Fun times: if I'm reading this right, #minio decided to stop publishing new Docker images one day before releasing their CVSS 8.8 privilege escalation.

I understand the VCs want their money back, but making it hard for people to do security upgrades must be one of the top ways to set your company valuation on fire.

OK if the decision was made beforehand. But this is software; you can always walk things back.

https://github.com/minio/minio/issues/21647

https://github.com/minio/minio/releases/tag/RELEASE.2025-10-15T17-29-55Z

#insecurebydesign #stupid

Docker release? · Issue #21647 · minio/minio (GitHub)

Hello, I did not find a new image for the security release Security/CVE RELEASE.2025-10-15T17-29-55Z, on quay.io nor DockerHub. Is it expected? If it isn’t, can you please push a new release for th...

Of all the problems with email campaign HTTP redirects, one of the most annoying is the prevalence of insecure links, i.e. http://. I think this may account for 98.3% of all HTTP traffic outside the great firewall of China.

From: <[email protected]>
Subject: Protecting your privacy is important to us.
Date: Sat, 10 Aug 2024 04:44:04 -0400

To view the current Privacy Policy visit verizon.com/fiosprivacypolicy at any time or click on the button below.

Of course that is not linked to the URL shown but to a long referral link with tags and tracking; at least that link and the apparent destination are secure, i.e. https://

GET https:// verizon .com/fiosprivacypolicy
HTTP/1.1 301 Moved Permanently
Location: http:// verizon .com/fiosprivacypolicy

In the footer they don't even try:

Verizon is dedicated to protecting your privacy. Please read our Privacy Policy.

where "Privacy Policy" links to a referral to an insecure link, i.e. http:// (and not to the same page as the previous "Privacy Policy").

HTML Programmers never die.
HTML Programmers never learn.

#Verizon #PrivacyPolicy #NotImportantToUs #HTTPS #HTTP #HTMLProgrammers #InsecureByDesign
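The https-to-http hop quoted above is easy to miss in a long tracking chain. The following is an added example, not code from the original post: it parses a captured request/response transcript in the same shape as the one shown and reports every hop where the scheme drops from https to http. The tracking host in the sample transcript is a constructed placeholder; the verizon.com hops mirror the post.

```python
"""Offline audit of a captured HTTP redirect chain for HTTPS -> HTTP downgrades."""
from urllib.parse import urljoin, urlsplit

# Constructed transcript modelled on the exchange in the post: a tracked
# e-mail link (placeholder host) 302s to the HTTPS policy page, which then
# 301s to plain HTTP. Exchanges are separated by a blank line.
SAMPLE_TRANSCRIPT = """\
GET https://click.mailer.example/r?c=fios&u=42
HTTP/1.1 302 Found
Location: https://verizon.com/fiosprivacypolicy

GET https://verizon.com/fiosprivacypolicy
HTTP/1.1 301 Moved Permanently
Location: http://verizon.com/fiosprivacypolicy

GET http://verizon.com/fiosprivacypolicy
HTTP/1.1 200 OK
"""


def parse_transcript(text):
    """Return one (request_url, status, resolved_location) tuple per exchange."""
    hops = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        url = lines[0].split(None, 1)[1].strip()      # "GET <url>"
        status = int(lines[1].split()[1])             # "HTTP/1.1 <code> <reason>"
        location = None
        for header in lines[2:]:
            name, _, value = header.partition(":")
            if name.strip().lower() == "location":
                # Location may be relative; resolve it against the request URL
                # so the scheme comparison below sees the real target.
                location = urljoin(url, value.strip())
        hops.append((url, status, location))
    return hops


def find_downgrades(hops):
    """Return (hop_index, from_url, to_url) for every https -> http redirect."""
    findings = []
    for i, (url, status, location) in enumerate(hops):
        if 300 <= status < 400 and location:
            if urlsplit(url).scheme == "https" and urlsplit(location).scheme == "http":
                findings.append((i, url, location))
    return findings


def audit(text):
    """Summarise a transcript: hop count plus the list of downgrade hops."""
    hops = parse_transcript(text)
    return {"hops": len(hops), "downgrades": find_downgrades(hops)}
```

Run `audit(SAMPLE_TRANSCRIPT)` to see the second hop flagged; feeding it a transcript captured with curl -v from your own mailing links works the same way.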

Windows: Insecure by design

Get your hands off my computer, Microsoft!

The Register
@BHSPitMonkey
That is a valid perspective, and I get it, but in my mind it became an incident when they forcibly declared, repeatedly and for a full week, that the design was pretty and therefore it was not flawed. If this isn't the incident that gets your particular installation in trouble, that is lucky for you, but there will be one. Their security approach is, at best, ego-driven.
I saw the new version, but I also saw that they pretended not to notice at least 8 different bugs and security reports and somehow lost 3 days between closing the public bug github.com/home-assistant/core/issues/105226 and when they claim the issue was first opened. (My security issue was filed on the 11th, and I was told it was intentional and to fuck off. And addressed by the name of someone else who opened the same issue because even cut and paste proved too hard..)

My recent longer-form take on Home Assistant security is at
infosec.town/notes/9n4wb30so2knbtxw

#homeassistant @homeassistant @frenck #insecurebydesign
New Login Page - Needs disable option or untrusted hosts category · Issue #105226 · home-assistant/core

The problem When HA sits behind a proxy or traffic is rewritten with NAT in some complex network topologies, the 'real' IP of the client/endpoint is not exposed to Home Assistant, but instead logge...

GitHub
@slamp @homeassistant @sammachin @frenck
OK, and where is the security incident discussed?

#insecurebydesign is still #insecure, as your own blog post said..
#homeassistant #security #cve

There is no room for ego in security. Causing a vulnerability does not make you a bad person. What matters is how you behave when you find out about your mistake. That says a lot about you as a person.

I get it though. I took another look at www.home-assistant.io/security#past-advisories and it has been a great year for security. First, one thing jumped out at me:

Non-qualifying vulnerabilities
Privilege escalation attacks for logged in users
That is .. unpleasant. But fine. Let's see what the actual vulnerabilities have been. Maybe it's hard to take over an account (or a session) and it doesn't matter that climbing from "read only user" to "full system root" is acceptable..

OK I'm back and wow, it is not a good list. "Full takeover" "full takeover" "clickjacking" "account takeover" "authentication bypass" (oh shit 'bypass' like 'bypass'?? yep! see higher in the thread) "xss" and hang on, go back. "Account takeover" is the same as "full takeover" because they don't give a shit about escalation.. So they list 10 vulnerabilities (skipping internal-project) and let's count real quick.. 3 full takeovers, 4 account takeovers, and a bunch of basic XSS/clickjacking. Except there are really 7 "full takeover" vulnerabilities, because escalation bugs are not bugs. (That same criteria would have been given to the auditors, so it is unlikely they went looking for escalation vectors.)

So there is a huge list and it is full of student-level mistakes. Could it be worse? I'm incredibly disappointed you had to ask, but yes, it can get much worse! There are clear barriers in the way of anyone filing security reports. How many other critical vulnerabilities are discovered and not reported? Most people don't enjoy fighting with this bullshit. Volunteers will just move on after the first round rather than deal with the hostility and ego. So now we have privilege escalation making every attack worse, while escalated privilege chases off volunteers.

Way to go.
@homeassistant @frenck
#homeassistant #insecure #vulnerability #security #securitybynepotism #insecurebydesign

Security

Home Assistant takes its security seriously. This page contains information about how we handle security issues, how to report them, and also information on past security issues.

Home Assistant
To gather some quick links:
- Open a core bug:
github.com/home-assistant/core/issues/new?assignees=&labels=&projects=&template=bug_report.yml
- frontend bug:
github.com/home-assistant/frontend/issues/new?assignees=&labels=bug&projects=&template=bug_report.yml
- security vulnerability:
github.com/home-assistant/core/security/advisories/new
- feature request: "I would like it to be vaguely secure" is a feature I guess.
community.home-assistant.io/c/feature-requests/13

I wonder how long before someone writes up a click-bait article on this issue and their insane responses..

#homeassistant #insecurebydesign #vulnerability #disclosures

They closed my disclosure because saying "I meant to do that!" fixes all vulnerabilities. (Insecure by design is still insecure, it says so right there at the front!)

I explicitly
DID NOT mean to do that. It is a vulnerability, even according to their own announcement:

Of course, when logging in from outside your home network, we can’t do this as that would give away privacy-sensitive information about your system and who is in it.

They have yet to even admit there is an issue. Doubling and tripling down on "We know security and this is fine!"

If they close your vulnerability, open a bug report. When they close that, open a feature request. Then back to opening vulnerabilities because there must be SOME place to report this...

The last release of 2023 is here, and we are going out with a bang! 🎉

That is pretty true.

@homeassistant #homeassistant #security #vulnerability #insecurebydesign #securitybynepotism

The bug is closed without a fix, so I encourage everyone who is affected to open a security ticket at github.com/home-assistant/core/security/advisories/new

As SuperTrollMan quoted in the ticket, the blog post directly admits that user account enumeration is a security and privacy leak, and yet somehow it doesn't apply...

@homeassistant #homeassistant #security #vulnerabilities #insecurebydesign #cve #snarkhome
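The thread above (the issue's proxy/NAT description and the quoted "outside your home network" rule) comes down to one decision: is this login request really from the home network? The following is an added illustration written for this page, not Home Assistant's code. It contrasts a naive peer-address check, which classifies every proxied request as local, with one that only honours X-Forwarded-For from configured trusted proxies and supports an explicit untrusted-hosts list for NAT gateways whose real client cannot be recovered. The networks, proxy and gateway addresses are constructed.

```python
"""Deciding whether a login request is 'from the home network' behind a proxy or NAT."""
from ipaddress import ip_address, ip_network

# Constructed deployment: a LAN, one reverse proxy and one NAT gateway.
LOCAL_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ip_address("192.168.1.10")}   # we configured these; their XFF is honoured
UNTRUSTED_HOSTS = {ip_address("192.168.1.1")}    # NAT gateway: real client unknown, never local


def _in_local_net(addr):
    return any(addr in net for net in LOCAL_NETWORKS)


def naive_is_local(peer_ip, forwarded_for=None):
    """Flawed check: looks only at the TCP peer. Behind a proxy every request
    arrives from the proxy's LAN address, so remote clients are classified as
    local and would be shown the account list on the login page."""
    return _in_local_net(ip_address(peer_ip))


def is_local_request(peer_ip, forwarded_for=None):
    """Safer check. X-Forwarded-For is client-controlled unless the peer is a
    proxy we configured, and peers that hide the real client (NAT) are never
    treated as local, which is the 'untrusted hosts' option the issue asks for."""
    peer = ip_address(peer_ip)
    if peer in UNTRUSTED_HOSTS:
        return False
    client = peer
    if peer in TRUSTED_PROXIES:
        if not forwarded_for:
            return False                   # the proxy must tell us who the client is
        # Use the address our proxy appended (the last element); the first
        # element can be forged by the client before it reaches the proxy.
        client = ip_address(forwarded_for.split(",")[-1].strip())
    return _in_local_net(client)


def compare(peer_ip, forwarded_for=None):
    """Return (naive_verdict, safer_verdict) for one request, for side-by-side review."""
    return naive_is_local(peer_ip, forwarded_for), is_local_request(peer_ip, forwarded_for)
```

`compare("192.168.1.10", "203.0.113.7")` is the proxied remote login from the issue: the naive check says local, the safer one does not.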