We all know our secrets are an important thing to keep secret, but with the ever-growing popularity of programmatically spinning up and down virtual instances in Amazon it is becoming easy to forget that an AWS access key (the access key ID plus its secret access key) is sitting in your code. If you are using those keys in development and you accidentally leave them in your code when you push it up to a public GitHub repo, those keys are now public. GitHub and Amazon do a decent job of trawling the Internet keeping an eye out for this happening, but it still happens, even to the best of us. A popular (mis)use case of this kind of hack is using your leaked key to spin up instances that start mining bitcoins for the attacker. This usually doesn’t get caught until the victim gets the big bill in the mail for the CPU time. The boring but effective fixes: keep keys out of source entirely (environment variables or an instance role), give the key only the IAM permissions the job needs, and rotate it the moment you suspect it has been exposed, because deleting the commit from GitHub does not un-leak anything.
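Since the whole problem is a key that should never have made it into a commit, the cheapest defense is catching it before the push. Below is an added example from us, not code from the original story, the affected developer, or GitHub/Amazon: a small scanner that flags AWS access key IDs (the `AKIA` plus 16 upper-case alphanumerics pattern IAM issues to users) and 40-character secret access keys on lines that mention a secret. The file names and contents are constructed sample input, and the key values are the well-known placeholder credentials from AWS’s own documentation, not real keys.

```python
import re
from dataclasses import dataclass

# IAM user access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
# The look-arounds stop a longer token (e.g. a hash) from matching by accident.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA[0-9A-Z]{16})(?![A-Z0-9])")

# Secret access keys are 40 chars drawn from the base64 alphabet. That alone
# would match every SHA-1 in the repo, so only flag it on a line that
# mentions "secret" within a few characters of the value.
SECRET_RE = re.compile(
    r"(?i)secret[^\n]{0,30}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never print the whole credential back into a log


def redact(value: str) -> str:
    return value[:4] + "****" + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns a Finding per credential-looking token."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, n, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_RE.finditer(line):
            findings.append(Finding(path, n, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents (what a pre-commit hook would read from the index)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input. The AKIA/secret values are the placeholder
# credentials from AWS documentation, used here as stand-ins for a real leak.
SAMPLE_FILES = {
    "settings.py": (
        "# constructed sample: credentials pasted into config during development\n"
        "AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
        "AWS_SECRET_ACCESS_KEY = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "# constructed sample: keys come from the environment, nothing to flag\n"
        "export AWS_ACCESS_KEY_ID=\"$CI_AWS_KEY\"\n"
        "aws ec2 run-instances --image-id ami-12345678\n"
    ),
    "README.md": (
        "# constructed sample: a word that merely starts with AKIA\n"
        "Use the AKIAMAKER tool to bake cakes.\n"
    ),
}


def has_leaks(files: dict) -> bool:
    """True if anything credential-looking was found; a hook would exit non-zero."""
    return bool(scan_files(files))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    raise SystemExit(1 if has_leaks(SAMPLE_FILES) else 0)
```

Wired into a pre-commit hook, `has_leaks` blocking the commit is the point; the redaction in `Finding` matters because a scanner that echoes the full secret into CI logs just moves the leak somewhere else. This is a pattern check, not proof a key is live, so treat a hit as “rotate now and then investigate,” not as a false-positive to argue with.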

“Kid hacks into school’s website to shame them for making them go to school when the roads were covered in snow” has to be our favorite headline of the week. We’d love to include the screenshots from this website defacement but they are pretty NSFW. The kids hacking school stories are always a lot of fun because I think it resonates with a lot of us who have memories of being bored in school and playing with computers just wondering if you could switch your grades. Not that any of us did such a thing.

Notable stories this week that didn’t make the cut:

Iran orders 3 communication apps blocked (LINE, WhatsApp and Tango)

AT&T is going to start supporting WebRTC

Silk Road Reloaded moving to I2P instead of Tor

Obama proposal: Hacked companies have 30 days to fess up

References:

WhatsApp and iMessage could be banned under new surveillance plans

Iran orders 3 communication apps blocked

Your private Instagrams weren’t as private as you thought they were

Content hijacking proof-of-concept using Flash, PDF and Silverlight

Dev put AWS keys on Github. Then BAD THINGS happened

Angry Student Hacks County’s Website to Apologize for Snow Day

Tags: application security, Vulnerabilities