Security News

Trojan Source bugs may lead to extensive supply-chain attacks on source code
2021-11-02 10:51

Cambridge University researchers have detailed a new way targeted vulnerabilities can be introduced into source code while making them invisible to human code reviewers, allowing for extensive supply-chain attacks. "We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic," professor Ross Anderson explained.

New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code
2021-11-02 01:28

A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks. Dubbed "Trojan Source attacks," the technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper.

'Trojan Source' attack method can hide bugs in open-source code
2021-11-02 00:07

Academic researchers have released details about a new attack method they call "Trojan Source" that allows injecting vulnerabilities into the source code of a software project in a way that human reviewers can't detect. "The trick is to use Unicode control characters to reorder tokens in source code at the encoding level," reveals Nicholas Boucher, one of the researchers who discovered Trojan Source.

‘Trojan Source’ Hides Invisible Bugs in Source Code
2021-11-01 16:28

Named "Trojan Source attacks," the method "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a paper published on Monday. The researchers have coordinated disclosure with 19 organizations, many of which are now releasing updates to address the security weakness in code compilers, interpreters, code editors and repositories.

Hiding Vulnerabilities in Source Code
2021-11-01 15:58

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. "We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic."
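The mechanism the five items above describe, as an added example that is not code from the articles, from the Cambridge paper or from its authors: a constructed Python snippet carries a right-to-left isolate (U+2067) inside a docstring, so the interpreter reads a closed docstring followed by `;return` while a bidi-aware editor reorders the rest of the line and the reviewer reads it as docstring text (the exact rendering depends on the viewer; the paper's own samples differ in detail). The snippet, the balances and the scanner are all constructed here; the practical check is the scanner, which flags every Unicode directional formatting character by its bidi class.

```python
"""
Added example (not from the articles or the Trojan Source paper): builds a
Python snippet that carries a Unicode bidi isolate inside a docstring so the
displayed line and the parsed logic disagree, runs it, then scans the text
for the directionality control characters that make the trick work.
"""
import unicodedata

# Bidi classes of the Unicode directional formatting characters:
# embeddings, overrides, isolates and their terminators
# (U+202A..U+202E and U+2066..U+2069).
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Constructed sample in the "commenting-out" pattern: the interpreter reads a
# closed docstring followed by `;return`, so the subtraction never runs, while
# a bidi-aware viewer reorders the tail of the line after U+2067 (RLI) so the
# `;return` reads as part of the docstring.
TROJAN_SOURCE = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "subtract_funds('alice', 50)\n"
)

# The same function as a reviewer believes it to be: no control character,
# no early return.
HONEST_SOURCE = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account '''\n"
    "    bank[account] -= amount\n"
    "subtract_funds('alice', 50)\n"
)


def run_bank_source(source):
    """Execute a constructed snippet in a fresh namespace; return alice's balance."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)  # only our own constructed samples
    return namespace["bank"]["alice"]


def scan_for_bidi(text):
    """Return (line, column, 'U+XXXX', bidi_class) for each directional control char."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cls = unicodedata.bidirectional(ch)
            if cls in BIDI_CONTROL_CLASSES:
                findings.append((lineno, col, f"U+{ord(ch):04X}", cls))
    return findings


def escape_bidi(text):
    """Replace directional control chars with visible <U+XXXX> markers so the
    true token order shows up in a diff or review tool."""
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES else ch
        for ch in text
    )


if __name__ == "__main__":
    print("honest balance:", run_bank_source(HONEST_SOURCE))  # 50
    print("trojan balance:", run_bank_source(TROJAN_SOURCE))  # 100: the hidden return skipped the subtraction
    for lineno, col, cp, cls in scan_for_bidi(TROJAN_SOURCE):
        name = unicodedata.name(chr(int(cp[2:], 16)))
        print(f"line {lineno} col {col}: {cp} ({cls}) {name}")
    print(escape_bidi(TROJAN_SOURCE.splitlines()[2]))
```

Running `scan_for_bidi` over a checkout (or wiring it into a pre-commit or CI step) is the cheap mitigation: directional formatting characters have almost no legitimate use outside string literals that hold right-to-left text, so any hit in code, comments or docstrings deserves a human look at the escaped form rather than the rendered one.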

Twitch Suffers Massive 125GB Data and Source Code Leak Due to Server Misconfiguration
2021-10-07 00:55

Interactive livestreaming platform Twitch acknowledged a "breach" after an anonymous poster on the 4chan messaging board leaked its source code, an unreleased Steam competitor from Amazon Game Studios, details of creator payouts, proprietary software development kits, and other internal tools. The Amazon-owned service said it's "working with urgency to understand the extent of this," adding the data was exposed "due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."

Twitch Gets Gutted: All Source Code Leaked
2021-10-06 15:26

An attacker claims to have ransacked Twitch for everything it's got, including all of its source code and user-payout information. Twitch's announcement came days after Black and LGBTQ Twitch streamers, fed up with torrents of racist and transphobic hate, boycotted the service for 24 hours in the #ADayOffTwitch protest.

Things that are not PogChamp: Amazon's Twitch has its source code, streamer payout data leaked
2021-10-06 14:27

Links to torrents that contain 128GB of data supposedly pulled from the Amazon-owned Twitch streaming service have been posted to 4chan. Without a trace of irony, the anonymous poster described Twitch as "a disgusting toxic cesspool" and linked to the data, which they alleged contains the source code for the Twitch site, other bits of released and unreleased software, and data on payouts made to Twitch creators.

Massive Twitch hack: Source code and payment reports leaked
2021-10-06 13:13

Twitch source code and streamers' and users' sensitive information were allegedly leaked online by an anonymous user on the 4chan imageboard. The leaker shared a torrent link leading to a 120GB archive containing data allegedly stolen from roughly 6,000 internal Twitch Git repositories.

OMIGOD, an exploitable hole in Microsoft open source code!
2021-09-16 18:55

The relevant bug fixes were officially available in the OMI source code back on 12 August 2021, more than a month ago. Like WMI, the OMI code runs as a privileged process on your servers so that sysadmins, and system administration software, can query and control what's going on, such as enumerating processes, kicking off utility programs, and checking up on system configuration settings.