Skip to main content

Search

Items tagged with: applicationsecurity


People following my account for a while probably noticed me talking about South Korea every now and then. I’ve hinted towards doing some important research, and now the time has finally come for the first disclosures.

But first I need to do a bunch of explaining because most people (my past self from a few months ago included) are largely unfamiliar with the Korean software landscape. See: they have those “security” applications that everyone has to install if they want to use online banking for example.

What could possibly go wrong with applications developed by private vendors without any kind of security vetting and that everyone in a country has to install, whether they like it or not? A lot of course.

In this first blog post I explain how in my limited understanding the current situation came about, show why the companies lack incentive to really invest in security and give you a first slight idea of the disastrous consequences.

No, I’m not exaggerating. The next blog post is scheduled for January 9th, and it will be about a specific application. I submitted seven vulnerability reports for this one. It took a real issue and claimed to have solved it – by making matters considerably worse than they were.

palant.info/2023/01/02/south-k…

#infosec #ApplicationSecurity #privacy #korea


People wonder why I am always so harsh on #LastPass. Thing is, I’ve been watching them ignore security risks for years. Yes, things that they are being warned about again and again, yet they choose not to address them.

You think unencrypted URLs are bad? Take a look at this seven years old presentation by Martin Vigo and Alberto Garcia Illera: blackhat.com/docs/eu-15/materi…. Starting with page 69 it explains how the custom_js feature could be abused to extract users’ passwords.

Guess what, this feature is still present and used on PayPal for example. Still no encryption and nothing to protect the users. No change whatsoever in at least seven years that LastPass was made aware of this issue.

Instead, when disclosing #LastPassBreach they again lie that they don’t have access to your passwords. But they do. Anyone with access to their server does. NSA could order them to extract your passwords. Hackers who gain access to their server could abuse this to get your passwords. Or just to run their JavaScript code on any website, and then they don’t even need your passwords.

And that’s only one out of the many documented backdoors that LastPass chooses to ignore, both in terms of implementation and their public communication.

#infosec #ApplicationSecurity