Industry Observations-Vulnerabilities-Web Application Security-WhiteHat HackerKast

#HackerKast 24: Uber driver data hacked, Hilary Clinton’s personal email, Relative Path Overwrite

Hey Everybody! Thanks for checking out this week’s HackerKast. Lets get started!

Started off this week talking about Uber’s data breach that happened recently. For those who haven’t heard about it, it seems 50,000 of their drivers personal information was accessed illegally. Info such as their names, drivers license info, plate numbers, etc. The culprit here was a familiar one to us which is private database keys ending up on a public github repository. GitHub and Amazon actively scan GitHub repos for private keys to notify their users they might want to take them down. Shows that apparently this is happening enough for it to be a big enough problem for these guys to be monitoring for.

Next, we did some shameless self promotion on a cool thing Robert whipped up. A huge problem lately, has been registrars and DNS providers being hacked in order to redirect domains to malicious servers. In order to stay on top of this Robert wrote a tool to monitor your DNS so that if your record ever changes you’ll get an alert and can minimize the problem. Feel free to download the little script and mess around with it!

Hillary Clinton made security news this week due to some email issues that came to light after a few years. Turns out she was utilizing a personal email address instead of a state department email address during her time there. Tons of speculation on why she did this and if it was a good idea or not but it certainly seems out of the norm. The fact that this email server’s login page is public facing and being talked about is probably a bad thing since anybody can try to login.

In top level domain news, all sites on the .tp TLD are being phased out and switched over the .tl space. Now that TLDs are open to registration, if somebody goes back and registers .tp domains they’ll start getting a lot of unintended inbound traffic. This is the first time any of us have heard of a TLD switching. Robert points out if somebody registers the implications will be pretty nasty.

We gave a quick shout out to a bunch of our favorite conferences coming up that a few of us are getting involved in. Jer and I are both speaking at RSA and the AppSecUSA CFP is open. We always love AppSecUSA as one of our favorite conferences of the year.

Lastly, Robert covered some really cool new research called a Relative Path Overwrite. This comes to us from Gareth Hayes who is always coming out with great stuff and this is no exception. The attack has to do with the way paths are coded into websites with some popular shorthand in relative paths. Simply leaving off a slash at the end of a path or using some ../../ notation will make you vulnerable to this attack in certain browsers. Be sure to check out this research for some juicy new web app fun.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay


Notable stories this week that didn’t make the cut:

Alleged Anonymous hacker, deported to U.S. after Canada refused to grant asylum

Apple Pay Scam

PayPal Drops Mega Due to End-To-End Encryption