Security News > 2022 > November

Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. GitHub let Dropbox know the next day, and the cloud storage outfit investigated.

OpenSSL today issued a fix for a critical-turned-high-severity vulnerability that project maintainers warned about last week. It's not every day we're warned of a critical flaw in OpenSSL - an important software library typically used by various apps and servers to encrypt data over networks and the internet - and so infosec vendors and blogs and influencers couldn't help but hype it up, promising live feeds of pain and misery when details of the holes are revealed.

Dropbox disclosed a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack. "To date, our investigation has found that the code accessed by this threat actor contained some credentials-primarily, API keys-used by Dropbox developers," Dropbox revealed on Tuesday.

OpenSSL 1.1.1 goes to version 1.1.1s, and patches one listed security-related bug, but this bug doesn't have a security rating or an official CVE number. OpenSSL 3.0 goes to version 3.0.7, and patches not one but two CVE-numbered security bugs that are official designated at HIGH severity.

At the time of publishing, the apps are still present on Google Play under a developer account called Mobile apps Group, and have a total install count of more than one million. According to a report from Malwarebytes, the same developer was exposed twice in the past for distributing adware on Google Play but it was allowed to continue publishing apps after submitting cleaned versions.

This official implementation, known as XKCP, short for eXtended Keccak Code Package, is a collection of open source library code for Keccak and a range of related cryptographic tools from the Keccak team, including their authenticated encryption algorithms Ketje and Keyak, pseudorandom generators called Kravatte and Xoofff, and a lightweight encryption algorithm for low-power processors called Xoodyak. As you can imagine, code that hashes remotely uploaded data is likely either to retrieve the entire object before hashing it locally, typically by processing a fixed-length buffer of much smaller size over and over, or to fold each received chunk into the hash as it goes, typically receiving far more modestly-sized chunks at each network call.

Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes or potentially remote code execution. After its disclosure to the OpenSSL Project team, OpenSSL committer Viktor Dukhovni found "a second independently triggerable issue" - CVE-2022-3786.

The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7.

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service and remote code execution. It's worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.

Microsoft on Tuesday said it addressed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB that enabled full read and write access. The tech giant said the problem was introduced on August 12, 2022, and rectified worldwide on October 6, 2022, two days after responsible disclosure from Orca Security, which dubbed the flaw CosMiss. "In short, if an attacker had knowledge of a Notebook's 'forwardingId,' which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook without having to authenticate, including read and write access, and the ability to modify the file system of the container running the notebook," researchers Lidor Ben Shitrit and Roee Sagi said.