Australia has released a new app to help fighting off Covid-19. Even before this app was released it sparked lots of discussions and now many people, myself included, are reverse engineering the app and trying to understand its shortcomings and risks.
It has been a few months since I last investigated a phishing attack. So I got this on my LinkedIn.
I thought it would be fun to do investigate that phishing attack. Here is what I did:
Update: CVE created CVE-2018-1000850. For some reason, the wording on the CVE is quite confusing. That is not what I submitted. Hope they fix it soon.
Retrofit is a type-safe HTTP client for Android and Java developed by Square, Inc. It is a very popular library with over 30k starts in Github and more than 120 contributors.
I found a path traversal vulnerability when using encoded=true on @Path parameters. Below is an unit test reproducing the issue. This test was added on RequestFactoryTest class (it is not upstream though).
Last week, I had the opportunity to attend the awesome AppSecDay. It was such an incredible event where I could present a little of what I know about AppSec and watch many other great talks too. I was so glad to see developers with different levels of security expertise to showing up to improve their security skills. Great shout out to all AppSec organisers!
It was a very inspiring event that made me reflect on many things regarding AppSec and security in general. I didn’t know what kinda of public would attend AppSecDay. In my mind it would be an event attended mostly by security professionals. I was very surprised to see that around 60% in the audience were developers like me!
There were some great talks at the event and I managed to watch a few of them. All of them were recorded, I believe, and will be made available at some point. In this blogspot I want to talk what AppSecDay (and the great talks I’ve watched) made me reflect upon.
A friend of mine has received this message recently:
It was obviously phishing. This friend never had a Suncorp account and the domain name is not even similar to the actual domain. Also, part of the URL contained the phone number (which is redacted on the print) and no bank would ever do that! Most people would discard a message like that. Well, I got interested to understand how this phishing attack work so I started to investigate!
Update: CVE created CVE-2018-1000632
dom4j is a well known java library to process and generate XML files.
In version 2.1.1 they fixed an issue regarding a XML injection on element and attribute names.