Epic web security fails and salutary lessons from another inevitably eventful year in infosec

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Tomorrow we’ll publish some examples of the year’s cybersecurity successes, but today we’re kicking off with some amusing vulnerabilities, security disasters, and ‘must do better’ scorecards.

Reddit NSFW bypass

Reddit’s ‘Not safe for work’ restrictions could have been subverted via a cross-site request forgery (CSRF) vulnerability addressed by the social media platform in February.

The security bug enabled attackers to trick users into enabling the ‘I am over eighteen years old’ option and express a willingness to view adult content.

This medium severity issue earned the security researcher who found the flaw a $500 bug bounty.

QWACkers proposal

Mozilla, The Electronic Frontier Foundation, and dozens of computer science experts this year pleaded with EU lawmakers to abandon plans to force web browsers to recognize the validity of contentious web certificates created by the bloc.

A proposed amendment to the eIDAS – or electronic Identification, Authentication, and Trust Services – regulation would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).

RECOMMENDED Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development

The EU created QWACs in 2014 to validate a website’s professed identity and therefore, supposedly, protect users from fraud, malware, and surveillance. Mozilla argues that QWACs are inferior to, and would circumvent, the more effective and longstanding web authentication ecosystem already in place.

Some 38 security experts signed an open letter criticizing the plans that was addressed to the European Parliament in March.

Cyber fraud executive turned cyber fraudster

A US entrepreneur who pocketed millions of dollars after falsifying bank statements to generate investment for his cyber fraud prevention firm was sentenced to five years for securities fraud in November.

In a classic case of nefarious activities belying the noble or socially important role they are ostensibly playing (‘effective altruist’ Sam Bankman-Fried is accused of similar), Adam Rogas was convicted in relation to using fraudulent financial data to secure more than $123 million in financing for NS8, the company he co-founded.

This figure includes around $17.5 million that he apparently “personally obtained”, as The Daily Swig reported in March.

US attorney Damian Williams said: “Adam Rogas took the ‘fake-it-till-you-make-it’ saying to a criminal extreme. While claiming to be in the fraud prevention business, Rogas himself faked nearly all of his company’s customers, revenue, and assets.”

Patching process needs remediation

There have been some improvements when it comes to developing and applying patches but there remain causes for concern.

Not least the bug of 2021 – and perhaps the century – ‘Log4Shell’ did not provoke a universal rush to patch, with a third of Log4j downloads still pulling vulnerable versions nearly a year after its emergence.

Other causes for concern on this front include Apache Software Foundation (ASF) expressing alarm at the numbers of organizations running end-of-life versions of Apache software, while a North Carolina State University study warned of unacceptable delays to open source patches being rolled out.

AI still no substitute for human bug hunters

ChatGPT represents a great leap forward for AI, but proved no surrogate for homo erectus when it comes to finding and disclosing software security vulnerabilities.

The game-changing large language model (LLM) from OpenAI has already being used to write ransomware and craft phishing campaigns and offers potential utility for defenders too.

However, it’s shortcomings as a bug bounty hunter were exposed this month when a OUSD stablecoin maintainer suspected his interlocutor was a chatbot.

Daniel Von Fange reported “inconstancy between emails – each email seemed to pretend we were discussing a different bug, and each was a bug based on nonsensical premises, and each set of code sent along to prove the issues was valueless”.

The ‘researcher’ who submitted the flaw ultimately admitted ChatGPT had detailed the bug’s impact, exploitability, and possible remedies, but still had the audacity to ask for a bounty.

Von Fange told The Daily Swig that “current LLMs are good at finding plausible reasons why code might have a vulnerability”, but a bigger breakthrough would come when AI can automatically write and run code to verify exploitability.

LastPass existential crisis

Another year, another drip-drip of data breaches great and small, and few – if any – have sparked as much alarm as the recent compromise at password management platform LastPass.

Infosec Twitter’s horror centers on the potential impact – 33 million customers entrust their passwords to the password management market leader – and the fact the breach appeared to become more severe with every fresh update from the beleaguered company.

LastPass first revealed its servers had been hacked in August, but said it had found “no evidence” that attackers had accessed “customer data or encrypted password vaults”.

However, this changed over the festive period when LastPass admitted that hackers had stolen an employee’s cloud storage keys and pilfered customers’ encrypted password vaults.

The company nevertheless now says that, so long as customers use the recommended default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology”.

RELATED Password theft bug chain patched in Passwordstate credential manager