IT Security

❗️Disclosure: I work at Pitch since December 2021. This write-up aggregates public knowledge previously shared by third parties (e.g., security firms, infosec community, etc.) or us. I hope this can be helpful for younger security teams that need to understand how to identify and mitigate phishing abuses for the first time. Threat model When you work in the startup ecosystem long enough, you learn that company cybersecurity risks are not only related to IT failures or the OWASP Top 10 but also to reputation. It doesn’t matter if your infrastructure is solid and redundant, if your engineers follow best practices, if you have real-time monitors and alerts in place, or if you implement other good practices: if stakeholders don’t trust your security standards, you are not secure in their eyes. This is why startups and companies invest money and time into security certifications like ISO 27001 or SOC 2 Type 2 (though this is a controversial topic, and I have strong opinions on it, I won’t delve into that now). ...

❗️Disclosure: I worked at Smallpdf from January to November 2021. In that period, Smallpdf used PDFTron WebViewer SDK (now Apryse PDF WebViewer) to render PDF files in the browser. This information was public. Interview and first XSS in PDFTron WebViewer In October 2020, I started my job interview with Smallpdf for a Cloud Security Engineer position. During the interview process, I began to use Smallpdf as a service to “play” with it, and being a web application that renders PDF files, I tried to exploit PDF files to inject arbitrary Javascript code. ...

During last spring (2019) I started to “open and read” the Android applications before installing them. Reversing an APK file can be interesting to understand how an app works, how it manages the permissions and my data, if there are vulnerabilities. I was looking for a different Android mail client, so I started to reverse them and I found many mail clients on Play Store were - maybe are - vulnerable to Javascript injection. I found eight important apps vulnerable to cross-site scripting: Newton Mail 10.0.23, Nine Email 4.5.3a, Blue Mail 1.9.5.36, Edison Email 1.7.1, Email TypeApp 1.9.5.35 and Spark 2.0.2 + two apps I can’t disclose now. In April and May 2019 I wrote to vendors of these apps, but only someone replied to me. ...

Info Vendor: D-Link Italia Product: Router DVA-5592 Firmware: DVA-5592_A1_WI_20180823 CVE: 2018-17777 Shodan: ADB Broadband HTTP Server" title:“D-Link” Description In the router D-Link DVA-5592 it is possible to bypass the web authentication form. The problem is the path /ui/cbpc/login, because it is accessible without authentication. If the router’s owner has not changed the Parental Control PIN, it is possible to access to the Parental Control area, by using the default PIN code. Now, by editing the path of the cookie sid, the login form can be bypassed. ...

A few days ago some researchers discovered an HTML Injection vulnerability in Signal Desktop and they wrote a public disclosure. The Signal team quickly released an update on May 11th, the problem was in the file /js/views/message_view.js. Reading the changes to message_view.js, it seemed that the Signal team had only fixed the “problem of the URL". So, maybe, I could still inject HTML code somehow. In Signal Desktop there are not many features, so I have tried to write me a basic message: <b>PROVA</b>. Obviously nothing happened. So I have tried to use the feature Reply to message, and BINGO! My original message <b>PROVA</b> has become PROVA. So, it was still possible to inject HTML code in Signal Desktop. I have tried to run javascript code, but it was blocked from the Content Security Policy, like in the first report. To run javascript code in the victim’s Signal Dekstop, first the victim must download a malicious HTML / js file, then the attacker can run it with the src attribute. Obviously the attacker must know the file path on the victim’s computer. Another interesting attack, without javascript, is to use ping attribute to find the IP address of the victim (thanks to Fabrizio Carimati (@clodo76) for this idea). ...