Hey All! Thanks for checking out this week’s HackerKast! We’re all back and recovering from RSA and my feet still hurt.
Starting off with This Week In WordPress Sucks™, we’ve got a vulnerability in WordPress core this time. This is usually not the case as core has been gone over several times with a fine toothed comb, but some persistent XSS in core comment functionality popped up anyway. Also, as per usual, a few hundred plugins were vulnerable to an XSS that was found in two different frequently used functions that were poorly documented. The core issue were patched already but it is up to administrators of WordPress installs to race and get the patch installed.
Next, in silly things that affect the stock market news, Italy’s 2nd largest bank had a hoax email go out pretending to be the CEO resigning. Within moments, the stock takes a huge crash before coming back up after everyone realizes it was a hoax. We’ve seen this before a few times, notably the time Associated Press Twitter account was hacked and tweeted about a bomb at the White House which caused the entire stock market to take a dive for a few minutes. This all points to the fact that there are automated stock trading systems out there making decisions based off of social media and news information.
We had a little chat about the recent problem over at Tesla where their homepage was “defaced”. This wasn’t actually a defacement of any servers on their end but the attackers went after the recently popular low hanging fruit of DNS providers. Once the DNS provider was owned, the homepage was redirected along with any MX records allowing emails to be rerouted to the attackers. With this email rerouting in place, they then sent out some Twitter password reset emails which allowed them to take over the social media accounts. What Robert and I touched on at the end here is that Tesla was lucky that this was all for the lulz because that email rerouting, if done correctly, could’ve been silently MiTMing the company’s emails for some time before anybody noticed. Scary stuff relying on a DNS provider with that level of severity of compromise.
A new status code is being presented in the HTTP standard for the purposes of displaying a legally related block. Instead of just a 404, the browser would now present a 451 which would mean legally restricted due to any number of reasons. Most popularly this would show up for geolocation related blocks of content that tons of Netflix users are very aware of.
Lastly, MS-15-034, came out which was a Microsoft Buffer Overflow vulnerability in IIS servers. Of course Robert couldn’t help himself and wrote a snippet of exploit code. Then in This Week In RSnake Puts Something Dangerous Social Media™ he posted this code to Twitter for people to play with exploit in a remotely exploitable way. We’re toying with a possible demo we could do of this for you all but might take some tinkering to make it interesting.
Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
Notable stories this week that didn’t make the cut: