Security Pills - Issue 29
Web Hackers vs The Auto Industry, Security in the Age of LLMS, Circom-Pairing: A Million-Dollar Zk Bug Caught Early.
Release Date: 9th January 2022 | Issue: 29 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Would you like to become a sponsor for our newsletter?
Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.
If you are interested, reach out to hell[email protected] with your ad idea to get started!
Hey everyone, hope you had a great week. 👋,
In the first week of the year, Sam Curry and others published their research on different vehicle telematic systems, with vulnerabilities found if almost every single car manufacturer. pwning.eth has reported another critical bug which impacted the Poladkot ecosystem, probing the possibility of minting valid but depegged wrapped tokens. Andrew Hong, from Dune Analytics, has written extensive articles explaining how Ethereum maps to Dune's tables and has shared multiple examples for all the basic SQL you can use.
These and more articles, are available on today's newsletter, enjoy.
- Articles: The GPT-3 Architecture on a Napkin, Security in the Age of LLMs, Prototype Pollution in Python, Bypassing Firewalls with of-CORs and typo-squatting, SSRF Vulnerabilities Caused by SNI Proxy Misconfigurations, Top 10 Web Hacking Techniques of 2022, How to Start Analyzing Any Web3 Protocol or Product Using SQL, 2022 Blockchain Security and AML Analysis Annual Report, Getting Started with Phalcon 2.0, Using Foundry to Explore Upgradeable Contracts Pt. 1, A Basic Wizard Guide to Dune SQL and Ethereum Data Analytics, Guide to Web3 Data Tools, Reverse Engineering Yet Another Book Format.
- Bug Bounty & Vulnerabilities: Web Hackers vs The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche and More, Circom-Pairing: A Million-Dollar ZK Bug Caught Early, Moonbeam Astar and Acala Library Truncation: BugFix Review, Frozen Heart Vulnerability, A Vulnerability Perspective Analysis of Move Language Security, I Scanned Every Package on PyPi and Found 57 Live AWS Keys, How Was GDS Chain Hacked?
- Videos: Beware of this Crypto Scam, ZK Vulnerability: Frozen Heart, I Hope This Sticks Analyzing ClipboardEvent Listeners for XSS, From NSO Group: Hacker to Web3 Security Researcher.
- Repositories: rustle, solsec, awesome-foundry, iCDump, of-CORs, aws-creds-scanner
- Tags used in this issue: #AI, #analytics, #appsec, #blockchain, #cloud, #reverse-engineering, #smart-contract
The GPT-3 Architecture on a Napkin #AI
Article that aims to build an as detailed as possible understanding of the GPT-3 architecture.
Security in the Age of LLMs #AI
Article on how threat modeling and detection will drastically change in the age of AI/LLMs.
Prototype Pollution in Python #appsec
Research that aims to prove the possibility of having a variation of Prototype Pollution in other programming languages, including those that are class-based by showing Class Pollution in Python.
Bypassing Firewalls with of-CORs and typo-squatting #appsec
Research on how to attack internal applications without performing lateral movement or social engineering, just using a misconfiguration on CORs and typo-squatting.
SSRF Vulnerabilities Caused by SNI Proxy Misconfigurations #appsec
SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends.
Top 10 Web Hacking Techniques of 2022 #appsec
Every year, security researchers share their latest findings with the community in a firehose of presentations, white-papers and blog posts. While every post is valuable, some contain something special - innovative ideas and techniques that can be re-applied elsewhere.
Portswigger has opened the nominations for the top 10 new web hacking techniques of 2022. Check them out on this article.
How to Start Analyzing Any Web3 Protocol or Product Using SQL #analytics, #blockchain
Protocol contract structures and flows all vary wildly, and learning solidity patterns is not necessarily easy. Figuring out what functions/events from what contracts to analyze is tough, and finding example transactions can be time consuming. Andrew has created a Dune dashboard to make every analyst life easier and has authored this article that deep-dive into each section of the dashboard.
Getting Started with Phalcon 2.0 #analytics, #blockchain
Phalcon is a powerful transaction explorer designed for DeFi community. It provides comprehensive data on invocation flow, balance changes, and fund flows for transactions. It also supports transaction simulation.
This article aims to introduce the various features and functions of Phalcon, using for that a transaction on the Ethereum blockchain.
A Basic Wizard Guide to Dune SQL and Ethereum Data Analytics #analytics, #blockchain
In this article Andrew explains how Ethereum maps to Dune's tables and provides use case examples for all the basic SQL needed to become a data wizard.
Guide to Web3 Data Tools #analytics, #blockchain
Article from Andrew Hong that covers all the top data tools and how they are used from a data analysts perspective.
2022 Blockchain Security and AML Analysis Annual Report #blockchain
This report takes a close look at the major events in the blockchain industry that took place in 2022. It provides an overview of the security status of each area within the industry and delves into common attack techniques. Additionally, it uncovers a few phishing techniques and analyzes the flow of stolen funds in some security incidents. To round things off, the report introduces an advanced method for tracking coin mixer funds through a comprehensive analysis.
Using Foundry to Explore Upgradeable Contracts Pt. 1 #blockchain
Making contracts upgradeable offers a lot of flexibility, but also it adds certain complexities to the code, as you need to circumvent Solidity's type system, which causes the compiler's ability to catch mistakes to be severely limited.
This post is the first in a two-part series and will deep-dive into how upgradeable contracts can be implemented and what can go wrong.
Reverse Engineering Yet Another Book Format #reverse-engineering
Nemanja Mijailovic on how to reverse engineer the DRM used by Human Kinetics, and obtain a legal copy of the EPUB.
Web Hackers vs The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More #appsec
Research on different automobile manufacturers and security issues identified in their API endpoints used by the vehicle telematics systems.
Circom-Pairing: A Million-Dollar ZK Bug Caught Early #blockchain
Analysis of a critical security issue discovered in the circom-pairing library, which could have allowed attackers to forge signatures. The circom-pairing library is a circom implementation of elliptic curve pairings, which enables Zero-Knowledge (ZK) systems to verify signatures over the BLS12-381 curve.
Frozen Heart Vulnerability #blockchain
Details on the Frozen Heart security vulnerability, caused to an improper implementation of the Fiat-Shamir hash computation algorithm.
A Vulnerability Perspective Analysis of Move Language Security - Proposal Attack | Contract Upgrade Vulnerability #blockchain
An analysis on the proposal attack that affects smart contracts written in the Move language. The SharkTeam has also written about the contract upgrade vulnerability.
I Scanned Every Package on PyPi and Found 57 live AWS Keys #cloud
Tom Forb has scanned every package published to PyPi and found 57 valid accesses keys from organizations like Amazon, Intel and the Australian Government, among others.
This article outlines the tool built by Tom to automatically scan all new PyPi releases and presents some analysis of the keys found.
Moonbeam, Astar, and Acala Library Truncation Bugfix Review #smart-contract
On June 27th, pwning.eth submitted a critical bug report that impacted the Polkadot ecosystem via Immunefi, demonstrating the possibility of minting valid but depegged wrapped tokens.
The estimated potential damage from the vulnerability amounted to approximately $200m across the Moonbeam, Astar Network and Acala projects.
How Was GDS Chain Hacked? - Neptune Mutual | QuillAudits #smart-contract
On January 03, 2022, the GDS Chain was exploited via a flash loan attack, resulting in a loss of approximately $187,000 and the price of the GDS token dropped from $0.5 to $0.1.
🙏 Support us
Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee.
You can also share us with your friends and follow us on Twitter.
- Beware of this Crypto Scam — Junion observed that zero USDT tokens were transferred mysteriously out of his wallet. These zero token transfers are all a part of an elaborate scam that has stolen over 5 million dollars.
- ZK Vulnerability - Frozen Heart — D-Squared focuses on a ZK vulnerability called 'Frozen Heart', which was discovered by Trail of Bits.
- I Hope This Sticks" Analyzing ClipboardEvent Listeners for XSS — Talk given by spaceraccoon during NahamCon2022 EU.
- From NSO Group Hacker to Web3 Security Researcher — An interview with Trust, ex-NSO Group hacker turned web3 bounty hunter and independent security researcher. In just under a year, Trust has rocketed to the top of the code4rena leaderboard, and has made waves on both code4rena and Immunefi.
- blocksecteam/rustle — Rustle is an automatic static analyzer for NEAR smart contracts in Rust.
- 0xsanny/solsec — A collection of resources to study Solana smart contract security, auditing, and exploits.
- crisgarner/awesome-foundry — A curated list of awesome of the Foundry development framework.
- romainthomas/iCDump — A modern Objective-C class dump based on LIEF and LLVM.
- trufflesecurity/of-CORS — Truffle Security's tool suite for identifying and exploiting CORS misconfigurations on the internal network of bug bounty targets using typo-squatting.
- orf/aws-creds-scanner — This tool scans PyPi, Rubygems and Hexpm packages for AWS keys.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.
@0xroot | @secpillsnews