March 17, 2020

Slack fixes account-stealing bug

By Danny Bradbury

Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions. The flaw could have allowed attackers to pilfer users’ cookies, giving them full account access. They could also have automated those attacks at scale, said the researcher who discovered it, Evan Custodio.

The bug relies on a sneaky trick called HTTP request smuggling, which takes advantage of how back-end servers process requests using this protocol. Browsers use HTTP to ask web servers for pages and other resources. Those requests generally pass through multiple servers: a front-end proxy server might forward each request to one of several back-end servers, for example. The front-end server often serves as a clearinghouse for requests from different browsers, meaning that different people’s sessions with web applications mingle in the same traffic stream.

The problem lies in the way that HTTP communications announce themselves. This announcement, known as an HTTP header, has to tell the server where the request ends. It does this in one of two ways.

The first uses a Content-Length header that tells the server how many bytes long the request is. The second uses a Transfer-Encoding: chunked header. This tells the server that the content comes in chunks, which end with a zero-sized chunk.

An HTTP request is only supposed to use one of these headers, but HTTP smuggling attacks use both of them to confuse the front-end and back-end servers. The idea is to make each server process the request differently.

Custodio discovered that Slack was susceptible to a variant of the HTTP smuggling attack called CLTE, in which the front-end server uses the Content-Length header while the back-end server uses the Transfer-Encoding one. Each header specifies a different amount of content to process, causing the front-end server to process more content than the back-end one.
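To show how the two framing rules can disagree, here is an added example (not from the article or from Slack) of the check a front-end proxy should perform before forwarding a request: it parses a constructed HTTP/1.1 request that carries both headers, computes where the body ends under Content-Length framing and under chunked framing, and reports the bytes that a chunked-framing back end would leave unread and treat as the start of the next request on the connection. The request, host name and filler bytes are all constructed for the example.

```python
# Constructed sample request (not from the article): it carries BOTH framing
# headers, which RFC 7230 says a receiver must treat as an error rather than
# try to reconcile. Content-Length counts the whole 18-byte body, while the
# chunked framing ends at the zero-sized chunk, leaving "XYZ" unread.
AMBIGUOUS_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 18\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\nXYZ"
)


def split_message(raw):
    """Return (lower-cased header dict, raw body bytes) for one HTTP/1.1 message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def body_end_by_chunked(body):
    """Chunked view: walk size/data chunks until the zero-sized chunk."""
    pos = 0
    while True:
        size_line_end = body.index(b"\r\n", pos)
        size = int(body[pos:size_line_end].split(b";")[0], 16)
        pos = size_line_end + 2
        if size == 0:
            return body.index(b"\r\n", pos) + 2  # consume the trailer terminator
        pos += size + 2  # skip chunk data plus its trailing CRLF


def framing_report(raw):
    """Flag a request whose Content-Length and chunked framings disagree.

    A front end that honours Content-Length forwards cl_end bytes; a back end
    that honours Transfer-Encoding stops at te_end, so body[te_end:] would be
    read as the beginning of whatever request comes next (the CL.TE case).
    """
    headers, body = split_message(raw)
    if not (b"content-length" in headers and b"transfer-encoding" in headers):
        return {"ambiguous": False}
    cl_end = int(headers[b"content-length"])
    te_end = body_end_by_chunked(body)
    return {"ambiguous": cl_end != te_end, "cl_end": cl_end, "te_end": te_end,
            "te_leftover": body[te_end:]}
```

The safe handling is simply to reject any request that carries both headers; the offsets are computed only to make the disagreement visible.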

Read more at https://nakedsecurity.sophos.com/2020/03/17/slack-fixes-account-stealing-bug/

Tor browser fixes bug that allows JavaScript to run when disabled

By John E Dunn

The Tor browser has fixed a bug that could have allowed JavaScript to execute on websites even when users think they’ve disabled it for maximum anonymity.

The Tor Project revealed the issue in the release notes for version 9.0.6, initially suggesting users manually disable JavaScript for the time being if the issue bothered them.

That was subsequently revised after the NoScript extension – used by Tor to control the execution of JavaScript, Java, Flash and other plugins – was updated to version 11.0.17.

Whether the issue matters depends on how users have configured Tor to treat JavaScript.

Tor’s ‘standard’ setting enables JavaScript by default, which users can upgrade to either ‘safer’, which disables JavaScript on non-HTTPS sites, or ‘safest’, which disables JavaScript completely.

Each setting has its pros and cons. Leaving JavaScript enabled opens users to the hypothetical risk that their anonymity might be compromised, for example using a vulnerability in the underlying Firefox browser.

Read more at https://nakedsecurity.sophos.com/2020/03/17/tor-browser-fixes-bug-that-allows-javascript-to-run-when-disabled/

WordPress to get automatic updates for plugins and themes

By John E Dunn

If WordPress had a list of the most requested features, the ability to automatically update plugins and themes would surely be near the top.

Some good news: according to a recent development update, the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August.

WordPress itself, the Content Management System Core, has had auto-updating since version 3.7 in 2013, which meant that security updates could be applied automatically.

Given the number of attacks exploiting WordPress vulnerabilities in the years leading up to that change, it was a big moment.

Unfortunately, the same wasn’t true of that other area of WordPress exposure, namely plugins and themes.

Whereas many years ago such add-ons were viewed as optional for most sites, these days many have become essential additions that add important capabilities to WordPress sites.

Vulnerabilities in these now generate a steady stream of stories:

We didn’t cherry-pick these – all of these were from 2020.

Read more at https://nakedsecurity.sophos.com/2020/03/17/wordpress-to-get-automatic-updates-for-plugins-and-themes/

Europol busts up two SIM-swapping hacking rings

By Lisa Vaas

After months-long, cross-border investigations, Europol announced on Friday that it’s arrested more than two dozen people suspected of draining bank accounts by hijacking victims’ phone numbers via SIM-swap fraud.

Following a ramp-up in SIM-jacking over recent months, police across Europe have been gearing up to dismantle criminal networks that organize these attacks, Europol says.

That growth mirrors what’s happening in the US: In October, the FBI warned that bad guys were getting around some types of two-factor authentication (2FA). The easiest – and, therefore, the most common – way to sneak past 2FA is SIM-swap fraud, where an attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number or plants malware on a victim’s phone, thereby allowing them to intercept 2FA security codes sent via SMS text.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

Read more at https://nakedsecurity.sophos.com/2020/03/17/europol-busts-up-two-sim-swapping-hacking-rings/

ACS

Advanced Computer Services of Central Florida
