
European Commission Launches Program to Reward Bug Detection in Its Projects

The European Commission has launched a program that rewards the discovery of bugs in the open source projects that underpin its public services. Bug bounty hunters can receive up to €5,000 (about 5,600 US dollars) for finding security vulnerabilities in open source software used throughout the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo and CryptPad. The program, run on the European bug bounty platform Intigriti, also offers a 20% bonus if the researcher supplies a code fix for the bug.

In a statement released on January 19, the EC said it is looking for reports of security vulnerabilities such as exposure of personal data, horizontal/vertical privilege escalation and SQL injection. The highest reward is reserved for "exceptional vulnerabilities". The program follows an earlier EU initiative, FOSSA, which paid out more than 220,000 dollars over its 18 months of operation and was heralded as a "remarkable success".

Speaking to The Daily Swig, Inti De Ceukelaire, head of hacking at Intigriti, said that the partnership came about last year when Intigriti ran a program funded by the EC's ISA2 program. "We are committed to further nurturing the relationship with the open source communities that we have established over the last few years," said the Belgian tester. "Personally, I believe that all government bodies should have and encourage the use of vulnerability disclosure policies and introduce or adopt unambiguous laws to support vulnerability research. Bug bounties, among other crowdsourcing initiatives, are a great way to encourage this." De Ceukelaire added: "Virtually all organizations use open source projects in one way or another. Identifying and resolving security vulnerabilities in these projects has an impact at scale. The Log4j incident has shown us that supporting the security of widely used open source projects is an absolute necessity, so we can only applaud this initiative by the European Commission."

The original article via The Daily Swig can be read at: https://portswigger.net/daily-swig/european-commission-launches-new-open-source-software-bug-bounty-program


Software Error in Safari 15 Browser Allows Tracking of User Activity

A software bug introduced in Apple Safari 15's implementation of the IndexedDB API could be abused by a malicious website to track users' online activity in the browser and, worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the problem to the iPhone maker in November 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers to manage NoSQL databases of structured data such as files and blobs. "Like most web storage solutions, IndexedDB follows a same-origin policy," according to Mozilla's API documentation. "So while you can access data stored in a particular domain, you cannot access data in different domains." The same-origin policy is a fundamental security mechanism that ensures that resources retrieved from different origins, i.e. different combinations of the scheme (protocol), host (domain) and port number of a URL, are isolated from each other. This means that "http[:]//example[.]com/" and "https[:]//example[.]com/" are not the same origin because they use different schemes. By restricting how a script loaded from one origin can interact with a resource from another origin, the policy isolates potentially malicious scripts and reduces the attack surface, preventing an unauthorized site from executing arbitrary JavaScript code to read data from another domain, such as an email service.

However, this is not how Safari handles the IndexedDB API on iOS, iPadOS and macOS. "In Safari 15, on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is in violation of the same-origin policy," said Martin Bajanik in a write-up. "Whenever a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows in the same browser session."

One consequence of this privacy breach is that it lets websites learn which other websites a user is visiting in different tabs or windows and, more specifically, accurately identify users of Google services such as YouTube and Google Calendar, because these sites create IndexedDB databases that include authenticated Google User IDs, an internal identifier that uniquely identifies a single Google account. "This not only implies that untrusted or malicious sites can know a user's identity, but also allows them to link several separate accounts used by the same user," added Bajanik. To make matters worse, the leak also affects Safari 15's private browsing mode when a user visits several different websites from the same tab. "This is a huge bug," tweeted Jake Archibald, Google Chrome developer advocate. "In OSX, Safari users can (temporarily) switch to another browser to prevent their data from leaking across origins. iOS users don't have that choice, because Apple imposes a ban on other browser engines."

The original article via The Hacker News can be read at: https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html


Software Error Causes Loss of 34 Million Research Files at Kyoto University

A newly deployed script malfunctioned and deleted 34 million files from the Japanese university's supercomputer, some of which cannot be recovered from backups. On December 16, Kyoto University began investigating a problem caused by a software update from Hewlett Packard Enterprise (HPE), and found that approximately 77TB of files belonging to 14 research groups had been deleted over the previous two days. While the university said it would contact those affected, HPE took full responsibility, explaining that the update to the supercomputer system was originally intended to "improve visibility and readability" by deleting log files more than 10 days old.

In its statement, the US company admitted a "lack of consideration" in the procedure for releasing the new script and said it had not been aware of any potential side effects when the script was applied. The script was overwritten while it was still running, "resulting in undefined variables" that caused the original log files on the supercomputer to be deleted "instead of deleting the [log] file saved in the directory". HPE added that measures will be taken to prevent a recurrence, including verifying updates before they are applied and retraining the engineers responsible for preventing risks and human error.

Kyoto University, founded in 1897, is Japan's second-oldest university, one of the country's leading research institutions, and has produced several Nobel Prize winners. Microsoft also faced a software problem earlier this year, when its Exchange servers stopped working properly as the clock struck midnight on New Year's Eve: the servers could not accommodate the year 2022, which led some to call it the Y2K22 bug.

The original article via Silicon Republic can be read at: https://www.siliconrepublic.com/enterprise/software-error-causes-34m-research-files-to-be-lost-at-kyoto-university
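The failure mode HPE describes, an undefined variable turning a log-cleanup step into deletion of the wrong files, as an added bash example that is not HPE's script or Kyoto University's configuration: the unsafe routine beside a hardened one, both run against a constructed temporary directory tree (the LOG_SUBDIR variable and the file names are assumptions made for the demo).

```shell
#!/usr/bin/env bash
# Added example, not HPE's update script. A log-cleanup routine written two
# ways: one that silently expands an undefined variable (the failure mode the
# statement describes) and a hardened one that aborts on unset variables and
# checks its target first. Tree, file names and LOG_SUBDIR are constructed.

# Constructed sandbox: work/logs/ holds an old and a fresh log file, and
# work/results.dat stands in for research data that must survive cleanup.
make_sandbox() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/work/logs"
    echo old > "$root/work/logs/old.log"
    echo new > "$root/work/logs/new.log"
    echo data > "$root/work/results.dat"
    # Backdate two files so that both count as "more than 10 days old".
    touch -t 202001010000 "$root/work/logs/old.log" "$root/work/results.dat"
    printf '%s' "$root"
}

# Unsafe: relies on LOG_SUBDIR being defined elsewhere in the script. When it
# is not, "$1/$LOG_SUBDIR" collapses to "$1/" and find walks the whole work
# tree, deleting every old file, not just the old logs.
unsafe_cleanup() {
    (
        set +u    # mirrors a script that never enabled nounset
        find "$1/$LOG_SUBDIR" -type f -mtime +10 -delete
    )
}

# Hardened: set -u turns the undefined variable into a hard error, the target
# must already exist as a directory, and deletion stays inside it.
safe_cleanup() {
    (
        set -u
        target="$1/${LOG_SUBDIR}"    # subshell exits here if LOG_SUBDIR is unset
        [ -d "$target" ] || { echo "refusing: $target is not a directory" >&2; exit 2; }
        find "$target" -mindepth 1 -type f -mtime +10 -delete
    )
}

demo() {
    local root
    root=$(make_sandbox); unsafe_cleanup "$root/work"
    [ -e "$root/work/results.dat" ] && echo "unsafe: results.dat kept" || echo "unsafe: results.dat DELETED"
    root=$(make_sandbox)
    safe_cleanup "$root/work" && echo "safe: ran" || echo "safe: refused (exit $?)"
}
demo
```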

