Issue #1 - AppSec Weekly 🛡️

Your go-to source for the latest in application security trends, tools, and insights!

AppSec Weekly

A critical flaw in Google's "Sign in with Google" authentication allows attackers to hijack accounts by acquiring defunct domains and recreating former employees' email addresses. This vulnerability exposes services like Slack, Zoom, and HR systems to unauthorized access, potentially compromising sensitive data. Despite initial reports, Google classified the issue as "Won't fix," but later re-engaged and is working on a solution. Until a fix is implemented, millions of accounts remain at risk.

A new attack called DoubleClickjacking exploits a timing flaw between clicks to hijack user actions, bypassing traditional security measures like X-Frame-Options and CSP. By tricking users into double-clicking, attackers can authorize malicious applications, take over OAuth sessions, and manipulate account settings. Major platforms, including OAuth-based services, are vulnerable, making this a widespread security risk. While JavaScript-based mitigations can help, long-term browser solutions are needed to prevent such UI manipulation attacks.
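One form the JavaScript-based mitigation mentioned above can take, as an added example that is not code from the original write-up or from any affected platform: a sensitive button (authorize, grant, confirm) starts disabled and is only armed after the page itself observes a separate user gesture such as a mouse move or key press, plus a short settling delay. The two clicks of a pre-timed double-click deliver no such gesture to the page in between, so the second click lands on a button that will not act. The gating logic is written as a pure state machine so it runs and is testable outside a browser; the `#authorize` button id, the 500 ms delay and the `protectButton` wiring are assumptions for the illustration, not values from the item.

```javascript
// Added example (not from the newsletter item or any platform's code):
// arm a sensitive action only after a genuine user gesture has been seen.
// The guard is a pure object so it can be exercised without a DOM.

function createClickGuard({ minDelayMs = 500 } = {}) {
  // minDelayMs is an assumed settling time between the gesture and the click.
  let armed = false;
  let armedAt = 0;
  return {
    // Called on "mousemove" / "keydown": a real user is interacting with this
    // page. A repeated gesture re-stamps the time, which only delays acting.
    arm(now) { armed = true; armedAt = now; },
    // Called on "click": act only if the page was armed, and armed long enough
    // ago that this cannot be the second half of a pre-timed double-click.
    shouldAct(now) {
      if (!armed) return false;
      return now - armedAt >= minDelayMs;
    },
    isArmed() { return armed; },
  };
}

// Browser wiring: keep the button disabled until the guard is armed, and veto
// any click the guard does not accept. Skipped automatically under Node.
function protectButton(button, guard, onAuthorize) {
  button.disabled = true;
  const arm = () => {
    guard.arm(Date.now());
    button.disabled = false;
  };
  document.addEventListener('mousemove', arm, { once: true });
  document.addEventListener('keydown', arm, { once: true });
  button.addEventListener('click', (ev) => {
    if (!guard.shouldAct(Date.now())) {
      ev.preventDefault(); // too early or no gesture: ignore this click
      return;
    }
    onAuthorize();
  });
}

if (typeof document !== 'undefined') {
  const btn = document.querySelector('#authorize'); // hypothetical button id
  if (btn) protectButton(btn, createClickGuard(), () => console.log('authorized'));
}
```

The gesture requirement is the core of the defense; the delay is a second, cheaper layer that also blunts variants where the attacker can synthesize a gesture just before the click. Neither replaces a browser-level fix, which is the point the item makes.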

A Snyk security researcher published malicious NPM packages named "cursor-retrieval," "cursor-always-local," and "cursor-shadow-workspace," targeting AI code editor company Cursor.com. These packages collected system data, including environment variables, and sent it to an attacker-controlled server. The packages have since been removed, and Snyk stated the research was not intended to be malicious.

Exploiting vulnerabilities on an untouched (i.e., non-rooted and unmodified) Android device typically involves targeting weaknesses in client-side application logic. In the case of the McDonald's app, the vulnerability stemmed from the app assigning coupons on the client side after receiving validation from the server. This design flaw allowed attackers to intercept and manipulate the communication between the app and the server using tools like proxy servers. By altering the data packets during this exchange, attackers could assign unauthorized coupons or modify order details without needing to root the device or alter its system integrity.
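The design flaw described above, modelled two ways as an added example (this is illustrative code, not the McDonald's app or its backend): in the vulnerable shape the server only answers whether a coupon is valid and the client then decides which discount and total to apply, so anything rewritten on the wire is honoured; in the hardened shape the server owns the menu, the coupon catalogue and each user's entitlements, computes the total itself, consumes the coupon on redemption, and ignores any price or discount fields the client sends. All menu prices, coupon codes and user ids are constructed for the example.

```javascript
// Added example (not the McDonald's app's code): client-side coupon
// assignment beside a server-side redemption that does not trust the client.
// All data below is constructed for illustration.

const MENU = { fries: 299, burger: 599 };                 // prices in cents
const COUPONS = { FREEFRIES: { itemId: 'fries', percentOff: 100 } };
const ENTITLEMENTS = { 'user-1': new Set(['FREEFRIES']) }; // user -> codes

// --- Vulnerable shape: server validates, client applies -------------------

function serverValidateCoupon(userId, code) {
  // Only a yes/no travels back; the client decides what to do with it.
  return { valid: Boolean(ENTITLEMENTS[userId]?.has(code)) };
}

function clientApplyCoupon(order, validation) {
  // The client trusts its own order (including the discount amount) and the
  // validation response; a proxy can rewrite either before this code runs.
  if (validation.valid) order.total -= order.discount;
  return order;
}

// --- Hardened shape: server owns pricing and entitlement --------------------

function serverPriceOrder(userId, order) {
  // Recompute the total from the server-side menu; client totals are ignored.
  let total = 0;
  for (const itemId of order.items) {
    if (!(itemId in MENU)) throw new Error(`unknown item: ${itemId}`);
    total += MENU[itemId];
  }
  if (order.couponCode !== undefined) {
    const coupon = COUPONS[order.couponCode];
    const allowed = ENTITLEMENTS[userId]?.has(order.couponCode);
    if (!coupon || !allowed) throw new Error('coupon not available to this user');
    if (!order.items.includes(coupon.itemId)) throw new Error('coupon item not in order');
    total -= Math.round((MENU[coupon.itemId] * coupon.percentOff) / 100);
  }
  return total;
}

function serverRedeemOrder(userId, order) {
  // Price first (throws on any problem), then consume the coupon so the same
  // entitlement cannot be replayed against a second order.
  const total = serverPriceOrder(userId, order);
  if (order.couponCode !== undefined) ENTITLEMENTS[userId].delete(order.couponCode);
  return total;
}

// Demonstration: a tampered response and a tampered client-side discount.
function demo() {
  const tampered = clientApplyCoupon(
    { items: ['burger'], total: 599, discount: 599 },
    { valid: true } // proxy rewrote {valid:false} into {valid:true}
  );
  const honest = serverPriceOrder('user-1', { items: ['fries', 'burger'], couponCode: 'FREEFRIES' });
  return { vulnerableTotal: tampered.total, hardenedTotal: honest };
}
```

The server never needs the client's `total` or `discount` at all: if those fields arrive, they are simply not read, which is the simplest way to make proxy tampering inert.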

🛠️ Code & Tools

PostgreSQL Anonymizer is a database extension that masks sensitive data in Postgres databases. It offers 5 masking methods and various masking functions, enabling secure data anonymization directly within PostgreSQL for compliance and testing.

The HardBreak Wiki is a collaborative platform for hardware hacking knowledge. It covers essential tools, methodologies, and protocols for hardware hacking, including UART, JTAG, and RFID.

And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks. For feedback, hugs, bugs or chats drop an email to [email protected]