CramHacks Chronicles #57: Weekly Cybersecurity Newsletter!

I was on The Elephant in AppSec Podcast! We discussed open-source software, CISOs having questionable purchase power, getting banned from a cybersecurity subreddit, and more!

Key findings:

• In 2024, there will be over 6.6 trillion open-source package downloads

• Over 512,847 malicious packages have been identified in the past year

• 80% of application dependencies remain un-upgraded for over a year

• 95% of these vulnerable versions have safer alternatives readily available

• Only 762K of the over seven million open-source packages are actively used

Packaging systems offer entry points, a feature enabling specific functionality of a package to function as a cli command. Therefore, a compromised package could be modified to alter common cli commands to trigger malicious code (command-jacking) instead.

👋 This is a very legitimate concern. Especially in the case of CI/CD environments, as the blog describes, where commands could be overwritten to leak secrets.

hackermondev (AKA Daniel) discovered a vulnerability in Zendesk, which consisted of sending a spoofed email to an support+id{id}@company.com email handled by Zendesk. Because of the email collaboration feature, you could impersonate the original sender and Cc an email address to add to the ticket.

The original HackerOne submission was rejected because Zendesk considered email spoofing out of scope. So Daniel chained this vulnerability with known security risks with OAuth and accessed corporate slack servers for bounties from affected Zendesk users 🧠.

👋 You read that right—a 15-year-old. Not only is the finding impressive, but the research summary is, too. Please stay out of jail.

👋 I don’t hate SBOMs, but I do hate a lot of the hype surrounding them. If you haven't already, check out the CramHacks blog post: Software Bill of Materials (SBOM): The Gateway Drug to Supply Chain Security!

👋 The article mentions the time to remediate, and it’s impressive, but how? I’m surprised Mozilla isn’t more transparent on this—or maybe they are, and it’s just not referenced.

Gradio pre-emptively had their v5.0 release assessed by an independent firm, Trail of Bits, and remediated all findings before the official release 🤯.

👋 You’ve got to respect that. Also, I love open-source software security assessments. Especially those done by world-leading firms. These are fantastic examples of quality reports.

👋 This piqued my interest, as I’ve been building infrastructure for scaled security scanning of open-source software in my free time. I am seeing a reasonably good True Positive rate for path traversal vulnerabilities, which are typically very quick to triage.

It helps that Semgrep Pro has taint rules for popular libraries like Flask and FastAPI 🔥.

Daniel Stenberg shares how the curl project, once uncertain about bug payouts, now partners with the Internet Bug Bounty (IBB) and instead generates revenue by receiving a cut.

👋 The IBB is a crowdfunded bug bounty program hosted by HackerOne. It currently sponsors twenty-one open-source projects, and payouts have exceeded $120K for 2024 thus far.