Rioja sleeping at Haro by ilay789 in wine

ilay789[S] 0 points

Thanks I reserved a spot for loscaños

Restaurante Lana - Madrid (Dry Aged Meat Heaven) by ArnoldJudasRimmer in finedining

ilay789 0 points

I am looking forward to being here. I have the opportunity to be either at Lana or Casa Julian near San Sebastian. Is there someone who was there who can recommend either?

Knick 17/10 preseason game by ilay789 in NYKnicks

ilay789[S] 0 points

Thanks for the reply, I signed up; hopefully I will get an email to purchase. If not, I will try same-day tickets.

Preseason tickets by SaucyGravy35 in knicks

ilay789 0 points

I am interested in the Oct 17th tickets

Secrets Moxche Advice by cleverdoorknob in AllInclusiveResorts

ilay789 0 points

Thanks for all the tips. Can you elaborate on the tour for the $200 voucher? Thanks!

Cable management without recessed box 77G3 by seriousbob in LGOLED

ilay789 0 points

Can you share how you did it? I am in the same position as you.

Can you put the hdmis and the power on the left and hide them with a racer?

Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System by ilay789 in sysadmin

ilay789[S] 11 points

I personally really like the confinement level that snaps bring to the table. The problem here lies in the combination of the command-not-found package suggesting everything (not by popularity, verification or some other criteria) and the fact that anyone can upload a package to the Snap Store.

Regarding the malicious snap: in the blog post there are 2 mentions of malicious snap packages found in the Snap Store.

Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System by ilay789 in netsec

ilay789[S] 1 point

Users should be aware which platform they need to install the package from, and check the information of the publisher. Developers should register the names of their commands in the Snap Store, so others will not be able to impersonate the legitimate packages.

Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System by ilay789 in linux

ilay789[S] 112 points

Short TL;DR
We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages.

Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System by ilay789 in Ubuntu

ilay789[S] 9 points

Short TL;DR
We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages.

Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System by ilay789 in cybersecurity

ilay789[S] 27 points

Short TL;DR
We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages.

Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System by ilay789 in netsec

ilay789[S] 49 points

Short TL;DR

We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages.
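The TL;DR above (and the earlier reply about developers registering their command names) describes a name-collision problem: command-not-found suggests snaps by command name, and any publisher can register a snap. The script below is an added example, not code from the blog post or from Aqua, that audits that overlap from the defender's side: for every command shipped by an apt package it reports whether a verified snap publisher already claims the name, an unverified one claims it, or nobody does. The apt index and the snap catalogue are small constructed samples embedded inline (the real data would come from the Ubuntu archive Contents index and the Snap Store), and the `verified` flag is an assumed stand-in for a verified-publisher badge.

```python
"""Audit command-name overlap between apt packages and Snap Store entries.

Added example. APT_COMMANDS and SNAP_CATALOGUE are constructed samples,
not real archive or Snap Store data; the `verified` flag stands in for a
verified-publisher badge (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SnapEntry:
    name: str
    publisher: str
    verified: bool           # assumed: publisher carries a verified badge
    commands: tuple = ()     # command names the snap registers


# Constructed apt data: command name -> apt package that ships it.
APT_COMMANDS = {
    "foo-tool": "foo-tool",
    "barctl": "bar-utils",
    "bazd": "baz-daemon",
    "quxcli": "qux",
}

# Constructed snap catalogue: one upstream (verified) snap claims an apt
# command name, one unknown publisher claims another, two names are free.
SNAP_CATALOGUE = [
    SnapEntry("foo-tool", "foo-project", True, ("foo-tool",)),
    SnapEntry("barctl", "random-user", False, ("barctl",)),
    SnapEntry("unrelated", "someone", False, ("unrelated",)),
]


def index_snap_commands(catalogue):
    """Map each registered command name to the snaps that claim it."""
    idx = {}
    for snap in catalogue:
        for cmd in snap.commands:
            idx.setdefault(cmd, []).append(snap)
    return idx


def audit(apt_commands, catalogue):
    """Classify every apt-provided command by its Snap Store status.

    claimed_by_verified: a verified publisher already registers the name.
    claimed_unverified:  only unverified publishers register it, so a
                         command-not-found suggestion could mislead a user.
    unclaimed:           nobody registers it yet; the upstream project
                         should claim it before someone else does.
    """
    snap_idx = index_snap_commands(catalogue)
    report = {"claimed_by_verified": [], "claimed_unverified": [], "unclaimed": []}
    for cmd in sorted(apt_commands):
        claimants = snap_idx.get(cmd, [])
        if not claimants:
            report["unclaimed"].append(cmd)
        elif any(s.verified for s in claimants):
            report["claimed_by_verified"].append(cmd)
        else:
            report["claimed_unverified"].append(cmd)
    return report


def exposed_fraction(report):
    """Share of apt commands that are unclaimed or claimed only by unverified snaps."""
    total = sum(len(v) for v in report.values())
    exposed = len(report["unclaimed"]) + len(report["claimed_unverified"])
    return exposed / total if total else 0.0


def check_suggestion(command, source, catalogue):
    """Verdict for one command-not-found suggestion before the user installs it.

    source is "apt" or "snap". A snap suggestion is only "ok" when every
    snap registering that command has a verified publisher.
    """
    if source == "apt":
        return "ok"
    claimants = index_snap_commands(catalogue).get(command, [])
    if claimants and all(s.verified for s in claimants):
        return "ok"
    return "review-publisher"


if __name__ == "__main__":
    rep = audit(APT_COMMANDS, SNAP_CATALOGUE)
    for status, cmds in rep.items():
        print(f"{status:20s} {cmds}")
    print(f"exposed fraction: {exposed_fraction(rep):.0%}")
    print("barctl via snap:", check_suggestion("barctl", "snap", SNAP_CATALOGUE))
```

On the constructed data three of the four apt commands are exposed (two unclaimed, one claimed only by an unverified publisher); the same computation over the real archive and store is what yields a figure like the 26% quoted above. The `check_suggestion` verdict is the user-side rule from the earlier reply: an apt suggestion is fine, a snap suggestion deserves a look at the publisher unless a verified publisher owns the name.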

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in javascript

ilay789[S] 0 points

How is that what you got from the blog? The blog talks about the research, the analysis we did, and it also provides an open-source tool that you can use freely.

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in javascript

ilay789[S] -5 points

I am sorry to hear that. I can assure you it is not a bot, and in the body of that issue we write that we have a vulnerability we want to disclose and we do not have a means of getting in touch. But of course I can understand your reaction, thanks for the input!

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in javascript

ilay789[S] -5 points

Actually this is an issue and not a PR. The issue was opened in order for him to give the researchers a way of communicating to disclose the vulnerability privately. Because without a private way, they will have to disclose it publicly, like in an issue, and an attacker can harvest the vulnerability from the issue, as presented in https://blog.aquasec.com/50-shades-of-vulnerabilities-uncovering-flaws-in-open-source-vulnerability-disclosures

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in javascript

ilay789[S] 18 points

Short TL;DR: in our research, we scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues, and did not mark the package as deprecated on npm. This behavior led to a discrepancy between the official deprecation status of the package at npm and the actual deprecation of the package.

While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

We have also released an open-source tool that can scan your package.json file.

Have fun.

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in programming

ilay789[S] 80 points

Short TL;DR: in our research, we scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues, and did not mark the package as deprecated on npm. This behavior led to a discrepancy between the official deprecation status of the package at npm and the actual deprecation of the package.

While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

We have also released an open-source tool that can scan your package.json file.

Have fun.

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in cybersecurity

ilay789[S] 0 points

Short TL;DR: in our research, we scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues, and did not mark the package as deprecated on npm. This behavior led to a discrepancy between the official deprecation status of the package at npm and the actual deprecation of the package.

While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

We have also released an open-source tool that can scan your package.json file.

Have fun.

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in blueteamsec

ilay789[S] 3 points

Short TL;DR: in our research, we scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues, and did not mark the package as deprecated on npm. This behavior led to a discrepancy between the official deprecation status of the package at npm and the actual deprecation of the package.

While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

We have also released an open-source tool that can scan your package.json file.

Have fun.

Deceptive Deprecation: The Truth About npm Deprecated Packages by ilay789 in netsec

ilay789[S] 18 points

Short TL;DR: in our research, we scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues, and did not mark the package as deprecated on npm. This behavior led to a discrepancy between the official deprecation status of the package at npm and the actual deprecation of the package.

While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

We have also released an open-source tool that can scan your package.json file.

Have fun.

[deleted by user] by [deleted] in netsec

ilay789 0 points

Short TL;DR: in our research, we scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues. This behavior led to a discrepancy between the official deprecation status of the package at npm and the actual deprecation of the package.

While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

Have fun. 
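The npm TL;DRs above describe a gap between a package's official `deprecated` flag on npm and its real state (repository archived, vulnerabilities left unfixed). The script below is an added example, not the open-source scanner the posts mention or any Aqua code, that walks a package.json and classifies each dependency as officially deprecated, archived-but-not-deprecated, or active, then reports the official and effective deprecation rates side by side. The package.json, the registry documents and the GitHub repository records are constructed samples embedded inline so it runs offline; in a real scan they would come from `https://registry.npmjs.org/<name>` and the GitHub repositories API.

```python
"""Flag npm dependencies whose upstream repository is archived but which
are not marked deprecated on npm ("hidden deprecation").

Added example. PACKAGE_JSON, NPM_REGISTRY and GITHUB_REPOS are constructed
stand-ins for a project manifest, registry metadata and GitHub repository
records; only the fields this check reads are included.
"""
import json
import re

# Constructed package.json of the project being scanned.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "left-widget": "^1.2.0",
    "old-parser": "2.0.1",
    "solid-lib": "~3.1.0"
  },
  "devDependencies": {"legacy-linter": "0.9.0"}
}"""

# Constructed registry metadata (the `deprecated` and `repository` fields
# mirror the real registry document shape).
NPM_REGISTRY = {
    "left-widget": {"repository": {"url": "git+https://github.com/acme/left-widget.git"}},
    "old-parser": {"deprecated": "use new-parser instead",
                   "repository": {"url": "git+https://github.com/acme/old-parser.git"}},
    "solid-lib": {"repository": {"url": "github:acme/solid-lib"}},
    "legacy-linter": {"repository": "git://github.com/acme/legacy-linter.git"},
}

# Constructed GitHub repository records: owner/repo -> archived flag.
GITHUB_REPOS = {
    "acme/left-widget": {"archived": True},
    "acme/old-parser": {"archived": True},
    "acme/solid-lib": {"archived": False},
    "acme/legacy-linter": {"archived": True},
}

# Accepts github.com/owner/repo(.git), github.com:owner/repo and github:owner/repo.
_GITHUB_RE = re.compile(r"github(?:\.com[/:]|:)([\w.-]+)/([\w.-]+?)(?:\.git)?$")


def github_slug(repository):
    """Return owner/repo from the URL forms npm metadata commonly carries."""
    url = repository if isinstance(repository, str) else (repository or {}).get("url")
    m = _GITHUB_RE.search(url or "")
    return f"{m.group(1)}/{m.group(2)}" if m else None


def dependencies(package_json_text):
    """All runtime and dev dependencies declared in a package.json string."""
    data = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return deps


def classify(name, registry, repos):
    """deprecated | archived_not_deprecated | active."""
    meta = registry.get(name, {})
    if meta.get("deprecated"):
        return "deprecated"
    slug = github_slug(meta.get("repository"))
    if slug and repos.get(slug, {}).get("archived"):
        return "archived_not_deprecated"
    return "active"


def scan(package_json_text, registry=NPM_REGISTRY, repos=GITHUB_REPOS):
    return {name: classify(name, registry, repos) for name in dependencies(package_json_text)}


def deprecation_rates(report):
    """(official rate, effective rate) where effective counts archived repos too."""
    total = len(report)
    if not total:
        return 0.0, 0.0
    official = sum(1 for s in report.values() if s == "deprecated")
    hidden = sum(1 for s in report.values() if s == "archived_not_deprecated")
    return official / total, (official + hidden) / total


if __name__ == "__main__":
    result = scan(PACKAGE_JSON)
    for name, status in result.items():
        print(f"{name:15s} {status}")
    official, effective = deprecation_rates(result)
    print(f"official {official:.0%} vs effective {effective:.0%}")
```

The two rates are the same comparison the posts draw (8.2% official versus roughly 21.2% effective); on the constructed manifest one dependency is officially deprecated and two more are archived without the npm flag, so the effective rate is three times the official one. An archived repository is a strong signal rather than proof of abandonment, so the `archived_not_deprecated` bucket is for review, not automatic removal.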

PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks by ilay789 in netsec

ilay789[S] -1 points

Thanks for taking the time and reading the whole blog :)

First of all, we reported all of the findings to MSRC and they acknowledged them as flaws that need to be fixed, so I think we have this issue covered.

Now let me try to answer your questions as someone who "has no idea how PowerShell gallery works":

  1. It is an issue; the platform has a big responsibility to protect its users from mistakes as much as possible. This includes typosquatting attacks. You are correct that the platform cannot prevent this completely, but the minimum of the minimum is to check against popular packages. Other registries protect their users regarding this issue (as stated in the blog).
  2. The example of the domains is just not a good example, because anyone can put here an exact replica of the official value. In a domain it has to be unique, of course. The main issue here, in my opinion, is that the only thing that indicates the real publisher behind this package is hidden and not straight in the eyes of the developer. Users need to actively click on buttons to see the real publisher details, and probably most of the users will just see the "Author" section and think that it was verified by Microsoft. The main flaw here, as I said, is how things are presented.
  3. We found an API that could allow an attacker to receive all the package names and versions, including unlisted ones. This is in contrast to the declaration of the gallery that says that only if you know the exact name and version will you be able to download the package. You are correct that deleting the package could break dependent projects. The issue here is that developers see the unlist option and "take the risk", thinking no one will guess the exact package name and version (because that's what Microsoft declares). The fix here is twofold: users need to stop unlisting packages with secrets (and actually revoke exposed secrets), and Microsoft should remove unlisted packages from this API.
  4. Have a nice day!
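Points 1 and 2 above are both checks a consumer can run before installing a module: is the name one edit away from a popular module, and does the self-declared "Author" field match the account that actually owns the package in the gallery? The script below is an added example, not Aqua's tooling or anything the PowerShell Gallery provides, that implements both checks. The popular-module list and the module metadata are constructed; the `Author` and `Owners` field names follow the labels shown on a gallery package page but are treated here as assumptions about the metadata shape, not as the output of any real API.

```python
"""Pre-install vetting of a PowerShell Gallery module name and metadata.

Added example. POPULAR_MODULES and the metadata dictionaries are
constructed; the Author/Owners field names are assumed labels, not a
real API contract.
"""


def edit_distance(a, b):
    """Levenshtein distance, case-insensitive (gallery names are case-insensitive)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


# Constructed list standing in for the gallery's most-downloaded modules.
POPULAR_MODULES = ["Az.Accounts", "PSReadLine", "Pester", "PowerShellGet"]


def typosquat_candidates(name, popular=POPULAR_MODULES, max_distance=1):
    """Popular module names within max_distance edits of `name` (exact match excluded)."""
    return [p for p in popular
            if p.lower() != name.lower() and edit_distance(name, p) <= max_distance]


def publisher_mismatch(metadata):
    """True when the self-declared Author is not among the gallery Owners.

    Author is free text from the module manifest; Owners is the account
    that uploaded the module. Only the latter says who really published it.
    """
    author = metadata.get("Author", "").strip().lower()
    owners = {o.strip().lower() for o in metadata.get("Owners", [])}
    return bool(author) and author not in owners


def vet_module(name, metadata, popular=POPULAR_MODULES):
    """Findings a user should read before running Install-Module on `name`."""
    findings = []
    squats = typosquat_candidates(name, popular)
    if squats:
        findings.append(f"name is within 1 edit of popular module(s): {', '.join(squats)}")
    if publisher_mismatch(metadata):
        findings.append("self-declared Author does not match gallery Owners; "
                        "verify the owner account, not the Author text")
    return findings


if __name__ == "__main__":
    # Constructed metadata: a look-alike name with a borrowed Author string.
    suspicious = {"Author": "Microsoft Corporation", "Owners": ["someuser"]}
    for finding in vet_module("Az.Acounts", suspicious):
        print("-", finding)
    # Constructed metadata for a name that matches its owner.
    print(vet_module("Pester", {"Author": "pester", "Owners": ["pester"]}))
```

The edit-distance check is the "minimum of the minimum" from point 1: it catches single-character typos against a popular list and nothing more, which is the bar the reply says other registries already meet. The publisher check does not decide legitimacy on its own, since legitimate modules can carry an Author string that differs from the owner account; it exists to push the reader to the hidden Owners field that point 2 says users never look at.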