VayFul Security Issue - July 26 2024
VayFul Security - July 26 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Critical Authorization Bypass in Docker Engine AuthZ Plugins (CVE-2024-41110) - Moby's security advisory (GHSA-v23v-6jw2-98fq) describes a critical flaw in how Docker Engine hands API requests to authorization (AuthZ) plugins: a request sent with Content-Length set to 0 is forwarded to the plugin without its body, so the plugin may approve a request it would otherwise deny, and the daemon then carries it out. The result is unauthorized actions up to privilege escalation. Only deployments that rely on an AuthZ plugin are affected, but several Docker Engine release lines are in scope, so check your version against the patched releases listed in the advisory. #auth-bypass #docker #devops
Okta Browser Plugin Vulnerable to XSS (CVE-2024-0981) - Okta has issued a security advisory for a cross-site scripting vulnerability (CVE-2024-0981) in its browser plugin. A successful attack lets malicious script run in the user's browser session, putting stored credentials and account data at risk; update the plugin to the fixed version. #okta #sso #xss
Phishing Repos on GitHub: Unmasking the Stargazers Ghost Network - Check Point Research describes a network of malicious GitHub accounts, dubbed the "Stargazers Ghost Network", that distributes phishing links and malware archives through fake repositories. Other accounts in the network star and fork those repositories so they look popular and legitimate, which raises their visibility and lowers victims' guard. #phishing #github #repos
Popular AI Framework LangChain Exposed to SSRF and Prompt Injection Vulnerabilities - A blog post by Palo Alto Networks' Unit 42 details two vulnerabilities discovered in LangChain, the popular open-source framework for building LLM applications: a server-side request forgery and a prompt injection issue. Unit 42 reported them to the LangChain development team, who have since released patches. #AI #framework #ssrf #injection
Is Google reCAPTCHA v2 Exploiting Users for Profit? Researchers Say Yes - The research argues that users solving reCAPTCHA v2 image challenges are unknowingly providing Google with free image-labeling work. The authors describe this as "labor exploitation" and estimate that it is worth billions of dollars to Google in potential advertising and data value. #recaptcha #labor #exploitation
🔥 INTERESTING WRITEUPS
View private repository NWO of deploy key via internal LFS API - [$4,000 bounty]
LLM01: Invisible Prompt Injection - [$2,500 bounty]
📝 BLOGS & ARTICLES
AI Missteps Could Unravel Global Security: A Stark Warning from IEEE Spectrum - An IEEE Spectrum article warns that mistakes in how AI systems are designed and deployed could pose serious threats to global security. It walks through specific areas of concern, including biased algorithms and autonomous weapons. #AI #security #threats
Unquoted service paths: The new frontier in script kiddie security vulnerability reports - In this Microsoft Developer Blog post, Aaron Margosis revisits "unquoted service paths": a service whose binary path contains spaces and is not quoted, so Windows may try shorter prefixes of the path first (for example C:\Program.exe before C:\Program Files\Foo Bar\svc.exe). Margosis argues that such findings, while technically accurate, are only exploitable when a low-privilege user can create files in one of those directories, which is not the case for the default-protected locations like Program Files, so most scanner reports raise unnecessary alarms. #unquoted #path #permission #vulnerability
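The check Margosis's argument implies, as an added example that is not code from his post: list services with unquoted, space-containing binary paths, then actually test whether the current user can create a file in each directory Windows would search along the ambiguous prefixes. Only services where a write succeeds are a real finding. Run it as the low-privilege account you are assessing; the probe filenames are an assumption of this example and are removed immediately after creation.

```powershell
# Added example, not from the blog post. Reports only unquoted service paths
# where the current user can really plant a file in an ambiguous directory.
function Get-UnquotedServicePathFindings {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }   # quoted or empty: fine

        # Keep only the binary, dropping any arguments after ".exe" (case-insensitive).
        $exe = ($path -split '(?i)\.exe', 2)[0] + '.exe'
        if ($exe -notmatch ' ') { continue }                      # no space: unambiguous

        # For "C:\Program Files\Foo Bar\svc.exe" Windows may try
        # "C:\Program.exe", "C:\Program Files\Foo.exe", ... before the real binary.
        # The attacker needs write access to the directory holding each candidate.
        $parts = $exe -split ' '
        $writable = @()
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $candidate = $parts[0..($i - 1)] -join ' '
            $dir = Split-Path -Path $candidate -Parent
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }

            # Probe by creating and deleting a uniquely named empty file (assumed name scheme).
            $probe = Join-Path $dir ("uqsp-probe-{0}.tmp" -f [guid]::NewGuid())
            try {
                [IO.File]::WriteAllText($probe, '')
                Remove-Item -LiteralPath $probe -Force
                $writable += $dir
            } catch {
                # Access denied: this prefix is not exploitable by the current user.
            }
        }

        if ($writable.Count -gt 0) {
            $findings += [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                BinaryPath   = $exe
                WritableDirs = ($writable | Select-Object -Unique) -join '; '
            }
        }
    }
    return $findings
}

# Usage: an empty result means the unquoted paths on this host are not exploitable
# by the account running the script, which is Margosis's point.
Get-UnquotedServicePathFindings | Format-Table -AutoSize
```

A finding here still needs the service to run as a more privileged account than the one doing the writing, and the service to be restartable (or the host rebootable) by the attacker, before it turns into a privilege escalation.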
Hacking Moodle Apps Via External Functions - An article by Dub Flow on attacking Moodle apps through their external functions. The author walks through the technical details of the issue and offers mitigation strategies; users and administrators are advised to apply the available updates. #application #security #exploit
Your Deleted GitHub Data Might Not Be So Deleted - Anyone Can Access Deleted and Private Repo Data - A blog post by Truffle Security highlights a design property of GitHub's repository network: any commit ever pushed to a fork remains reachable through the parent repository's URL by its commit hash, even after the fork (or a private repository in the network) has been deleted. The practical consequence is that a secret committed to a fork, or to a private copy that was later made public, must be rotated; deleting the repository does not remove it. #github #forks #exposes #private #repo #data
Visual explanation of SAML authentication - This blog post from Sheshbabu gives a clear, visual explanation of Security Assertion Markup Language (SAML) authentication. Often considered a complex subject, the flow between user, service provider and identity provider is broken down with step-by-step diagrams. #SAML #authentication
🛠️TOOLS
Duffman - Fuzzer for Postman collections. #API #collection #fuzzing
Dtui - Small TUI for introspecting the state of the system/session D-Bus. #session #introspection
Pwnat - Pwnat is a tool that lets clients behind a NAT reach a server behind a separate NAT by exploiting a property of NAT translation tables, with no third party, port forwarding, DMZ, DNS, router admin rights, STUN/TURN/UPnP/ICE, or spoofing required. #NAT #proxy
Certiception - Certiception is a honeypot for Active Directory Certificate Services (ADCS), designed to trap attackers with a realistic and attractive bait (a deliberately vulnerable-looking certificate template) that triggers highly relevant alerts when it is abused. #honeypot #ADCS
🧠 TUTORIALS & SKILL-BUILDING
Creating an AI Coding Assistant - Video tutorial on building an AI coding assistant, with the finished product in the companion repository (coding-assistant). Host your own local instance and plug in your own GitHub/OpenAI API keys. #AI #coding
Crash Course in Deep Learning (for Computer Graphics) - The article explains deep learning fundamentals, including neural networks, layers, and activation functions, in a way that is accessible to beginners. #deep #learning #neural #network #course
Webcast: macOS Security: Rising Threat from State-Backed APTs - This webcast covers state-sponsored APT threats to macOS, with case studies of the SpectralBlur and SwiftBucket backdoors and the tactics used by state-sponsored actors, particularly DPRK ones. #macos #threats #APT
Blockchain Security Series 10: Adrian Ludwig (CISO @ Tools for Humanity) - Adrian Ludwig, CISO at Tools for Humanity, begins with an overview of WorldCoin and its mission to improve trust and expand access to the global economy through blockchain technology. He then discusses WorldCoin's security framework, the challenges posed by decentralization, and the critical role of incident response. #blockchain #security
🎁 MISCELLANEOUS
AI Security challenge - Prompt Airlines, an AI security CTF: a series of challenges in which you talk an airline's AI assistant into giving you a free flight. #AI #security #CTF
Flowtoken - A UI library designed to improve the visual presentation of streaming LLM output. #LLM #text #streaming
Unveiling the Mysteries of Machine Learning - Can a machine learn mathematical structure? - Machine learning techniques applied to mathematical problems. The blog provides a foundational understanding of key concepts, including algorithms, training data, and applications of ML. #ML #mathematical #problems
AI models collapse when trained on recursively generated data - Shumailov et al. show that when models are trained on data generated by earlier generations of models, they progressively lose the tails of the original data distribution and their performance degrades, an effect they call model collapse. The finding underlines the importance of diverse, human-generated training data for building robust models. #AI #model #limitation
🎯 QUOTE OF THE DAY
“Winning isn’t everything, but wanting to win is.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team