Application Security Weekly for May 20

Pretty big encryption news this week.  A well known flaw in HTML emails that are encrypted with S/MIME or PGP was "discovered" by some researchers, and given the full name, website, and logo treatment.  Even the EFF chimed in and astonishingly suggested people uninstall their encryption tools. The risk was largely overblown; take a look at the #efail tag on Twitter.  Here are a few links that give part of the story.

https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

https://efail.de/

https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

Have you updated your Electron app?  Hope so - there was a pretty bad code-injection flaw.

https://www.theregister.co.uk/2018/05/14/electron_xss_vulnerability_cve_2018_1000136/

Pro tip: Don't hardcode passwords into your devices.  Full stop.

https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-enterprise-software-again/

A bug in a cell phone tracking firm's website leaked millions of Americans' real-time locations.

https://www.zdnet.com/article/cell-phone-tracking-firm-exposed-millions-of-americans-real-time-locations/

And that's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.