This Week In Security: The UK Wants Your iCloud, Libarchive Wasn’t Ready, And AWS

There’s a constant tension between governments looking for easier ways to catch criminals, companies looking to actually protect their users’ privacy, and individuals who just want their data to be truly private. The UK government has issued an order that threatens to drastically change this landscape, at least when it comes to Apple’s iCloud backups. The order was issued in secret, and instructed Apple to provide a capability for UK officials to access iCloud backups that use the Advanced Data Protection (ADP) system. ADP is Apple’s relatively new end-to-end encryption scheme that users can opt into to make their backups more secure. The key feature here is that with ADP turned on, Apple themselves don’t have access to decrypted user data.

If this order wasn’t onerous enough, it seems to explicitly include all ADP-protected data, regardless of the country of origin. This should ring alarm bells. The UK government is attempting to force a US company to add an encryption backdoor to give them access to US customer data. Cryptographer [Matthew Green] has thoughts on this situation. One of the slightly conspiratorial theories he entertains is that portions of the US government are quietly encouraging this new order because the UK has weaker protections against unreasonable search and seizure of data. The implication here is that those elements in the US would use this newfound UK data access capability to sidestep Fourth Amendment protections of citizens’ data. This doesn’t seem like much of a stretch.

[Matthew] does have a couple of suggestions. The first is passing laws that would make it illegal for a US company to add backdoors to their systems, specifically at the request of foreign nations. We’ve seen first-hand how such backdoors can backfire once accessed by less-friendly forces. In an ironic turn of fate, US agencies have even started recommending that users use end-to-end encrypted services to be safe against such backdoors. Technically, if this capability is added, the only recourse will be to disable iCloud backups altogether. Thankfully Apple has pushed back rather forcefully against this order, threatening to simply turn off ADP for UK users, rather than backdoor the rest of the world. Either way, it’s a scary bit of overreach.

GitHub Actions Can Be Dangerous

This is a bit of tag-team research between [Lupin] and [Snorlhax]. The pair went from competitors on the French HackerOne leaderboard, to co-conspirators looking for bugs. And this is the story of finding the big one. The pair went searching for flaws at a specific unnamed company, and found a Docker image that contained an entire copy of some proprietary server-side code. That was certainly worthy of a bug bounty, but there was more. The .git folder hadn’t been properly scrubbed, and contained a token from a GitHub Actions run. That probably shouldn’t be a problem, as these tokens expire at the end of the run. But our protagonists found something interesting: a race condition where the Docker image gets uploaded before the action completes. (Here is Palo Alto’s independent discovery and coverage.) And that wasn’t even the big find from this research.

The big find was a quirk of Docker images. The build process creates a .npmrc file in the Docker image, which contains an npm token for publishing packages. That file is deleted as part of the Docker image finalization. But Docker images are more complicated than simple file archives. They are made up of layers, and “Each instruction in a Dockerfile (such as FROM, COPY, RUN, etc.) creates a new layer.” That’s an incredibly important concept, because Docker images are like onions: You can peel back the layers, and they can make you cry.

The build process for this Docker image did delete the .npmrc file before publishing it, but only after triggering the creation of another filesystem layer. It wasn’t obvious, but the Docker image did contain this critical npm secret, and anyone with access could publish arbitrary libraries to the company’s npm repository. That is definitely an exceptional find, and resulted in a well-earned $50,000 bounty.
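How a deleted file survives in an earlier layer, as an added example that is not from the original article or the researchers' write-up: it walks an image's layer tarballs, looks for the `.wh.` whiteout entries the OCI image format uses to record a deletion, and reports files that still exist underneath. The layers, paths and token value are constructed for the example.

```python
import io
import posixpath
import tarfile

def make_layer(files):
    """Build one constructed layer tarball from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed image: layer 1 writes the credential file, layer 2 "deletes" it.
LAYERS = [
    make_layer({"app/package.json": b'{"name": "demo"}'}),
    make_layer({"app/.npmrc": b"//registry.example.invalid/:_authToken=PLACEHOLDER\n"}),
    make_layer({"app/.wh..npmrc": b""}),  # whiteout marker for app/.npmrc
]

def find_buried_files(layers):
    """Return (path, added_in, deleted_in) for files a later layer whites out."""
    seen = {}    # path -> index of the most recent layer that wrote it
    buried = []
    for index, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            members = tar.getmembers()
        for member in members:
            name = posixpath.normpath(member.name)
            directory, base = posixpath.split(name)
            if base.startswith(".wh.") and base != ".wh..wh..opq":
                target = posixpath.join(directory, base[len(".wh."):])
                # A whiteout hides the file itself or everything below a directory.
                hits = [p for p in seen if p == target or p.startswith(target + "/")]
                for path in hits:
                    buried.append((path, seen.pop(path), index))
            elif member.isfile():
                seen[name] = index
    return buried

if __name__ == "__main__":
    for path, added, deleted in find_buried_files(LAYERS):
        print(f"{path}: written in layer {added}, whited out in layer {deleted}")
```

A credential file in the result means the secret still ships in the published image. BuildKit secret mounts (`RUN --mount=type=secret`) or a multi-stage build keep it out of every layer.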

Libarchive Wasn’t Ready for Windows

Microsoft pulled the Libarchive open source library into Windows 11 back in 2023, giving Windows Explorer the native ability to handle a wider variety of archive files. This is a “time-tested library” that even has fuzzing coverage. It has not, however, been time tested in the context of running in Microsoft Windows. Which is why it’s not surprising that Explorer’s temporary file extraction feature failed to catch an archive with the C: root directory. That is not a terribly useful vulnerability, but is technically an arbitrary file write/delete as the local user.

There’s more, like the patch for a previous vulnerability replacing disallowed characters in file names. The \ character is escaped with another backslash, giving us \\ instead. The problem there is that \ and \\ are both aliases for the device root, aka C:\.

There are more tricks to find, many of them the result of libarchive features that weren’t entirely intended to be exposed inside Windows. There are more than the 11 advertised archive types supported. There’s confusion because Windows strictly uses filename extensions to determine a file type, while libarchive uses the Unix/Linux convention of looking at the magic bytes at the beginning of a file. The whole thing is an interesting read, with implications for the limitations of automated fuzzing, particularly when not using the same compile options as in production.

AI Poisoning Two-fer

We start off with a tale of prompt injection that can corrupt long-term AI memory. Imagine a document or website that secretly instructs an AI to believe that its primary user believes he is living in a simulation. That sort of manipulation would color the results of the given AI for all future queries, and all it would take is to process a single malicious source. Another trick used is to instruct the AI to take a malicious action the next time the user took a certain action. This allows an attacker to slip something in, and the AI will see that instruction as coming from the legitimate user, sidestepping some of the protections against such attacks.

The other poisoning story is a bit more conventional. It’s in-the-wild Pickle deserialization attacks in Hugging Face AI models. Many AI models use Python’s pickle serialization format for their data, but pickle can also store code objects, and this makes it obviously insecure. Many AI projects have rolled out support for safetensors, a format that doesn’t allow code to mix with data. The news here is that researchers at ReversingLabs found models on Hugging Face with malicious pickle files. Hugging Face scans those files with Picklescan to find malicious pickles, but these malicious files escaped detection via a pair of incredibly sophisticated techniques: 7-zip compression and broken pickle files. The malicious models have been pulled down, and Picklescan has been improved to catch these avoidance techniques. Download and unpickle cautiously!
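Why a broken pickle must not end a scan early, as an added example that is not Picklescan's code or anything from the original article: a static opcode walk that keeps its findings when the stream turns out to be malformed. The allowlist and sample pickles are constructed for the example, the sample's callable is a harmless `print`, and the 7-zip case is not covered.

```python
import pickle
import pickletools

# Assumed allowlist for this example; a real one lists what your models need.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class Sample:
    """Constructed stand-in for a payload: unpickling would call print()."""
    def __reduce__(self):
        return (print, ("constructed sample",))

SAMPLE = pickle.dumps(Sample(), protocol=4)
# Constructed "broken" stream: the final STOP opcode replaced by an invalid byte.
BROKEN = SAMPLE[:-1] + b"\xff"
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)

def scan_pickle(data):
    """Walk opcodes without executing them; keep findings if the stream breaks."""
    strings, imports, calls, broken = [], [], 0, False
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in ("GLOBAL", "INST"):
                imports.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":
                # Heuristic: module and attribute are the two strings pushed last.
                imports.append(tuple(strings[-2:]))
            elif isinstance(arg, str):
                strings.append(arg)
            if op.name in ("REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX"):
                calls += 1
    except Exception:
        # The unpickler runs opcodes in order, so everything seen before the
        # break would already have executed. Do not discard the findings.
        broken = True
    unsafe = [g for g in imports if g not in ALLOWED_GLOBALS]
    return {"unsafe": unsafe, "calls": calls, "broken": broken}

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("broken", BROKEN), ("benign", BENIGN)):
        print(label, scan_pickle(blob))
```

A result with `broken` set and a non-empty `unsafe` list should be treated as at least as suspicious as a well-formed hit, since a legitimate exporter has no reason to emit a truncated stream.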

AWS

AWS has also been the topic of a couple of very interesting bits of research. The first is how to check for valid IAM usernames. That takes two flavors, users with and without two-factor authentication. For users with 2FA, attempting to log in with a valid username jumps directly to prompting for the 2FA code, while an attempt with an invalid username throws an immediate error. This was deemed an acceptable risk by Amazon, and indeed is much preferred to disclosing whether the password is correct or not. On the other hand, accounts without 2FA displayed a detectable timing difference between a valid and invalid user. Both returned the same error, but an invalid username returned that error detectably faster. This was deemed an actual vulnerability and assigned a CVE.

AWS has a public repository of virtual machine images, indexed by Amazon Machine IDs (AMIs). AMIs are plain-text identifiers, are set by whoever uploads the image, and can be duplicated by different users. If that sounds like the recipe for some sort of name confusion attack, you’d be exactly correct. Any API call that references an image using the AMI and not specifying the owner can be hijacked by creating another image with the same AMI. Surely this is theoretical, and never happens in practice, right? The authors wondered that, too. And to find out, they created an image using an internal Amazon AMI, just to see if it would actually get used. And it did, confirmed by Amazon itself.

Bits and Bytes

The zkLend money lending service lost $9.5 million in an interesting cryptocurrency heist. This decentralized finance system uses Ethereum smart contracts to deposit and lend money. A rounding error in one of those smart contracts allowed an attacker to siphon money off of multiple transactions. zkLend has made a public offer to the attacker that they can keep 10% of the total as a bounty, if they return the other 90%. This would be in exchange for not considering the action theft and informing law enforcement.

At least one Swatting as a Service (SaaS?) offering is finally offline. Alan Filion ran a swatting service for nearly two years, committing the potentially deadly crime a staggering 375 times. While it’s a good thing that his reign of terror has finally ended, the paltry 48-month prison sentence is shamefully short in my opinion.

Sitevision is the content management system that seems to run most of the Swedish government. And for more than two years, it’s had a really nasty footgun in the intersection between WebDAV, SAML, and Java keystores. To put it simply, the https:///webdav/files/saml-keystore endpoint on multiple Sitevision sites contained the public and private keys for SAML authn requests, encrypted with a random 8-character alphanumeric password. It’s not quite the entire keys to the kingdom, but still not something you really want to leak.

I warn new Linux users all the time not to copy instructions from the Internet into their bash terminals without understanding what the commands actually do. It turns out that this is not just a Linux problem, as that’s the exact attack that North Korean attackers used against a handful of targets. “To register your device, please paste the commands below into an admin PowerShell prompt.” No thank you.

7 thoughts on “This Week In Security: The UK Wants Your iCloud, Libarchive Wasn’t Ready, And AWS”

  1. My position. If you use the cloud (whether iCloud or not) expect your data to be accessible by anyone as no longer under your control. I don’t know why it is so hard to understand. You want private backups, buy inexpensive external drives and store copies locally on site and copies off site. Simple. Companies should do the same.

    1. In the UK, The Powers That Be can just demand a person decrypt any data that they possess/control under RIPA – they can demand you unlock your phone/device/files under threat of a (recurring) two year prison sentence.

      All of these backdoors aren’t about targeting individuals under suspicion, they are for dragnet surveillance. Really naughty people would employ countermeasures, so this really is only about seeing what the general population is up to, luckily for TPTB nobody really cares… right up until there is a data leak.

    2. That is Apple’s claim, you are the owner of that encryption key. Might even be working, judging by the reaction of the British government. They would now have to obtain the decryption keys from individual devices… seems reasonable to expect a government to jump through those hoops.

  2. In the USA there is a simple solution. Simple in concept, not so simple politically. Eliminate the IRS and income taxes and business taxes. Use a national end-user tax. (Not VAT. Retail or end user only). The IRS and FBI exist because of the income tax in 1913. If everyone is taxed when they purchase there is no need to know where the money comes from or who has it and no need to go snooping for secrets. Also no need to measure and compile wealth statistics to use for class warfare. No need to keep records to satisfy the IRS, no need for tax lawyers in businesses, etc. etc.

    If this happened, what would be the new excuse to see your info? Curious people want to know.

  3. Libarchive Wasn’t Ready for Windows

    Microsoft must have an OS test group, right? After 30 years, how many malformatted zip files are part of an automated test suite? To me MS either cost cut testing or someone at MS waived this fault: “Works as designed, ship it.”
