Home / Companies / Detectify / Blog / October 2018

October 2018 Summaries

4 posts from Detectify

Filter
Month: Year:
Post Summaries Back to Blog
Detectify provides major security updates every two weeks, enhancing their tool with new findings and improvements from their security researchers and the Crowdsource ethical hacker community. While not all updates can be disclosed due to confidentiality agreements, they are immediately integrated into the scanner for users. Recent updates include the addition of tests for three high-severity exploits reported by ethical hackers, which were incorporated into the Detectify scanner on October 19. These vulnerabilities include CVE-2018-18069, a stored cross-site scripting flaw in the WordPress wpml plugin, CVE-2018-2894, a remote code execution issue in Oracle WebLogic, and CVE-2018-1673, a reflected cross-site scripting vulnerability in IBM WebSphere Portal. Users are encouraged to scan for these vulnerabilities and can start a free trial or log in to check their assets.
Oct 19, 2018 272 words in the original blog post.
Grant McCracken, Sr. Manager of Solutions Architecture at Bugcrowd, discusses the evolution and expansion of crowdsourced security and ethical hacking, highlighting the increasing acceptance of bug bounty programs by a diverse range of industries beyond tech giants, including banks and car manufacturers. Initially entering the security field as an Application Security Engineer and later transitioning through roles at Bugcrowd, McCracken has witnessed the industry's shift towards embracing open-scope bounty programs, which allow for more comprehensive vulnerability discovery. Despite some organizations' initial hesitance to engage with crowdsourced security due to concerns about exposing vulnerabilities, McCracken emphasizes the importance of collaboration with ethical hackers to enhance product security. The community's growth is evident as more individuals can now make a living from bug bounty hunting, and Bugcrowd supports the trend by helping companies manage vulnerability disclosure programs. Looking ahead, McCracken sees the future of crowdsourced security becoming more mainstream, while stressing the need for companies to remediate vulnerabilities swiftly to maintain the effectiveness and motivation of security researchers.
Oct 17, 2018 1,342 words in the original blog post.
Online media channels heavily rely on ad placements as a revenue stream, but the use of iframe busters for ad delivery introduces vulnerabilities, notably cross-site scripting (XSS), affecting about 2% of websites, including many in the media sector. Iframes are used to embed ads, but come with restrictions that iframe busters bypass, often without sufficient security measures, allowing potential exploitation by malicious actors. Despite past efforts by companies like Google to remove vulnerable files, many websites remain at risk, as highlighted by a recent report from Randy Westergren, which prompted further scrutiny by security researchers. The presence of XSS vulnerabilities poses significant risks, allowing attackers to execute JavaScript under a website's domain, leading to potential data theft and content manipulation, although it requires user interaction with a crafted link. This issue affects websites regardless of whether they handle sensitive data, as it can undermine user trust and site reputation, particularly for media companies with user data due to subscriptions and paywalls. Websites are encouraged to audit and secure their iframe busters, with tools like Detectify offering tests for such vulnerabilities, ensuring the continued safety and sustainability of ad revenue streams.
Oct 04, 2018 1,137 words in the original blog post.
Detectify delivers major security updates every two weeks to keep its tool current with new vulnerabilities, features, and improvements sourced from its security researchers and the Crowdsource ethical hacker community. Although confidentiality agreements prevent full disclosure of these updates, they are immediately incorporated into the Detectify scanner and made available to users. Recent vulnerabilities added to the scanner include iframe buster DOM-XSS, phpMyAdmin CSRF issues, Caucho Resin XSS, and several other security concerns affecting popular tools such as WordPress plugins and network monitoring software Nagios. These vulnerabilities can expose sensitive information or allow unauthorized code execution, highlighting the importance of regular security scans. Detectify encourages users to begin scans for these vulnerabilities and offers a free trial for new users.
Oct 04, 2018 483 words in the original blog post.