This Week in Security: XcodeSpy, Insecure SMS, and Partial Redactions

There seems to be a new trend in malware, targeting developers and their development and build processes. The appeal is obvious: rather than working to build and market a malicious application, an attacker just needs to infect a development machine. The hapless infected developers can now do the hard work to spread the malicious payload.

The newest example is XcodeSpy, discovered by a researcher who chose to remain anonymous. It works by using the Xcode IDE’s Run Script function to, well, run a script that completely backdoors your computer. The instance was found in a repackaged open source project, TabBarInteraction, but they’re just innocent victims. It was simple enough for someone to insert a script in the build process, and distribute the new, doped package. It’s probably not the only one out there, so watch out for Run Scripts with obfuscated payloads.

Drupal Module Security

Drupal is much like WordPress, in that the core project has very few serious vulnerabilities, but very serious problems are often found in the library of available extensions. Case in point, the Fast Autocomplete module has a “moderately critical” vulnerability. There are two interesting points here. The first is the problem itself, which is a data exposure issue. This extension provides a search bar experience that shows suggested auto-completions, and provides snippets associated with that auto completion. By default, those search results are limited to what an anonymous user can access on the site. The extension also provides the option to search private content, using the permissions available to the user accessing the site. The problem is that the extension caches all those results, and doesn’t properly segregate the results in the cache. So, once a privileged user has searched for something private, any user can repeat the search and access the snippets, even though that information is on a non-accessible page.

Drupal does something interesting, called their Security Advisory Policy. To put it in a nutshell, the Drupal team selects a handful of extensions that are widely used, and provide limited security support for those projects. This seems primarily mean coordinating vulnerability announcements.

Cell Number Dangers

You know how almost every online service wants to know you cell number? One of the reasons is that receiving a text message is one of the most popular second factor of authentication, not to mention account recovery mechanisms. While this is popular, it’s a horrible idea. There have been multiple attacks against SMS that easily lead to account takeover through this recovery procedure. An attacker can call your mobile provider and request a new SIM card for your number, known as a SIM swap attack. They can spoof your identity to the SS7 network, leading to SMS and voice call spying. And don’t forget the ever popular number migration fraud, where an attacker claims to be you, moving your number to a new provider.

It turns out, there’s an even easier way to intercept SMS messages. [Lucky225] has been intrigued by SMS fraud for years, and brings us his work on SMS Routing. NetNumber ID is a routing service intended for VoIP and business users to handle text messages, even though they aren’t using a traditional SMS device. There is a distinct lack of oversight over this process, and until recently, it was possible to hijack any cell number’s SMS routing through a simple request. Vice has a rather nice example of [Lucky225] demonstrating the attack, using $16 and a fake Letter of Authorization.

Zoom Showing Too Much

Oversharing on Zoom is one of the fun, cringey, and sometimes disturbing collective memories we have of 2020. From roommates walking into the shot, to meetings sans pants, it was a crazy time. There’s another way to overshare, at least when you’re sharing a video feed of your desktop or an open application. It’s common sense not to leave anything sensitive open on your machine when you’re sharing your desktop view. However, a pair of researchers from SySS discovered that even when sharing only an application, other application windows may briefly appear in the video feed.

When a different application is drawn on top of the one captured by Zoom, a few frames of the sent video may contain the image of that application. If the call is recorded by one of the other parties, they can pull the frame and see exactly is unintentionally visible. Now this is usually going to be as mundane as seeing what browser tabs are open, or getting a look at notes for the call. From a password manager, to personal information, there are certainly ways this bug could end very badly.

Partial Redaction

Mostly Redacted RSA KeySpeaking of unintentional data exposure, I came across a fun story about a partially redacted RSA key that was posted online. As our lot are wont to do, a few crypto geeks set about trying to figure out the whole key from the partial screenshot. Within three hours, they had deduced the full key. The write-up states that the hardest and most time consuming element was converting the screenshot back into text.

There have been many stories over the years about redaction failures.  Redacted PDFs can sometimes be read through simple copy and paste. In some images, you can figure out text based on a single row of pixels visible above and below the deleted text. And finally, the simple blurring tools from photo editing suites are reversible, leading to easily recovered text. All this to say, doing redaction properly can be very difficult, and as the writeup concludes, “if you find something private, keep it that way.”