CramHacks Chronicles #57: Weekly Cybersecurity Newsletter!
A 15-year-old collected $50K+ in bounties, command-jacking via entry points, Sonatype's 10th Annual State of the Software Supply Chain Report, and more!
Hello! I hope you’re having a great week 🙂.
This week, I’ll be experimenting with a new format. The email version will consist of ultra-short descriptions. For more comprehensive summaries and personal takes, check out the web view!
I was on The Elephant in AppSec Podcast! We discussed open-source software, CISOs having questionable purchase power, getting banned from a cybersecurity subreddit, and more!
Sonatype’s 10th Annual State of the Software Supply Chain Report
Consumption and risk discoveries from analyzing data from over 7M OSS projects.
Key findings:
In 2024, there will be over 6.6 trillion open-source package downloads
Over 512,847 malicious packages have been identified in the past year
80% of application dependencies remain un-upgraded for over a year
95% of these vulnerable versions have safer alternatives readily available
Only 762K of the over seven million open-source packages are actively used
This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands
Checkmarx’s Yehuda Gelb & Elad Rapoport abuse entry points for command-jacking.
Packaging systems offer entry points, a feature that exposes specific functionality of a package as a CLI command. A compromised package can therefore be modified to register entry points that override common CLI commands so they trigger malicious code instead (command-jacking).
👋 This is a very legitimate concern, especially in CI/CD environments, as the blog describes, where commands could be overwritten to leak secrets.
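One defensive check for the entry-point abuse described above, added here as an example and not taken from the Checkmarx write-up: it parses the entry_points.txt file that Python packaging writes into a dist-info directory and flags console_scripts whose command name collides with a well-known tool or with a command another installed distribution already provides. The watch list and the sample metadata are constructed for the example.

```python
"""Flag console_scripts entry points that shadow common CLI commands."""
from __future__ import annotations

import configparser
from importlib.metadata import distributions

# Assumed watch list (not from the article): command names an attacker would
# most plausibly hijack in a developer or CI environment. Extend to taste.
WATCHED_COMMANDS = frozenset({
    "pip", "python", "python3", "git", "aws", "gcloud", "az", "kubectl",
    "docker", "npm", "yarn", "ls", "cat", "curl", "ssh", "sudo",
})

# Constructed sample of a dist-info/entry_points.txt (not a real package).
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
innocuous-tool = innocuous_tool.cli:main
aws = innocuous_tool.hooks:run
pip = innocuous_tool.hooks:run [extras]

[gui_scripts]
innocuous-gui = innocuous_tool.gui:main
"""


def parse_console_scripts(entry_points_txt: str) -> dict[str, str]:
    """Return {command_name: 'module:attr'} from the [console_scripts] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep command names case-sensitive
    cp.read_string(entry_points_txt)
    if not cp.has_section("console_scripts"):
        return {}
    scripts = {}
    for name, target in cp.items("console_scripts"):
        # Drop an optional "[extra]" marker: "pkg.mod:func [extra]".
        scripts[name.strip()] = target.split("[", 1)[0].strip()
    return scripts


def flag_shadowing(scripts: dict[str, str], watched=WATCHED_COMMANDS,
                   provided_by: dict[str, str] | None = None):
    """Return [(name, target, reason)] for entries that look like command-jacking.

    `provided_by` maps command names to the distribution that already owns
    them, so a second package claiming the same name is reported too.
    """
    provided_by = provided_by or {}
    findings = []
    for name, target in scripts.items():
        if name in watched:
            findings.append((name, target, "shadows well-known command"))
        elif name in provided_by:
            findings.append((name, target, f"also provided by {provided_by[name]}"))
    return findings


def scan_installed(watched=WATCHED_COMMANDS):
    """Run the check across every installed distribution's console_scripts."""
    seen: dict[str, str] = {}  # command name -> first distribution claiming it
    findings = []
    for dist in distributions():
        dist_name = dist.metadata["Name"]
        scripts = {ep.name: ep.value for ep in dist.entry_points
                   if ep.group == "console_scripts"}
        for name, target, reason in flag_shadowing(scripts, watched, seen):
            findings.append((dist_name, name, target, reason))
        for name in scripts:
            seen.setdefault(name, dist_name)
    return findings


if __name__ == "__main__":
    for finding in flag_shadowing(parse_console_scripts(SAMPLE_ENTRY_POINTS)):
        print("sample:", finding)
    for finding in scan_installed():
        print("installed:", finding)
```

Running this in a CI image before the build step gives a cheap, dependency-free gate: any console_scripts entry named like a tool the pipeline invokes is worth a manual look, and the duplicate-name check catches two packages fighting over one command even when neither name is on the watch list.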
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
A 15-year-old collected $50K+ in bounties after Zendesk rejected his bug submission.
hackermondev (AKA Daniel) discovered a vulnerability in Zendesk that consisted of sending a spoofed email to a support+id{id}@company.com address handled by Zendesk. Because of the email collaboration feature, you could impersonate the original sender and Cc an email address to add it to the ticket.
The original HackerOne submission was rejected because Zendesk considered email spoofing out of scope. So Daniel chained this vulnerability with known OAuth security risks and accessed corporate Slack workspaces for bounties from affected Zendesk customers 🧠.
👋 You read that right—a 15-year-old. Not only is the finding impressive, but the research summary is, too. Please stay out of jail.
The useful uselessness of SBOMs
Josh Bressers suggests a hug or McRib for those who overwhelmingly hate SBOMs.
👋 I don’t hate SBOMs, but I do hate a lot of the hype surrounding them. If you haven't already, check out the CramHacks blog post: Software Bill of Materials (SBOM): The Gateway Drug to Supply Chain Security!
Bomber: Open Source SBOM Analyzer
Created to scan closed-source SBOMs provided by vendors for security vulnerabilities.
Mozilla: Behind the Scenes: Fixing an In-the-Wild Firefox Exploit
Mozilla shipped a fix for a remote code execution vulnerability within 25 hours.
👋 The article mentions the time to remediate, and it’s impressive, but how? I’m surprised Mozilla isn’t more transparent on this—or maybe they are, and it’s just not referenced.
A Security Review of Gradio 5 - by Trail of Bits
Eight high-severity findings; full public report detailing 27 total findings.
Gradio pre-emptively had their v5.0 release assessed by an independent firm, Trail of Bits, and remediated all findings before the official release 🤯.
👋 You’ve got to respect that. Also, I love open-source software security assessments. Especially those done by world-leading firms. These are fantastic examples of quality reports.
Uncovering Path Traversal Vulnerabilities in Open Source
Nishant Jain & Kartik Sharma discuss path traversal issues found in OSS projects!
👋 This piqued my interest, as I’ve been building infrastructure for scaled security scanning of open-source software in my free time. I am seeing a reasonably good True Positive rate for path traversal vulnerabilities, which are typically very quick to triage.
It helps that Semgrep Pro has taint rules for popular libraries like Flask and FastAPI 🔥.
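To make concrete what those quick-to-triage findings usually look like, here is an added example (not code from the Jain and Sharma post, nor a Semgrep rule): the vulnerable join pattern that taint rules flag, beside a `safe_join` that resolves the request under the served directory and refuses anything that escapes it. The base directory and request strings are constructed for the example.

```python
"""Path traversal: the pattern scanners flag, and a hardened replacement."""
from __future__ import annotations

import os
from pathlib import Path


def unsafe_path(base_dir: str, requested: str) -> str:
    """Vulnerable form: user input joined straight onto the base directory.

    os.path.join discards base_dir entirely when `requested` is absolute,
    and '..' segments walk out of it; normpath does not prevent either.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def escapes_base(base_dir: str, requested: str) -> bool:
    """True when the vulnerable join would land outside base_dir."""
    target = Path(unsafe_path(base_dir, requested))
    base = Path(base_dir)
    return target != base and base not in target.parents


def safe_join(base_dir: str, requested: str) -> Path:
    """Resolve `requested` under `base_dir`, rejecting anything that escapes it.

    Refuses absolute paths and NUL bytes up front, then resolves the
    candidate (following symlinks) and checks it is the base directory
    itself or one of its descendants.
    """
    if os.path.isabs(requested) or "\x00" in requested:
        raise ValueError("absolute paths and NUL bytes are not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def classify(base_dir: str, requests: list[str]) -> dict[str, str]:
    """Map each requested path to 'ok' or 'rejected' under safe_join."""
    verdicts = {}
    for req in requests:
        try:
            safe_join(base_dir, req)
            verdicts[req] = "ok"
        except ValueError:
            verdicts[req] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed requests against a constructed base directory.
    base = "/srv/files"
    for req in ["docs/readme.txt", "../../etc/passwd", "/etc/passwd", "docs/../../secret"]:
        print(f"{req!r}: vulnerable join -> {unsafe_path(base, req)}"
              f" (escapes: {escapes_base(base, req)}), safe_join -> {classify(base, [req])[req]}")
```

The containment check is done on the resolved path rather than on the string, which is what makes it hold up against `..` sequences hidden behind an innocent-looking prefix (`docs/../../secret`) and against symlinks inside the served tree; a prefix comparison on the raw string would miss both.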
curl bug-bounty stats
Reported bugs have paid out a total of $84,260 for 69 confirmed vulnerabilities.
Daniel Stenberg shares how the curl project, once uncertain about bug payouts, now partners with the Internet Bug Bounty (IBB) and instead generates revenue by receiving a cut.
👋 The IBB is a crowdfunded bug bounty program hosted by HackerOne. It currently sponsors twenty-one open-source projects, and payouts have exceeded $120K for 2024 thus far.
Canonical Releases Ubuntu 24.10 Oracular Oriole
Includes OpenVEX and OSV formats for vulnerability reporting by default!
EPSS Scores in the GitHub Advisory Database
GitHub Security Advisories now include EPSS scores on the advisory details page.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.