2018-06-13
[1] https://haveibeenpwned.com/PwnedWebsites.
[2] https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/.
Python-based web application
In debug deployments, the framework opens an interactive Python shell in the browser whenever an error occurs
Dev environment exposed unprotected on the Internet
Exception in the dev environment ⇒ Python console ⇒ shell access ⇒ database dumps, etc.
The dev server apparently had access to / connections to the production database
[1] https://en.wikipedia.org/w/index.php?title=Patreon&oldid=843691094.
[2] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/.
[3] https://motherboard.vice.com/en_us/article/xywedn/crowdfunding-site-patreon-gets-hacked.
[4] https://motherboard.vice.com/en_us/article/qkvgj3/the-whole-works-is-in-there-hackers-dump-data-from-patreon-crowdfunding-site.
[5] https://arstechnica.com/information-technology/2015/10/gigabytes-of-user-data-from-hack-of-patreon-donations-site-dumped-online/.
[1] http://aitype.com/about-us/.
[2] http://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/.
[3] https://thehackernews.com/2017/12/keyboard-data-breach.html.
[4] https://mackeepersecurity.com/post/virtual-keyboard-developer-leaked-31-million-of-client-records.
[1] https://www.svakom.net/about_us.
[2] https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/.
[3] https://motherboard.vice.com/en_us/article/53847a/camera-dildo-svakom-siime-eye-hacked-livestream.
Egor Homakov reported the behaviour as a bug via the Rails bug tracker [3]; it was dismissed as “works as designed”
Homakov then used a mass-assignment vulnerability to gain admin access to the Ruby on Rails repository
This drew attention to the bug once more
Was the bug exploited apart from this incident? No idea!¹
¹ Possibly no longer applicable in current Rails
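As an added illustration (not code from the talk or from Rails itself), a plain-Ruby model of the mass-assignment pattern described above: the unsafe assignment writes every key of the request hash, while the hardened one honours a whitelist in the spirit of attr_accessible / strong parameters. The `User` class, its `PERMITTED` list and the `TAMPERED_PARAMS` request hash are constructed for this example.

```ruby
class User
  # Attributes a profile form is allowed to change (example whitelist).
  PERMITTED = %w[name email].freeze
  attr_reader :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  # Vulnerable variant: every key of the request hash becomes an attribute
  # write, which is what update_attributes(params[:user]) did in Rails 3.x
  # when the model declared no attr_accessible whitelist.
  def assign_attributes_unsafe(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened variant: only whitelisted keys are written, everything else is
  # dropped, as attr_accessible / strong parameters do.
  def assign_attributes(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # Keys the request carried that the whitelist rejected. Worth logging:
  # a legitimate form never sends them, so their presence is a signal.
  def self.unpermitted_keys(params)
    params.keys.map(&:to_s) - PERMITTED
  end
end

# Constructed request hash, standing in for params[:user] after a profile
# form was submitted with an extra "admin" field the form never offered.
TAMPERED_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

# With the unsafe assignment the extra field lands on the model.
def unsafe_admin_flag
  User.new.assign_attributes_unsafe(TAMPERED_PARAMS).admin
end

# With the whitelist the admin flag keeps its default.
def hardened_admin_flag
  User.new.assign_attributes(TAMPERED_PARAMS).admin
end
```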
Jens Krafczyk <krafczyk@smartsquare.de> Security mistakes by example 2018-06-13 30 / 49
GitHub/Rails, 2012 (Sources)
[1] https://en.wikipedia.org/w/index.php?title=GitHub&oldid=844530489.
[2] https://en.wikipedia.org/wiki/Ruby_on_Rails.
[3] https://github.com/rails/rails/issues/5228.
[4] https://blog.erratasec.com/2012/03/rubygithub-hack-translated.html.
[5] https://arstechnica.com/information-technology/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby/.
[6] http://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment.
Users saw pages that had been generated for other users (e.g. other languages, other people's account pages, ...)
“As no unauthorized actions were allowed on accounts beyond the viewing of cached page information” [3]
Positive: clear and detailed communication by Valve
[1] https://en.wikipedia.org/w/index.php?title=Valve_Corporation&oldid=844190151.
[2] https://en.wikipedia.org/w/index.php?title=Steam_(software)&oldid=844529491.
[3] https://store.steampowered.com/news/19852/.
[4] https://www.theverge.com/2015/12/25/10665814/valve-steam-holiday-sale-security-problems.
[5] https://www.reddit.com/r/Steam/comments/3y7r0b/do_not_login_to_any_steam_websites/.
“you can’t leave a website exposed nowadays for even a day (or less).” [2]
SQL injections are avoidable (prepared statements with parameter binding)
Web application firewalls do not help if you switch them off
[1] https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/.
[2] https://arstechnica.com/information-technology/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/.
[3] https://www.f-secure.com/en/web/labs_global/fsc-2018-2.
[4] https://www.securityweek.com/critical-vulnerability-symantec-av-engine-can-be-exploited-sending-email.
[5] https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/.
[6] https://docs.microsoft.com/en-us/vsts/articles/security-validation-cicd-pipeline.