Security

The AddToAny Share Buttons  WordPress Plugin was, until recently, vulnerable to a DOM-based cross-site scripting issue. The file in question is hosted on the author’s site, so you’re not vulnerable anymore (you’re welcome). If you just want the vulnerability details, go here . Now for the story of this bug.

This particular journey started with an email from XSSposed , a site intended to allow security researchers to responsibly report cross-site scripting issues in sites that don’t run formal bug bounty programs like those seen here . Having never heard of it before, I was immediately suspicious. I like the concept of bug bounties just fine, but I was a little surprised to learn that I had unknowingly opened one on my site.

At the risk of spoiling a somewhat-well-known XSS game, I want to share an XSS vector I had never thought of before it forced me to. The premise of this level was, essentially, that you couldn’t use any letters whatsoever in the attack vector, and you had to call alert(1).

So, without further ado, here it is:

What a mess, right?! What the hell are we doing here? Let’s take it piece-by-piece.

Recently, while looking at a JavaScript function intended to generate a cryptographically-secure random IV to be used in AES-GCM, I noticed something interesting which I immediately suspected was not unique to this project. Sure enough, Matt, my awesome colleague, sent me a link to a how-to article describing the process of generating random values in Node.js that included the exact same quirk.

Here is their example (with minor edits so as not to call out the author of that how-to post too explicitly):

The “snippet preview” functionality of the Yoast Wordpress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago  by someone named “badconker”, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version .

I’m happy to announce the latest version of a project that the Security Engineering team at Rackspace has been working on: DefectDojo ! DefectDojo is an open source defect tracking system that was created by our team to keep up with security engagements, but it can be useful for tracking any type of application testing. It supports functionality like Finding templates, PDF report generation, metrics graphs, charts, and some self-service tools for doing port scans, for example.

I noticed a while back that when I carelessly entered my login credentials to the form for registering a new user account on the front page of the DigitalOcean site, it would still log me in. Neato.

However, I was slightly less amused when I noticed that the login event didn’t show an IP address in my security history.

I reported this at the time the screenshot was taken several months ago. It appears they have recently fixed the issue.

Earlier today I wanted to explore using Growl / GNTP to listen for notifications from a remote server. I checked out the Growl developer bindings page, found the Python implementation , and started working on a simple app to send me notifications about various things.

I was planning on running this on my server so I could also interface with Twilio and accept callbacks, without having to expose a webserver on my local machine to the internet. To do this, I was going to accept remote notifications in Growl using a password. I realized pretty quickly this was a worse idea.

I recently paid for something online using what I considered a secure online payments processor, and they asked that I provide a password to create an account to complete the transaction. You will understand in a second (if you don’t already) why I was so angry when, a few seconds later, I got this:

I couldn’t believe it. Please enter a shorter password.

Why does this make me mad? Because it means one of three things:

Checking out Hacker News for a refreshing end to my work day, I was instead greeted with the worst of all tech-related bad news: Heartbleed , an exploit in popular versions of OpenSSL allowing attackers anonymous (read: no way to figure out how widely it’s been exploited up to this point) access to 64kb of memory of an affected client or server .

How bad is it? Tor had this to offer in its blog post on the subject :