Monthly Archives: November 2017

Root user vulnerability in macOS High Sierra

It has been discovered that you can get root permissions on a macOS system running High Sierra without any password. To test, click the padlock in any System Preferences pane, enter root as the username, leave the password blank and click Unlock (or whatever the confirmation button is called) twice: the first attempt silently enables the root account with an empty password, and the second attempt logs you in with it, so you now have root privileges.

This is about as bad as it gets, but note that the attacker needs physical access to the machine, or access to a remote login service such as Screen Sharing or Remote Management if one is enabled and reachable, since those go through the same authentication. Until Apple ships a patch, the easiest way to secure the system is to set a non-empty root password as described here: https://support.apple.com/en-us/HT204012 and to leave the account enabled with that password rather than disabling it again, since the bug is precisely that a root account without a password gets enabled on the first blank-password attempt.

Unfortunately it looks like the vulnerability was disclosed publicly without notifying Apple first and waiting for a patch.

Imgur hacked

Imgur was apparently breached in 2014, and this came to light only a few days ago. 1.7 million email addresses and passwords were leaked. The passwords were hashed (not encrypted) with SHA-256, which is a fast, unsalted hash in this context: a commodity GPU tries billions of SHA-256 candidates per second, and users who share a password share a hash, so one lookup table cracks the whole dump. (Imgur has used bcrypt since 2016, though.)
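To make the SHA-256 versus bcrypt point concrete, here is an added example in Python (not from the article, and not Imgur's code): a constructed three-user dump stored as unsalted SHA-256 is cracked with a single lookup table built from a small constructed wordlist, and the same passwords are then stored with a per-user salt and a slow KDF. PBKDF2-HMAC from the standard library stands in for bcrypt, which needs a third-party package; the properties shown (per-user salt, tunable cost) are the ones bcrypt gives you.

```python
import hashlib
import hmac
import os

# Constructed sample "leak": unsalted SHA-256 of each user's password, the way
# the 2014 Imgur data was stored. Two users happen to share a password.
LEAKED_SHA256 = {
    "alice@example.com": hashlib.sha256(b"sunshine1").hexdigest(),
    "bob@example.com":   hashlib.sha256(b"sunshine1").hexdigest(),
    "carol@example.com": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed wordlist standing in for a real dictionary (rockyou.txt and friends).
WORDLIST = ["password", "123456", "sunshine1", "letmein", "qwerty"]


def crack_unsalted(leaked, wordlist):
    """Hash every candidate once, then look every leaked hash up in the table.

    Because there is no salt, one table serves the whole dump, and every user
    with the same password falls at the same time.
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# PBKDF2-HMAC-SHA256 is used here as the slow, salted stand-in for bcrypt.
def make_record(password, iterations=200_000, salt=None):
    """Return (salt, iterations, digest); a fresh 16-byte salt per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_record(password, record):
    """Recompute with the stored salt and cost; constant-time compare."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_SHA256, WORDLIST))
    a = make_record("sunshine1")
    b = make_record("sunshine1")
    print("salted records differ:", a[2] != b[2])
    print("verify good/bad:", verify_record("sunshine1", a), verify_record("sunshine2", a))
```

Alice and Bob share a hash, so cracking one cracks both; with a salt each record is distinct, and every guess costs 200,000 iterations instead of one SHA-256 call, which is the whole point of bcrypt-style storage.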

From the article:

Although in an ideal world Imgur would never have been hacked in the first place, I believe that the company should be commended on two counts.

Firstly, Imgur didn’t ask users when they created accounts to enter any extraneous unnecessary information – such as real names, dates of birth, addresses, or phone numbers that could have made this breach much more damaging to its victims. There’s a great deal to be said for companies limiting the amount of information that they ask from their users – the less they store about you, the less they can lose.

One of the key requirements of the GDPR is data minimisation: collect only the personal data needed for the purpose at hand. It will always be hard to keep a user store from being pwned, but holding the least possible amount of data in it definitely limits the damage when it happens.

The curse of knowledge

I came upon an article titled Are You Suffering From the Curse of Knowledge? recently in a reddit thread.

Another famous example is that of an extremely successful salesman for IBM who was asked by an interviewer why he was so good at sales, to which he responded, “It’s because I stopped coughing!”

A couple of experts in sales were so confounded by his answer that they decided to examine him more closely. After a while they found that he was actually doing a lot of things really well—he was using a ton of sales tactics brilliantly, he just wasn’t aware of it. He was naturally talented at sales.

The moral of this little story is that the IBM sales guy falsely attributed the reasons for why he was so successful.

The secrets of success from the top scorers in an exam might actually not be the secret sauce that led them to those results. Sometimes it’s not obvious, even to the person in question, why someone is doing really well.

How can you tell the type of a void pointer?

TLDR: You can’t

There’s a writeup on a newly found vulnerability in Adobe Acrobat Reader that comes down to code assuming it knew what a void pointer pointed at:

We all know that void pointers are by definition typeless, may point to any object, and any object may be cast to it. But surely, after we’ve cast an object pointer to a void pointer, it’s still possible somehow to detect its origin type, right? Not quite.

Once an object is cast to a void pointer, it’s absolutely impossible to detect its origin type. So, how do we check the type of a void*? The answer is that we don’t. And when you try, what you get is a vulnerability.

In case you’re not familiar with void pointers in C/C++: you can assign any object pointer to a void pointer, regardless of its type, and the compiler will not complain when you later cast it to whatever type you like.

void *ptr = any_ptr;

This can be helpful if you don’t know what kind of pointer a function will receive, but the type information is gone from that point on: whoever casts the void* back to a concrete type is trusting the caller, and if that trust is misplaced you get type confusion, where the bytes of one object are interpreted as the fields of another (attacker-controlled data read as a length or a pointer, for example). If you must pass untyped handles around, carry an explicit type tag with the object and check it before every cast; otherwise avoid void pointers like the plague.
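To show what “you can’t” means in practice, here is an added example (not from the writeup and not Acrobat code) that uses Python’s ctypes to reproduce the C situation: two structs of the same size, a void* taken from one of them, and a blind cast that reads the other type’s fields. Doc, Stream, the kind tag, the as_doc check and the 0x41414141 payload are all constructed for the demo, and the confused length value assumes a little-endian machine.

```python
import ctypes

KIND_DOC, KIND_STREAM = 1, 2


class Doc(ctypes.Structure):
    # 4-byte tag followed by a 16-byte title: 20 bytes total.
    _fields_ = [("kind", ctypes.c_uint32), ("title", ctypes.c_char * 16)]


class Stream(ctypes.Structure):
    # 4-byte tag, 4-byte length, 12 bytes of data: also 20 bytes, so either
    # interpretation stays inside the allocation and the demo is memory-safe.
    _fields_ = [("kind", ctypes.c_uint32), ("length", ctypes.c_uint32),
                ("data", ctypes.c_char * 12)]


class Header(ctypes.Structure):
    # Common prefix shared by every object type: the tag the hardened code checks.
    _fields_ = [("kind", ctypes.c_uint32)]


def as_void(obj):
    # void *ptr = &obj;  -- the static type is gone from here on.
    return ctypes.cast(ctypes.pointer(obj), ctypes.c_void_p)


# Vulnerable pattern: trust whoever handed over the void* and cast blindly.
def unchecked_title(ptr):
    return ctypes.cast(ptr, ctypes.POINTER(Doc)).contents.title


def unchecked_length(ptr):
    return ctypes.cast(ptr, ctypes.POINTER(Stream)).contents.length


# Hardened pattern: every object starts with a kind tag; verify it before casting.
def as_doc(ptr):
    kind = ctypes.cast(ptr, ctypes.POINTER(Header)).contents.kind
    if kind != KIND_DOC:
        raise TypeError("expected Doc (kind %d), got kind %d" % (KIND_DOC, kind))
    return ctypes.cast(ptr, ctypes.POINTER(Doc)).contents


def demo():
    doc = Doc(KIND_DOC, b"Report")
    stream = Stream(KIND_STREAM, 0x41414141, b"payload")
    # Stream read as Doc: the length bytes and the data come back as a "title".
    confused_title = unchecked_title(as_void(stream))
    # Doc read as Stream: the first four title bytes become a "length".
    confused_length = unchecked_length(as_void(doc))
    return confused_title, confused_length


if __name__ == "__main__":
    title, length = demo()
    print("stream seen as Doc.title:", title)
    print("doc seen as Stream.length: 0x%08x" % length)
```

The second confusion is the dangerous direction in real code: a field the attacker fills with text is consumed as a size or an offset by code that believed it had a Stream, and nothing at the void* boundary can tell it otherwise. The tag check in as_doc is the cheap fix: the check costs one load and turns a silent misread into a hard failure.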

Hashes and Nonces in CSP

Troy Hunt has a nice article about inline-scripts and CSP with some practical examples.

A policy like the following blocks all inline scripts, because script-src falls back to default-src and 'self' only covers scripts loaded from your own origin, not code embedded in the page:

Content-Security-Policy: default-src 'self'

The most straightforward way to remove the restriction is to add 'unsafe-inline', but that throws away CSP’s protection against inline scripts, and with it most of its value against XSS, since an injected inline script is then allowed just like yours. Thankfully there are two alternatives: a hash or a nonce. (TIL!)

If the script is static (the content does not change), you can add a hash of the script to the CSP directive, so that script alone is whitelisted. The hash is computed over the exact text between the opening and closing script tags, whitespace included, so the smallest edit (or a minifier) invalidates it; SHA-256 is the usual choice, and sha384 and sha512 sources are accepted as well.

Content-Security-Policy: default-src 'self'; script-src 'sha256-blLDIhKaPEZDhc4WD45BC7pZxW4WBRp7E5Ne1wC/vdw='

However, if the script is prone to change, you can instead add a base64-encoded nonce (a random value) to both the CSP header and the script tag. The nonce has to be generated fresh for every response from a cryptographically secure random source (128 bits is the common recommendation); a nonce that is reused or guessable is no better than 'unsafe-inline', because an attacker can put it on their injected script too.

Content-Security-Policy: default-src 'self'; script-src 'nonce-4AEemGb0xJptoIGFP3Nd'
<script type="text/javascript" nonce="4AEemGb0xJptoIGFP3Nd">
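As an added example (not from Troy Hunt’s article) the following Python computes the hash source for an inline script, generates a per-response nonce, and mirrors the browser’s decision for one inline script against a policy. build_policy, inline_script_allowed and the sample script body are names and data chosen here, not browser or framework APIs.

```python
import base64
import hashlib
import re
import secrets


def csp_hash_source(script_body, algo="sha256"):
    """Hash source for an inline script: base64 of the digest over the exact
    bytes between <script> and </script>, whitespace included."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def new_nonce(nbytes=16):
    """Fresh per-response nonce: 128 bits from a CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_policy(hash_sources=(), nonce=None):
    """Assemble the header value; 'self' plus whatever hash/nonce sources apply."""
    sources = ["'self'", *hash_sources]
    if nonce is not None:
        sources.append("'nonce-%s'" % nonce)
    return "default-src 'self'; script-src " + " ".join(sources)


def script_src_sources(policy):
    """Source list that governs scripts: script-src, else default-src."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def inline_script_allowed(policy, script_body, script_nonce=None):
    """Mirror the browser's decision for one inline <script>.

    Once any nonce or hash source is present, 'unsafe-inline' is ignored
    (CSP Level 2 behaviour), so adding hashes never silently re-enables it.
    """
    sources = script_src_sources(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = {s for s in sources if re.match(r"'sha(256|384|512)-", s)}
    if nonces or hashes:
        if script_nonce is not None and script_nonce in nonces:
            return True
        return any(csp_hash_source(script_body, algo) in hashes
                   for algo in ("sha256", "sha384", "sha512"))
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    body = "console.log('hello');"          # constructed inline script body
    print("Content-Security-Policy:", build_policy([csp_hash_source(body)]))
    nonce = new_nonce()
    print("Content-Security-Policy:", build_policy(nonce=nonce))
    print('<script nonce="%s">%s</script>' % (nonce, body))
```

Two things worth checking against your own deployment: the hash must be recomputed whenever the inline script changes (the example treats a trailing space as a different script, exactly as the browser does), and the nonce must come from the request handler, not from a template cached across responses.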

Summary of Chrome Dev Summit 2017 Videos

Dan Fabulich has a post titled I Watched All of the Chrome Dev Summit 2017 Videos So You Don’t Have To:

tl;dr: Google wants you to build PWAs, reduce JavaScript file size, use Web Components, and configure autofill. They announced only a handful of features around payments, authentication, Android Trusted Web Activities, Chrome Dev Tools, and the Chrome User Experience Report.

Check out the full post for a more detailed summary.

This is three weeks old and I kept putting off posting this in AH. It’d be super cool if someone wrote TLDRs for all conferences happening everywhere.

Friendly advice

Tweet by sarah_edo:

A lot of people, mostly university friends, called me during last month after they learned that I was unable to walk due to a leg injury. People don’t forget to leave some advice during the calls. These include:

* Migrate to another country (from those who have already migrated to other countries)
* Live for a few years in a different country (from those who are abroad temporarily for work reasons)
* Marry ASAP (from those who are married)
* It’s time I should marry and have some kids (from those who are married and have kids)
* Build a house (from those who own houses)
* Switch to a better car (from those who have more expensive cars)
* Get the shit together (from someone who has theirs together, probably)

I’m not bluffing – this is 100% real. I’m thankful for all the advice, but I feel worse than ever now.

How Computers make Random Numbers

Came across an easy-to-follow article on how pseudo-random number generators work, using linear congruential generators (LCGs) as the example.

One thing we haven’t addressed yet, is the issue of deciding the initial seed. We could fix it to some constant number. This is useful in cases where you need random numbers, but they have to be the same every time the program is executed — generating the same map every game for example.

Another way to decide the seed is to fetch it from a source that is different each time the program is executed — like the system time. This is useful in a case where a general random number is needed, like a program to simulate a dice roll.
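As an added example (not the article’s own code), a minimal LCG in Python with the two seeding strategies from the quote, plus the reason this family of generators is fine for game maps and dice but must never be used for anything secret: in this form of LCG the output is the internal state, so one observed value gives away every later one. The constants are the ones from the sample rand() in the C standard; LCG, seed_from_time and predict_next are names chosen here. For tokens and keys use the secrets module instead.

```python
import time


class LCG:
    """Linear congruential generator: state = (a * state + c) mod m."""

    def __init__(self, seed, a=1103515245, c=12345, m=2**31):
        self.a, self.c, self.m = a, c, m
        self.state = seed % m

    def next(self):
        self.state = (self.a * self.state + self.c) % self.m
        return self.state

    def roll_die(self):
        # Modulo bias is negligible here because m is huge compared to 6.
        return self.next() % 6 + 1


def sequence(seed, n=5):
    """Fixed seed: the same map (or the same dice) every run."""
    gen = LCG(seed)
    return [gen.next() for _ in range(n)]


def seed_from_time():
    """Time-based seed: different each run, but also guessable by anyone who
    knows roughly when the program started."""
    return time.time_ns()


def predict_next(observed, a=1103515245, c=12345, m=2**31):
    """The attacker's side: seeing one output is seeing the state, so the next
    output is one multiplication away. This is why an LCG is not a CSPRNG."""
    return (a * observed + c) % m


if __name__ == "__main__":
    print("seed 42, twice:", sequence(42), sequence(42))
    dice = LCG(seed_from_time())
    print("dice:", [dice.roll_die() for _ in range(5)])
    g = LCG(seed_from_time())
    seen = g.next()
    print("predicted next:", predict_next(seen), "actual:", g.next())
```

The last three lines are the security caveat in running form: the prediction is exact every time, whatever the seed. The same weakness applies to any generator whose output exposes its state, which is why session IDs, CSRF tokens and the CSP nonces above need a CSPRNG.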