SwiftOnSecurity Dec 3
Me: Threat-hunting rare DNS lookups in a corporate network. Confluence:
Tavis Ormandy Dec 3
Replying to @SwiftOnSecurity
Did you know you just dropped a 0day on twitter? 😂
SwiftOnSecurity Dec 3
Replying to @taviso
Wait... are you serious? They... actually embed the private cert somewhere? I was just laughing at the domain name.
Tavis Ormandy Dec 3
Replying to @SwiftOnSecurity
Yes, it happens sometimes. As soon as someone pulls out the key, the CA is required to revoke it. They probably did it to avoid mixed-content warnings, as you can probably guess... it's not the correct solution. Anyone using this app is vulnerable to trivial MITM 😣
Tim Stone Dec 3
Hm, I suppose that's true then of IBM's Aspera plugin client, which uses for the same kind of communication
Tavis Ormandy Dec 3
I just took a look. Umm... that could be way, way worse. There's a pre-generated CA certificate and a private key; if they add that to the system store, they're effectively disabling SSL. I would consider that *critical*.
Tim Stone Dec 3
A fun night we're all having here on Twitter dot com then
Tavis Ormandy Dec 3
I really hope this isn't what it looks like, or this is another Superfish. 😬
Tim Stone Dec 3
Offhand it doesn't look like it's added to the system store? So that's good. But I'm not sure why it's there
Tavis Ormandy
I can't imagine any possible way it makes sense, but you were right about the certificate, I extracted it. This needs to be revoked now and is a real vulnerability. 😬
Tavis Ormandy Dec 3
I sent a mail to ssl_abuse@sectigo.com, I don't know if that's the correct address.
treysis Dec 5
Replying to @taviso @tmslft and 2 others
Still not revoked. Isn't it now in violation of section 4.9.1.1 of the BRs? 24 hours have passed...