-
GitBleed – Finding Secrets in Mirrored Git Repositories – CVE-2022-24975
Summary Due to a discrepancy in Git behavior, partial parts of a source code repository are visible when making copies via the “git clone” command. There are additional parts of the repository that only become visible when using the “–mirror” option. This can lead to secrets being exposed via git repositories when not removed properly,…
-
Insecure Bootstrap Process in Oracle Cloud CLI
Summary The bootstrap process for Oracle Cloud CLI using the “curl | bash” pattern was insecure since there was no way to verify authenticity of the downloaded binaries. The vendor is now publishing checksums that can be used to verify the downloaded binaries. Vulnerability Details As part of our ongoing research into supply chain attacks,…
-
Three Reasons Why Log4J Is So Bad: Ubiquity, Severity and Exploitability
Over the last few weeks, security teams everywhere have been busy patching Log4J vulnerabilities. In this article we want to talk about the three things you can tell your friends why this is way worse. Ubiquity This vulnerability impacts impacts Java applications and those can be found almost anywhere: enterprise, vendor applications, database drivers, Android…
-
WhatsApp for Android Retains Deleted Contacts Locally
Summary WhatApp for Android retains contact info locally after contacts get deleted. This would allow an attacker with physical access to the device to check if the WhatsApp user had interactions with specific contacts, even though they have been deleted. Vulnerability Details When a contact is deleted on WhatsApp, their information about security code changes…
-
Open Redirect Vulnerability in Substack
Summary Substack had a open redirect vulnerability in their login flow which would have allowed an attacker to facilitate phishing attacks. The vendor has deployed a fix for this issue. Vulnerability Details Substack is an online platform that allows users to create and operate free and paid subscription newsletters. This platform had an open redirect…
-
Speaking @Appsec_Village @DEFCON 29
Our talk titled “The Poisoned Diary: Supply Chain Attacks on Install Scripts” was accepted at this year’s @Appsec_Village @DEFCON 29. UPDATE: It will take place on Sunday, August 8th, at 9:05 AM PST / 12:05 PM EDT. Details can be found here – Q&A will take place on DEFCON’s Discord server. Slides (PDF) Video recording…
-
Firebase CLI Installer Making Calls to Google Analytics
Firebase is a mobile and web application development platform provided by Google. One of the tools available for the platform is the Firebase CLI tool (GitHub repo) which helps developers interact with the platform from command line. An automatic install script is offered among other options, which allows installation of the CLI tool via the…
-
New Tools for Addressing Supply Chain Attacks
In the recent codecov.io security incident, an attacker modified a shell script used by a common software development tool for code coverage. This modification did not take place at the original source code repository where it would have been visible to others, but after the code was packaged and placed on the web server from…
-
What To Know About Endpoint Monitoring in 2025
Today’s workforce is more distributed than ever. Globally, 16% of companies are fully remote, while 40% have a hybrid arrangement. As workforces become increasingly distributed, security leaders face many challenges. They must monitor potential malicious activity across a wide array of devices scattered throughout the entire network. With the rise of endpoint monitoring tools, it…
-
20 Causes of Data Loss Threatening Businesses in 2025
Data is not just a strategic asset. It’s the lifeblood of your organization. Losing access to any strategic asset can threaten an organization’s viability; without plants and equipment, manufacturers would find it difficult to succeed, and service providers can’t operate without brand recognition. Similarly, without data, your organization could be left in a state of…