Friday 28th of April edition

News

Massive exploitation of WordPress Eval PHP plugin

Sucuri, a GoDaddy-owned company, detected massive exploitation of Eval PHP, an 11-year-old WordPress plugin. Vulnerable WordPress plugins and abuse of eval functionality hardly come as a surprise. What is interesting, though, is the rapid increase in download numbers for the plugin since March. The vulnerable plugin is used to install a backdoor on infected websites to achieve persistence. According to Sucuri, three IP addresses from Russia are involved in the hacking.

Massive Abuse of Abandoned Eval PHP WordPress Plugin

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Google adds 2FA sync

Google has added a much-anticipated feature that allows users to sync their 2FA codes in Google Authenticator across iOS and Android devices. Sounds amazing, right? It would be if it were possible to encrypt the 2FA codes with a secret passphrase of your own in order to guarantee confidentiality. Currently, the codes are protected by HTTPS during transmission only, which means that Google has access to your codes as well. Worth mentioning is that users who demand a higher level of security than the average person would probably be better off without this new feature anyhow, since your Google account becomes a single point of failure.

Google leaking 2FA secrets – researchers advise against

Apache Superset suffers RCE

Apache Superset is a popular data visualization tool with over 50K stars on GitHub. In its default configuration the secret key used to encrypt user sessions on the server is fixed to a specific value, which in turn allows attackers to access administrative interfaces and data. Even though the installation instructions tell users to change the key to a random value, around two thirds of all Superset installations were found vulnerable. Being secure by default is indeed important.

CVE-2023-27524: Insecure Default Configuration in Apache Superset

Thousands of Apache Superset servers exposed to RCE attacks
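The Superset item above is a plain insecure-default problem: a secret that must be unique per deployment ships with a fixed value and most operators never replace it. The following is an added example, not Superset's own code, showing the weak configuration beside a hardened one and a small audit that flags a literal SECRET_KEY that is a placeholder, too short, or visibly non-random. The placeholder strings, the config fragments, the SUPERSET_SECRET_KEY environment variable name and the length and entropy thresholds are all constructed assumptions; when auditing a real deployment, compare against the default value shipped by your Superset version.

```python
"""Audit a Superset/Flask SECRET_KEY for the insecure-default problem.

Added example, not Superset's own code. Assumptions (not from the page):
superset_config.py assigns SECRET_KEY as a plain string literal, and the
placeholder values below are constructed stand-ins for whatever default
your Superset version ships; compare against the real one when auditing.
"""
import ast
import math
import secrets
from collections import Counter

# Constructed examples of what a never-replaced key looks like.
WEAK_PLACEHOLDER_KEYS = {
    "CHANGE_ME_TO_A_RANDOM_KEY",
    "thisismysecretkey",
}
MIN_KEY_LENGTH = 32        # characters; assumed threshold (about 24 random bytes in base64)
MIN_BITS_PER_CHAR = 3.5    # heuristic: hex is capped at 4.0, English prose sits near 3.0

# Constructed config fragments: the weak literal beside the hardened version,
# which keeps the key out of the file entirely and reads it from the environment.
WEAK_CONFIG = 'SECRET_KEY = "CHANGE_ME_TO_A_RANDOM_KEY"\n'
HARDENED_CONFIG = 'import os\nSECRET_KEY = os.environ["SUPERSET_SECRET_KEY"]\n'


def extract_secret_key(config_source: str):
    """Return the literal SECRET_KEY assigned in config source, or None.

    None also covers the hardened case where the key is read from the
    environment, which is what we want: nothing in the file to leak.
    """
    tree = ast.parse(config_source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if (isinstance(target, ast.Name) and target.id == "SECRET_KEY"
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)):
                return node.value.value
    return None


def bits_per_char(s: str) -> float:
    """Shannon entropy per character: a crude but useful 'is this random?' test."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_secret_key(key):
    """Return (ok, reason); ok is False for any key an attacker could plausibly guess."""
    if not key:
        return False, "no SECRET_KEY set"
    if key in WEAK_PLACEHOLDER_KEYS:
        return False, "known placeholder or default value"
    if len(key) < MIN_KEY_LENGTH:
        return False, f"shorter than {MIN_KEY_LENGTH} characters"
    if bits_per_char(key) < MIN_BITS_PER_CHAR:
        return False, "low entropy: looks human-chosen or repetitive"
    return True, "ok"


def generate_secret_key() -> str:
    """42 random bytes, base64url-encoded, the same size the Superset docs recommend."""
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        key = extract_secret_key(cfg)
        if key is None:
            print(f"{label}: no literal key in file (fine if it comes from the environment)")
        else:
            print(f"{label}: literal key {key!r} -> {audit_secret_key(key)}")
    print("fresh key to place in SUPERSET_SECRET_KEY:", generate_secret_key())
```

The entropy check is a heuristic, not proof of randomness: it catches repeated or dictionary-like strings but cannot tell a leaked random key from a fresh one, so the placeholder list still has to carry the exact default your version ships. Keeping the key in an environment variable or secrets manager, as the hardened fragment does, also means a copied config file no longer reveals it.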


Also this week

Nahamsec completed a series of interviews about hacking popular cloud platforms. You can find the videos on his YouTube channel.

List of OWASP trainings available in June.