Welcome to the Patchstack Weekly Security Update, Episode 50! This update is for week 49 of 2022.
This week’s knowledge share is about the lingering problems that can happen after a compromise. This is related to the recent news of LastPass reporting a secondary incident months after an initial break-in.
I will discuss this negative experience that LastPass is handling like a professional and use it as a reminder of what to do if you ever experience a compromise.
In this week’s Vulnerability Roundup, I will talk about more unpatched security bugs, and share information about a contest the Patchstack Alliance is running each week of December. Stay tuned to hear about the bonus bounty opportunities we are opening up for the holidays.
When hacks come back
Like many people this week, I received a notification from LastPass regarding a recent security incident connected to a prior security breach from a month ago.
I applaud the LastPass team for their honesty and transparency in the matter. The notification this week informed users they recently identified unusual activity in a third-party storage service.
Their investigation concluded this recent unexpected access was likely made by someone with information leaked from an incident that happened months ago in August.
Before I continue, I should also share that LastPass reiterated that customer passwords were still encrypted and were not accessed in this recent incident. However, other elements of customer data may have been accessed.
We should applaud LastPass for detecting the unusual activity in the third-party storage service and for making this information public. They are not trying to hide from their responsibilities, instead, they’re being open and showing trustworthiness.
What can we learn?
Incidents are not always one-time events. Attackers who gain access can ex-filtrate sensitive data, then later use that data to target other services at a later time.
This is just my personal speculation, exfiltrated secrets may have been what lead to the lingering hack LastPass experienced.
The attackers gained access to a developer’s environment back in August, they could have pilfered secrets like passwords or API tokens at that time. Months later they are using these secrets to access third-party systems even after the initial compromise was cleaned up.
What could have prevented this?
Always change your secrets after a breach
If your website or business experienced a compromise, then you will want to change or rotate all of your secrets to prevent experiencing a recurring hack.
What sort of secrets should you change? Here are three.
Passwords obviously. If attackers had access to read your website’s database, then they have a copy of your password hash. With a little effort, password hashes can be cracked, exposing the secret value.
WordPress secrets. The secret keys stored in your site’s wp-config.php file are sensitive data, and for the most part, easily rotated to new values.
Just visit the WordPress secret key generator and get new randomly selected values. Attackers could use these secret key values to brute force authentication tokens. In prior work as a Security Researcher, I wrote the how-to jam WordPress sessions knowing only a username and secret token value. Another Researcher Gennady Kovshenin also wrote about the importance of unique keys and salts in WordPress a year prior to my write-up.
Third-Party API keys. Finally, if you have integrations with third parties like Twitter, Apple, Google, Recurly, Stripe, Paypal, or any other service. Your site likely uses an API key to authenticate itself with that service. If this API key gets exposed during a compromise, then attackers can use it to abuse this access and interact with these third-party services as if they were your website.
This is what happened with the FastCompany breach and led to expedient damage control taken by the FastCompany security team.
There may be more examples of secrets that need to be rotated in the event of a compromise. I would recommend performing a simulated compromise.
Simply scan your site’s files and database for any secrets as if you were a malicious party and make a note of all of the secrets found and their location. Bonus points for also writing down how to rotate the value. This way, if you ever do experience a compromise you already know what sort of secrets need to be revoked and rotated to new values.
This week’s vulnerability roundup will highlight 8 plugins with unpatched security bugs reported in them in the last week.
- iws-geo-form-fields – Unauthenticated SQLi
- menu-items-visibility-control Authenticated Remote Code Execution
- export-users-data-csv CSV Injection
- aio-time-clock-lite Authenticated XSS
- apptivo-business-site Authenticated XSS
- 1app-business-forms Authenticated XSS
- content-repeater Authenticated XSS
- clictracker Authenticated XSS
The biggest concern would be that iws-geo-form-fields unauthenticated SQL injection vulnerability. WPScan has announced they will be sharing the proof of concept on December 14th, less than 10 days away. Site owners running this plugin need to disable it or find an alternative as soon as possible.
Patchstack Alliance holiday bounties
In other vulnerability news, the Patchstack Alliance is announcing this week a special contest for bug bounty reports in December.
Each week in December, starting this week, there are additional bounties paid for the alliance members who report specific categories of bugs in WordPress components.
If you are a specialist bug bounty hunter who can track down bugs like CSRF, XSS, SQLi, or RCE then you may want to put some time aside to target these bugs and submit them to the Patchstack Alliance during December. More details about the holiday bounties can be found on the Patchstack blog.
Thanks and appreciation
This week’s thanks go out to the team at LastPass for the honest, transparent, and full disclosure to customers about experiencing a breach. The LastPass team is dealing with a serious and ongoing compromise, which is a bad thing, but they are communicating to their users what they need to know about the incident as the information becomes available. Which is a good thing. Great job showing us how to show responsibility and owning the problem.
I would also like to send out some encouragement to the Patchstack Alliance team members. Good luck and go for broke with this December’s bonus bug bounty hunting! If you are interested in joining in on some bug bounty-hunting fun, you can join the Patchstack Alliance by reporting a new security bug in a WordPress component. It’s that easy.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!