Recently, we spent some time looking at the support for IPsec VPNs in iOS. In particular, we were interested in whether a malicious VPN app could, in some way, attack the OS itself.
Last year Apple launched Sign in with Apple, which allows you to sign in to services using your Apple ID. We identified a critical vulnerability in this service, which allowed an attacker to obtain authentication tokens which could be used to access a user's iCloud account.
During a short review of the Jenkins source code, we found a vulnerability that can be used to bypass the mutual authentication when using the JNLP3 remoting protocol. In particular, this allows anyone to impersonate a client and thereby gain access to the information and functionality that should only be available to that client.
DNS rebinding is a common attack technique against local applications, used to bypass the same-origin policy. The use of HTTPS has always been considered to be an effective mitigation against this attack. In this post we describe a new technique that enables the DNS rebinding attack against an HTTPS target.
The `SecureRandomFactoryBean` class in Spring Security by Pivotal has a vulnerability in certain versions that could lead to the generation of predictable random values when a custom seed is supplied. This vulnerability could lead to predictable keys or tokens in applications that depend on cryptographically-secure randomness. Applications that use this class may need to evaluate if any predictable tokens were generated that should be revoked.
During a code review of XenServer, we found and exploited a vulnerability in the XAPI management service that allows an attacker to bypass authentication and remotely perform arbitrary XAPI calls with administrative privileges.