IT NEWS

British Airways customers targeted in lost luggage Twitter scam

Getting back into the travel habit? Jumping on a plane soon? Experienced a bit of a luggage disaster and looking for help on social media? Watch out, because a lack of prior research could prove very costly.

Word has spread of a bogus Twitter account pretending to be a customer support channel of British Airways. Now suspended, the fraud operation seems to have taken a fair bit of cash before being shut down. 

Lose your luggage, find a fraud

People posting about missing luggage on Twitter quickly found their replies filling up with offers to help from a non-verified account purporting to be British Airways. The account asked for phone numbers and likely pushed for additional contact via Twitter’s private message system.

Unfortunately, these offers of help quickly turned sour. The scam account requested various forms of payment to help recover the missing luggage. Although the fakers have been suspended, a lot of replies sent their way still exist. Looking through, we can see at least one individual who was initially told that her luggage was “lost in Dallas”. To move things along, a request for payment was made using the payment system Wise.

Though the first request was for a small amount, the scammers quickly ramped things up. It wasn't long before the victim complained that they were being asked for even more money. Eventually, they claim to have lost no less than a thousand US dollars. Of course, they still don't have any idea where their luggage has ended up. Taking these amounts from people who are overseas, with no belongings, and now a potentially cleaned-out bank account is quite the vicious approach.

Avoiding the luggage assistance fakers

Here are some things you should do, and be aware of, when in transit.

  • Airlines are not going to ask for additional fees or payment to help you look for your bags.
  • Be wary of non-verified accounts replying to you. Is it asking for additional personal details? Phone numbers? Payment? Why?
  • Go directly to the source. Use official websites, verified support channels, phone numbers listed on those official websites. You can pretend to be anyone you like on social media, and this is a ripe field for potentially costly scams.
  • If you’re still not sure of the authenticity of an account you’re dealing with, go to the airport help desk. If you’ve realised your bags are missing, you’re almost certainly still in the terminal. Make full use of their availability and ensure everything and everyone you’re interacting with is the real deal.

As people slowly start to get back into the swing of travel, it’s inevitable that fraudsters will do as much as they can to rip those travellers off in any way they can. Customer support is great, but it pays to be mindful when ringing the help alarm. You never quite know who’s going to show up in response.

Chromium browsers can write to the system clipboard without your permission

If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction. This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge.

Clipboard

In layman’s terms, the clipboard is where the data lives while you copy and paste, or cut and paste for that matter. Copying and pasting is such an essential part of our daily computing that most of us just do it automatically. And it can lead to undesirable results if something outside of our control decides to interfere. For example, if you used the “cut” action on a certain piece of text with the intention to paste it somewhere else, it can be a nasty surprise if something completely different gets pasted, and due to using the cut rather than copy, you may have lost the original.

Gestures

Firefox and Safari do require a user gesture before websites can copy content to the device’s clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl+C or other means to copy it to the clipboard. Chrome and other Chromium-based browsers currently have no such restriction.

Demonstration

If you’d like to see this demonstrated or if you want to check if you are somehow protected against this happening, you can visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards. You can check the content by “pasting” to an empty text editor like Notepad. Should you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:

“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”

Windows clipboard manager

For Windows 10 and 11 users there is a way to retrieve overwritten items from your clipboard. These Windows versions come with a clipboard manager, although it does need to be turned on first. This can be done in the Settings menu on your computer. Under System, you'll find a section called Clipboard. Toggle the switch behind Clipboard history to On. Windows will now start keeping track of your clipboard content. To review the history (up to 25 items) you can use the Win+V keys.

Not new

At Malwarebytes Labs we wrote about clipboard poisoning attacks on the Mac back in 2016. The take-away from that article in the current context is that by pasting in a sensitive place, like the Terminal on a Mac, or a Command Prompt on a Windows machine, text can become a command that gets executed.

Broken

In his article about the clipboard issue, developer Jeff Johnson states that the user gesture requirement for writing to the clipboard was accidentally broken in version 104. And although the vulnerability has been flagged, fixing it may be delayed because it breaks other functionality. Apparently, adding a user gesture requirement for the readText and writeText APIs breaks NTP doodle sharing. NTP Google doodles are animations that appear in some cases in Chrome when a new tab is opened. Personally, I wouldn't miss them at all.

Mitigation

While we wait for a fix, threat actors may come up with ways to abuse this temporary vulnerability. Here are some things you can do to stay on the safe side:

  • Do not open webpages between any cut/copy and paste actions.
  • Check the content of your clipboard before you paste into any sensitive areas. You can use any clipboard manager or just paste into a text field to see what is currently there. For those of you doing financial transactions this is always worth considering, since there is malware out there that can change bitcoin addresses and bank account numbers on your clipboard.
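As an added example, not part of the original post, here is a small Python script that does the "check before you paste" step for you: it reads whatever text is on the system clipboard and flags content that looks like a shell command, a cryptocurrency address or a bank account number, the kinds of substitutions described above. The patterns and the tkinter-based clipboard read are choices made for this example; they are heuristics, so a match is a prompt to look, not proof of tampering.

```python
import re

# Heuristic patterns written for this example (not from the article). Each one
# describes clipboard content that deserves a second look before pasting.
SUSPICIOUS_PATTERNS = {
    "shell command": re.compile(
        r"^\s*(sudo\s+|curl\s|wget\s|powershell\s|bash\s|sh\s|rm\s+-rf|Invoke-)",
        re.IGNORECASE,
    ),
    "pipe to shell": re.compile(r"\|\s*(ba)?sh\b|\|\s*iex\b", re.IGNORECASE),
    # bech32 (bc1...) and legacy base58 (1.../3...) bitcoin address shapes
    "bitcoin address": re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ethereum address": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Characters that let pasted text differ from what is displayed on screen.
HIDDEN_CHARS = ("\u200b", "\u202e", "\r")


def inspect_clipboard_text(text):
    """Return the list of reasons the text should be reviewed before pasting."""
    reasons = [label for label, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(text)]
    if any(ch in text for ch in HIDDEN_CHARS) or "\n" in text.strip():
        # Multi-line content pasted into a terminal runs line by line.
        reasons.append("hidden or multi-line content")
    return reasons


def clipboard_matches(expected, actual):
    """True when the text you intend to paste is exactly what the clipboard holds."""
    return expected.strip() == actual.strip()


def read_system_clipboard():
    """Read the OS clipboard via tkinter (an assumption for this example; any
    clipboard library would do). Returns '' when the clipboard holds no text."""
    import tkinter

    root = tkinter.Tk()
    root.withdraw()
    try:
        return root.clipboard_get()
    except tkinter.TclError:
        return ""
    finally:
        root.destroy()


if __name__ == "__main__":
    text = read_system_clipboard()
    reasons = inspect_clipboard_text(text)
    print("Clipboard holds %d characters." % len(text))
    if reasons:
        print("Review before pasting:", ", ".join(reasons))
        print(repr(text))
    else:
        print("Nothing unusual detected.")
```

Run it just before pasting into a terminal or a payment form; if you copied an address yourself, compare it with `clipboard_matches(what_you_copied, text)` rather than trusting the pattern check alone.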

Stay safe, everyone!

A week in security (August 22 – August 28)

Last week on Malwarebytes Labs:

Stay safe!

Twilio data breach turns out to be more elaborate than suspected

Earlier this month, messaging service Twilio got compromised by a sophisticated social engineering attack. After deploying phishing attacks against company employees, hackers were able to access user data, but now it seems that the impact of the hack was more elaborate than originally assumed.

In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Outside of Twilio, the identity authentication company Okta revealed that the data of some Okta customers was accessible to a threat actor, as well. And Signal tweeted that they, too, had been affected by the Twilio breach.

Authy

Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts by double-checking the login attempt via a dedicated app, after typing in the login credentials.

By gaining access to 2FA data, the malicious actors gained access to the accounts of 93 individual Authy users and registered additional devices to their accounts. Twilio says that it has now removed such devices from accounts.

Okta

Okta has determined that a small number of mobile phone numbers and associated SMS messages containing one-time passwords (OTPs) were accessible to the threat actor via the Twilio console. A one-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. OTPs typically expire after a short period (up to one minute).

Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.

Signal

Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation. Twilio provides Signal with phone number verification services. As a result of the attack on Twilio, Signal warned that for 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. These 1,900 users were notified directly, and prompted to re-register.

Signal’s tweet about the Twilio breach

Scatter Swine

The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.

In this campaign, spanning recent months, a number of technology companies were subject to persistent phishing attacks by a threat actor that you will see referred to as Scatter Swine or Oktapus. This threat actor is known to repeatedly target the same organizations with multiple phishing attacks within a matter of hours.

In the Twilio case, the threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization. A review of logs provided by Twilio revealed that the threat actor was seeking to expand their access. It is likely that the threat actor used credentials previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for OTPs sent in those challenges.

Mitigation

If you are a user of any of the services mentioned above, you should have been notified if your account was affected, but it doesn’t hurt to check the advice and details about the attack on their respective sites.

One general piece of advice is to be extra vigilant about “new device added” notifications from any provider. This could be a warning signal that a threat actor is trying to intercept 2FA messages or OTPs that are intended for you.

Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating “Barons of Hell.” 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game’s nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the conference’s main stage. His efforts to run the modified version of Doom, which are discussed in today’s episode of Lock and Code with host David Ruiz, are not just good for a laugh, though. For one specific community, the work represents a possible, important step forward in their own fight—the fight for the “right to repair.” 

“Right to Repair” enthusiasts want to be able to easily repair the things they own. It sounds like a simple ask, but when’s the last time you repaired your own iPhone? When’s the last time you were even able to replace the battery yourself on your smartphone?

The right to repair your equipment, without intervention from an authorized dealer, is hugely important to some farmers. If their tractor breaks down because of a software issue, they don’t want to wait around for someone to have to physically visit their site to fix it. They want to be able to fix it then and there and get on with their work.

So, when a hacker shows off that he was able to do something that wasn’t thought possible on a device that can be notoriously difficult to self-repair, it garners attention.  

Today, we speak with Sick Codes about his most recent work on a John Deere tractor, and how his work represents a follow-up to what he and a group of researchers showed last year, when he revealed how he was able to glean an enormous amount of information about John Deere smart tractor owners from John Deere's data operations center. This time around, as Sick Codes explained, the work was less about tinkering around on a laptop and more about getting physical with a few control panels that he found online.

“It’s kind of like surgery but for metallic objects, if that makes sense. Non-organic material.”

Tune in today to listen to Sick Codes discuss his work, why he did what he did, and how John Deere has reacted to his research. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Source code of password manager LastPass stolen by attacker

In a security incident notice, LastPass informed the public that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. There is no evidence that this incident involved any access to customer data or encrypted password vaults.

LastPass

LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.

Stolen passwords

Because of the nature of their business, a breach notification naturally worries people that the passwords they stored in their password manager may have been leaked or compromised. And indeed there was some speculation on social media that hackers may be able to access the keys to password vaults after stealing source code and proprietary information.

Since your individual passwords are encrypted and locked behind a master password that even LastPass does not know, this worry seems unjustified. In December of 2021, LastPass users reported that their master passwords were compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations and devices. LastPass determined that these were the result of a credential stuffing attack. Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

Randomly generated passwords

Depending on the source code that was stolen there could be reason to worry about randomly generated passwords. Since computer software cannot come up with truly random numbers on its own, having access to the source code might make it possible to predict the "random" generated passwords.

While that may seem far-fetched, a determined attacker with enough background knowledge about the circumstances under which the password was generated (for example the length of the password, date of creation, username and/or email address, which elements are allowed and required, etc.) might be able to brute force the password with far fewer guesses, if they know how the randomization part of the password creation is coded in the software.
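To make the point concrete, here is an added Python example. It is not LastPass's code; the weak generator is a hypothetical one written for this example, seeded from the password's creation time. It contrasts that generator with one that draws from the operating system's cryptographically secure random source: knowing the weak generator's code plus a rough creation time reduces the search from the full keyspace to a few hundred guesses, while the strong generator has no seed to recover.

```python
import random
import secrets
import string

# Allowed characters for generated passwords (a constructed policy for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_password(length, creation_time):
    """Hypothetical insecure generator: seeds a Mersenne Twister with the
    whole-second creation timestamp. Anyone who knows the algorithm and roughly
    when the password was made can regenerate it."""
    rng = random.Random(int(creation_time))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length):
    """Uses the OS CSPRNG (secrets); there is no seed, so reading the source
    code gives no shortcut."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_weak_password(target, length, approx_time, window_seconds):
    """Re-run the known weak generator for every seed within +/- window_seconds
    of the assumed creation time. Returns (seed, guesses) or (None, guesses)."""
    guesses = 0
    first = int(approx_time) - window_seconds
    for candidate in range(first, int(approx_time) + window_seconds + 1):
        guesses += 1
        if weak_password(length, candidate) == target:
            return candidate, guesses
    return None, guesses


def keyspace_size(length):
    """Number of guesses a brute force needs without any knowledge of the generator."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    created = 1_700_000_000          # constructed creation time (Unix seconds)
    pw = weak_password(16, created)
    seed, guesses = recover_weak_password(pw, 16, created + 300, 600)
    print("weak password reproduced with seed", seed, "after", guesses, "guesses")
    print("blind brute force of the same length needs", keyspace_size(16), "guesses")
    print("strong password (unreproducible):", strong_password(16))
```

The gap is the whole story: 70^16 blind guesses versus a few hundred once the generator and an approximate creation time are known, which is exactly the scenario the paragraph above describes.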

What to do?

In response to the incident, LastPass deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While the investigation is ongoing, they have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. 

If you haven’t done so already it is advisable to enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password is compromised. The instructions to enable MFA can be found on the LastPass Support pages.

We will keep you posted here if there are any updates to the story.

Adware found on Google Play — PDF Reader serving up full screen ads

A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as PDF reader – documents viewer, package name com.document.pdf.viewer. As a result, this aggressive behavior lands it in the realm of adware. Or as we call it, Android/Adware.HiddenAds.PPMA.

Catching the adware

Catching this adware in real time is a game of install and wait. It takes a couple of hours before the PDF app will display ads. This long delay is in order to make it harder to track down which app is causing the ads. For example, full screen ads displaying immediately after install would likely result in a quick uninstall. With this in mind, I plugged my test phone into my laptop with Android Device Monitor running. Among other tools, Android Device Monitor includes LogCat, which logs all activity on an Android mobile device. I then installed PDF reader – documents viewer, package name com.document.pdf.viewer, directly from Google Play. Thus, my waiting game began the morning of August 22nd.

To my surprise, at 15:04 I heard my test phone sound a chime. My expectation from previous testing was that it would take longer before an ad displayed. Before unlocking the screen, I checked my LogCat logs.

08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277

The keyword is ‘START’ in the log. What starts is an Ad SDK. This time, from the PDF reader’s special in-house Ad SDK, com.document.pdf.viewer.ads.PPMActivity.  Unlocking the lock screen, another important log comes in.

08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms

Indeed, looking at the phone there is a full screen ad “displayed.”


Soon after, another Ad SDK starts in the logs.

08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277

Once again, another ad displays. This time it is a video ad.

08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms


After the initial ads, they come more frequently. Each time, the start of ads is signified by a chime sounding on the mobile device. Henceforth, a full screen ad is waiting. Immediately after the first ad is a video ad.
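The log lines above are enough to automate the "install and wait" check. The following Python script is an added example, not part of the article or of any Malwarebytes tool: it parses ActivityManager START and Displayed lines from a LogCat dump, normalizes relative activity names like .ads.PPMActivity to their full form, and flags ad-SDK activities (identified by name markers chosen for this example, such as com.facebook.ads. and .ads.) that start when no ordinary activity of the same package was launched in the preceding minute. The sample input reuses the four lines quoted above plus three constructed lines.

```python
import re
import sys
from datetime import datetime

# Matches "START u0 {... cmp=pkg/activity ...}" and "Displayed pkg/activity: +Nms" lines.
ACTIVITY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): I/ActivityManager\(\d+\): "
    r"(?P<event>START|Displayed) (?:u0 \{[^}]*?cmp=)?(?P<pkg>[\w.]+)/(?P<act>[\w.]+)"
)

# Name fragments that identify ad-SDK activities (constructed for this example).
AD_ACTIVITY_MARKERS = ("com.facebook.ads.", "com.applovin.", ".ads.")

SAMPLE_LOGCAT = [
    # Lines quoted from the article: ad activities with no prior use of the app.
    "08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277",
    "08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms",
    "08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277",
    "08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms",
    # Constructed lines: the user opens the app and an ad follows while it is in use (not flagged).
    "08-22 16:10:01.000: I/ActivityManager(765): START u0 {flg=0x10200000 cmp=com.document.pdf.viewer/.MainActivity} from uid 10277",
    "08-22 16:10:20.000: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277",
    # Constructed line from another package, ignored by the package filter.
    "08-22 16:11:00.000: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.example.other/.ads.Banner} from uid 10300",
]


def parse_activity_line(line, year=2022):
    """Return {ts, event, pkg, activity} for an ActivityManager line, else None.
    LogCat timestamps carry no year, so one is supplied to build a datetime."""
    m = ACTIVITY_LOG_RE.match(line)
    if not m:
        return None
    pkg, act = m.group("pkg"), m.group("act")
    if act.startswith("."):          # relative name: ".ads.PPMActivity" -> full class name
        act = pkg + act
    ts = datetime.strptime("%d-%s" % (year, m.group("ts")), "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "event": m.group("event"), "pkg": pkg, "activity": act}


def is_ad_activity(activity):
    return any(marker in activity for marker in AD_ACTIVITY_MARKERS)


def find_unsolicited_ads(lines, package, grace_seconds=60):
    """Flag ad activities of `package` that START without a non-ad activity of the
    same package having started within the last grace_seconds."""
    events = [e for e in map(parse_activity_line, lines) if e and e["pkg"] == package]
    last_user_activity = None
    flagged = []
    for e in events:
        if e["event"] != "START":
            continue
        if is_ad_activity(e["activity"]):
            recently_in_use = (
                last_user_activity is not None
                and (e["ts"] - last_user_activity).total_seconds() <= grace_seconds
            )
            if not recently_in_use:
                flagged.append((e["ts"].strftime("%H:%M:%S"), e["activity"]))
        else:
            last_user_activity = e["ts"]
    return flagged


if __name__ == "__main__":
    # Usage: python adcheck.py <package> [logcat.txt]; without a file, the sample is used.
    package = sys.argv[1] if len(sys.argv) > 1 else "com.document.pdf.viewer"
    lines = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else SAMPLE_LOGCAT
    for when, activity in find_unsolicited_ads(lines, package):
        print("%s unsolicited ad activity: %s" % (when, activity))
```

Point it at a saved `adb logcat` capture and the package you suspect; the one-minute grace window is a tuning knob, and a legitimate app that only shows ads while open should produce no hits.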

Don’t blame the Ad SDKs

PDF reader uses an array of common Ad SDKs and its own Ad SDK. Facebook Ads is shown in the log above, but we also observed it using Applovin along with others. In addition, it uses an in-house Ad SDK contained in com.document.pdf.viewer.ads.PPMActivity. Although these common Ad SDKs are shown displaying the ads, it is not necessarily their fault. The issue is displaying ads where they ought not to be displayed. Any of these ads within the app, while using the app, is fair game. Moreover, Ad SDKs like Applovin and Facebook Ads are necessary to keep apps free on the Play Store. It is only when the ads start displaying outside the app at random that this qualifies as adware. It is the PDF reader app that is wrongfully using these Ad SDKs.

Not all PDF readers are the same

There are many good PDF readers on Google Play. However, this one has some oddities signaling red flags right from the Google Play Store description.


Note the Mature 17+ content rating. For what reason does a PDF reader need a mature rating? Another clue that something is not right is the developer's name, Fairy games. I get diversifying the kinds of apps you provide, but it's an odd developer name for anything other than gaming apps.

Am I infected?

If you are thinking to yourself, “I have a PDF reader installed, am I infected!?” here are a few things to check. Are you receiving full screen ads? If yes, do you have an icon that looks like this?


If you do, you can uninstall it from App info.


More easily, you can install Malwarebytes for Android and use our free scanner to remove it.

Another one slips through

From what we can tell from previous versions of PDF reader – documents viewer, it has existed since November 2021. Each version thereafter serves ads just like the most recent Google Play version. Although we cannot verify that it has been on Google Play since 2021, it is likely the case. If you have a lot of apps installed on your mobile device, this one can be very hard to track down. That is another reason not to blindly trust that you are safe just because you install exclusively from Google Play. Even if the Play Store is by far the safest place to install apps on Android, it can fail from time to time as well. Having an anti-malware scanner, or anti-adware in this case, is a good idea. Stay safe out there!

App Information

Package name: com.document.pdf.viewer

App Name: PDF reader – documents viewer

Developer: Fairy games

MD5: CDA77D85D5B733C89F53254F11F3F372

Google Play URL: https://play.google.com/store/apps/details?id=com.document.pdf.viewer

Twitter security under scrutiny after former executive turns whistleblower

A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users’ personal information, to company shareholders, to national security, and to democracy.

Otherwise known as Mudge, Peiter Zatko is a network security expert, open source programmer, writer, and a hacker. His most recent position was as head of security at Twitter, reporting directly to the CEO. He was the most prominent member of the high-profile hacker think tank the L0pht, as well as the computer and culture hacking cooperative the Cult of the Dead Cow. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.

Zatko was fired by Twitter in January for what the company claims was poor performance.

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.”

Major problems

The 2020 Twitter hack was one of the main reasons for Twitter to hire Zatko, who previously held senior roles at Google, Stripe, and the US Department of Defense. When Zatko arrived at Twitter, he said he found a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”

According to Zatko, “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

Infrastructure

Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors. Zatko’s letter to a Twitter board member about that issue is included in the disclosure.

The disclosure also claims that Twitter lacks sufficient redundancies and procedures to restart or recover from data center crashes, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline.

FTC

In 2010, the Federal Trade Commission (FTC) filed a complaint against Twitter for its mishandling of users’ private information and the issue of too many employees having access to Twitter’s central controls. Zatko alleges that despite the company’s claims to the contrary, it has never been in compliance with what the FTC demanded over ten years ago.

Elon Musk

After recent events, whenever Twitter is mentioned, the name of Elon Musk comes up as well. Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company,  claims that the number of bots on the platform affect the user experience and that having more bots than previously known could therefore impact the company’s long-term value.

According to Zatko's disclosure, Twitter's CEO Parag Agrawal tweeted false and misleading statements about Twitter's handling of bots on the platform. In fact, he stated, deliberate ignorance was the norm amongst the executive leadership team. The reason is simple to understand: a social platform's value is based on the number of active users, since that is the potential audience for advertising on the platform. Twitter uses a unique metric called monetizable daily active users (mDAUs) which it says counts all users that could be shown an advertisement on Twitter.

The company has repeatedly said that less than 5% of its mDAUs are fake or spam accounts. But Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Foreign influence

According to the disclosure, Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll.

Last year, prior to Russia’s invasion of Ukraine, Agrawal — then Twitter’s chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges. While Agrawal’s suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.

Zatko’s report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

Motivation

By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy.

“Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission.”

Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. Original, timely and credible information that leads to a successful enforcement action by the Securities and Exchange Commission (SEC) can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said.

The prospect of a reward was not a factor in Zatko’s decision, he said, and in fact he claims he didn’t even know about the reward program when he decided to become a lawful whistleblower.

Binance chief says a “sophisticated hacking team” turned him into a deepfake hologram

Deepfakes are back, and causing major problems for people involved in financial circles. Scammers have been targeting people in the cryptocurrency community for some time now. There’s huge money to be made via the act of ripping folks off. Some of it is phishing, other attacks focus on breaking into currency exchanges. A few of these have dabbled in (very poorly done) Elon Musk deepfakes. The clips are bad, the voice an overt mashup of clipped and broken dialogue. All in all: not very convincing.

Well, scammers are back for another go.

Behold the Deepfake hologram

In this case, it's a deepfake hologram impersonating Patrick Hillmann, Chief Communications Officer (CCO) at Binance. Hillmann states that a "sophisticated hacking team" raided the old footage archives. News interviews, TV appearances, anything that they could get their hands on. The aim of the game? To use this footage and create a convincing deepfake.

The Hillmann deepfake was then used in a variety of scenarios to trick people, he said. The scam involved “potential opportunities to list their assets on Binance.com”. At least one incident involves someone ending up in a Zoom call with a “hologram”. We assume this is some sort of old hologram style marketing material repurposed for the bogus Zoom call. Or perhaps the person calling it a hologram is simply unfamiliar with this technology and just calling it a hologram because of that.

Fooling the community

While no footage of these fakes currently exists, Hillmann claims that these calls fooled "several highly intelligent crypto community members". These individuals no doubt have some sort of familiarity with the people being used in the scam, so they must have been somewhat decently put together. Still: one person's incredibly convincing deepfake is another person's PlayStation 2 full motion video emulator. Without seeing one of these in action, we may never know for sure.

There is also no word as to which projects were targeted by the scammers, or investment numbers/finance requests. Did anybody make off with some cash? We don’t know.

Avoiding cryptocurrency Deepfake scammers

Here are some tips from Binance in relation to avoiding scams like this one:

  • Be vigilant and always take proactive steps to ensure you don’t fall prey to scams and impersonations.

  • Use the Binance Verify tool to check whether the account officially represents Binance. Binance Verify isn’t foolproof though, and a scammer could spoof their “from” email address or hide behind the real name of a Binance employee. In both cases, Binance Verify would produce mixed results. 

  • Report any suspicious activities or accounts to Binance Support.

On a related note, you can always ask someone you suspect of being a deepfake to turn their head to one side. Your reward will be a horrifying rendering of broken facial structure from the upside-down, or the pangs of social embarrassment felt from accusing someone of being entirely digital. Given the fakery running wild out there at the moment, one would hope the person you’re talking to would understand the need for caution. The choice, as they say, is yours.

Update now! GitLab issues critical security release for RCE vulnerability

GitLab has released versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and it’s recommended that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

GitLab

GitLab and GitHub are open-source code repository platforms allowing anyone to collaborate on projects. GitLab focuses on providing tools for teams working on software development projects (repositories), while GitHub focuses more on managing the workflow of individual developers and organizations. The name GitLab was chosen because it combines GitHub and Lighthouse (the company that develops the source code management system).

GitLab has millions of users worldwide. Since no specific deployment type (omnibus, source code, helm chart, etc.) is mentioned in the release, this means all types are affected.

RCE vulnerability

The main reason to apply this security update as soon as possible is CVE-2022-2884, a Remote Command Execution (RCE) vulnerability in GitHub import. The vulnerability's severity was given a CVSS score of 9.9 out of 10.

The vulnerability in GitLab CE/EE affects all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1. The flaw allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. By making use of this vulnerability, a threat actor could take control over the server, steal or delete source code, perform malicious commits, and more.

Mitigation

Users are advised to upgrade to the latest security release for their supported version. To update GitLab, see the GitLab update page.

If you’re unable to update right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Disable GitHub import

Log in to your GitLab installation using an administrator account and perform the following:

  • Click “Menu” -> “Admin”.
  • Click “Settings” -> “General”.
  • Expand the “Visibility and access controls” tab.
  • Under “Import sources” disable the “GitHub” option.
  • Click “Save changes”.

Verifying the workaround

  • In a browser window, log in as any user.
  • Click “+” on the top bar.
  • Click “New project/repository”.
  • Click “Import project”.
  • Verify that “GitHub” does not appear as an import option.
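For admins who would rather script the version check and the workaround across several instances, here is an added Python example that is not from the GitLab advisory. The affected ranges are the ones listed above for CVE-2022-2884; the GET /api/v4/version and GET/PUT /api/v4/application/settings calls, the PRIVATE-TOKEN header and the import_sources field are assumed from the GitLab REST API, and the base URL and token are placeholders you supply on the command line.

```python
import json
import sys
import urllib.request

# Affected ranges from the advisory text above, as
# (first affected version inclusive, first fixed version exclusive).
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text):
    """Turn '15.3.0-ee' or '15.2' into a comparable (major, minor, patch) tuple."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def github_import_enabled(settings):
    """settings is the decoded JSON of GET /api/v4/application/settings
    (the import_sources field name is an assumption for this example)."""
    return "github" in settings.get("import_sources", [])


def import_sources_without_github(settings):
    """The import_sources list to send back when applying the workaround."""
    return [s for s in settings.get("import_sources", []) if s != "github"]


def _api(base_url, token, path, method="GET", body=None):
    # Minimal authenticated call; PRIVATE-TOKEN carries a personal access token.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4" + path,
        data=data,
        method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_instance(base_url, token):
    """Report the running version, whether it is in an affected range, and
    whether the GitHub import source is still enabled."""
    version = _api(base_url, token, "/version")["version"]
    settings = _api(base_url, token, "/application/settings")
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "github_import_enabled": github_import_enabled(settings),
    }


def apply_workaround(base_url, token):
    """Disable the GitHub import source: the same effect as the UI steps above."""
    settings = _api(base_url, token, "/application/settings")
    remaining = import_sources_without_github(settings)
    return _api(base_url, token, "/application/settings",
                method="PUT", body={"import_sources": remaining})


if __name__ == "__main__":
    # Placeholders: python gitlab_check.py https://gitlab.example.invalid <admin-token>
    base, token = sys.argv[1], sys.argv[2]
    status = check_instance(base, token)
    print(status)
    if status["vulnerable"] and status["github_import_enabled"]:
        print("Upgrade now, or call apply_workaround() until you can.")
```

The version check is the part worth keeping after the upgrade: re-run it against each instance to confirm the reported version is at or past the fixed release for its branch, and re-enable the GitHub import source only once that is true.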