This Week In Security: AirBorne, EvilNotify, And Revoked RDP

May 2, 2025 by Jonathan Bennett 2 Comments

This week, Oligo has announced the AirBorne series of vulnerabilities in the Apple Airdrop protocol and SDK. This is a particularly serious set of issues, and notably affects MacOS desktops and laptops, the iOS and iPadOS mobile devices, and many IoT devices that use the Apple SDK to provide AirPlay support. It’s a group of 16 CVEs based on 23 total reported issues, with the ramifications ranging from an authentication bypass, to local file reads, all the way to Remote Code Execution (RCE).

AirPlay is a WiFi based peer-to-peer protocol, used to share or stream media between devices. It uses port 7000, and a custom protocol that has elements of both HTTP and RTSP. This scheme makes heavy use of property lists (“plists”) for transferring serialized information. And as we well know, serialization and data parsing interfaces are great places to look for vulnerabilities. Oligo provides an example, where a plist is expected to contain a dictionary object, but was actually constructed with a simple string. De-serializing that plist results in a malformed dictionary, and attempting to access it will crash the process.

Another demo is using AirPlay to achieve an arbitrary memory write against a MacOS device. Because it’s such a powerful primative, this can be used for zero-click exploitation, though the actual demo uses the music app, and launches with a user click. Prior to the patch, this affected any MacOS device with AirPlay enabled, and set to either “Anyone on the same network” or “Everyone”. Because of the zero-click nature, this could be made into a wormable exploit. Continue reading “This Week In Security: AirBorne, EvilNotify, And Revoked RDP” →

FLOSS Weekly Episode 831: Let’s Have Lunch

April 30, 2025 by Jonathan Bennett No comments

This week, Jonathan Bennett and Dan Lynch chat with Peter van Dijk about PowerDNS! Is the problem always DNS? How did PowerDNS start? And just how big can PowerDNS scale? Watch to find out!

Continue reading “FLOSS Weekly Episode 831: Let’s Have Lunch” →

This Week In Security: XRP Poisoned, MCP Bypassed, And More

April 25, 2025 by Jonathan Bennett 7 Comments

Researchers at Aikido run the Aikido Intel system, an LLM security monitor that ingests the feeds from public package repositories, and looks for anything unusual. In this case, the unusual activity was five rapid-fire releases of the xrpl package on NPM. That package is the XRP Ledger SDK from Ripple, used to manage keys and build crypto wallets. While quick point releases happen to the best of developers, these were odd, in that there were no matching releases in the source GitHub repository. What changed in the first of those fresh releases?

The most obvious change is the checkValidityOfSeed() function added to index.ts. That function takes a string, and sends a request to a rather odd URL, using the supplied string as the ad-referral header for the HTML request. The name of the function is intended to blend in, but knowing that the string parameter is sent to a remote web server is terrifying. The seed is usually the root of trust for an individual’s cryptocurrency wallet. Looking at the actual usage of the function confirms, that this code is stealing credentials and keys.

The releases were made by a Ripple developer’s account. It’s not clear exactly how the attack happened, though credential compromise of some sort is the most likely explanation. Each of those five releases added another bit of malicious code, demonstrating that there was someone with hands on keyboard, watching what data was coming in.

The good news is that the malicious releases only managed a total of 452 downloads for the few hours they were available. A legitimate update to the library, version 4.2.5, has been released. If you’re one of the unfortunate 452 downloads, it’s time to do an audit, and rotate the possibly affected keys. Continue reading “This Week In Security: XRP Poisoned, MCP Bypassed, And More” →

FLOSS Weekly Episode 830: Vibes

April 23, 2025 by Jonathan Bennett 4 Comments

This week, Jonathan Bennett and Randal Schwartz chat with Allen Firstenberg about Google’s AI plans, Vibe Coding, and Open AI! What’s the deal with agentic AI, how close are we to Star Trek, and where does Open Source fit in? Watch to find out!

Continue reading “FLOSS Weekly Episode 830: Vibes” →

This Week In Security: No More CVEs, 4chan, And Recall Returns

April 18, 2025 by Jonathan Bennett 7 Comments

The sky is falling. Or more specifically, it was about to fall, according to the security community this week. The MITRE Corporation came within a hair’s breadth of running out of its contract to maintain the CVE database. And admittedly, it would be a bad thing if we suddenly lost updates to the central CVE database. What’s particularly interesting is how we knew about this possibility at all. An April 15 letter sent to the CVE board warned that the specific contract that funds MITRE’s CVE and CWE work was due to expire on the 16th. This was not an official release, and it’s not clear exactly how this document was leaked.

Many people made political hay out of the apparent imminent carnage. And while there’s always an element of political maneuvering when it comes to contract renewal, it’s worth noting that it’s not unheard of for MITRE’s CVE funding to go down to the wire like this. We don’t know how many times we’ve been in this position in years past. Regardless, MITRE has spun out another non-profit, The CVE Foundation, specifically to see to the continuation of the CVE database. And at the last possible moment, CISA has announced that it has invoked an option in the existing contract, funding MITRE’s CVE work for another 11 months.

Continue reading “This Week In Security: No More CVEs, 4chan, And Recall Returns” →

FLOSS Weekly Episode 829: This Machine Kills Vogons

April 16, 2025 by Jonathan Bennett No comments

This week, Jonathan Bennett chats with Herbert Wolverson and Frantisek Borsik about LibreQOS, Bufferbloat, and Dave Taht’s legacy. How did Dave figure out that Bufferbloat was the problem? And how did LibreQOS change the world? Watch to find out!

Continue reading “FLOSS Weekly Episode 829: This Machine Kills Vogons” →

This Week In Security: AI Spam, SAP, And Ivanti

April 11, 2025 by Jonathan Bennett 13 Comments

AI continues to be used in new and exciting ways… like generating spam messages. Yes, it was inevitable, but we now have spammers using LLM to generate unique messages that don’t register as spam. AkiraBot is a Python-powered tool, designed to evade CAPTCHAs, and post sketchy SEO advertisements to web forms and chat boxes around the Internet.

AkiraBot uses a bunch of techniques to look like a legitimate browser, trying to avoid triggering CAPTCHAs. It also runs traffic through a SmartProxy service to spread the apparent source IP around. Some captured logs indicate that of over 400,000 attempted victim sites, 80,000 have successfully been spammed.

Continue reading “This Week In Security: AI Spam, SAP, And Ivanti” →

Hackaday

Author: Jonathan Bennett

479 Articles

This Week In Security: AirBorne, EvilNotify, And Revoked RDP

FLOSS Weekly Episode 831: Let’s Have Lunch

This Week In Security: XRP Poisoned, MCP Bypassed, And More

FLOSS Weekly Episode 830: Vibes

This Week In Security: No More CVEs, 4chan, And Recall Returns

FLOSS Weekly Episode 829: This Machine Kills Vogons

This Week In Security: AI Spam, SAP, And Ivanti

Search

Never miss a hack

If you missed it

Optical Contact Bonding: Where The Macro Meets The Molecular

What Happened To WWW.?

Libogc Allegations Rock Wii Homebrew Community

A Gentle Introduction To COBOL

The DIY 1982 Picture Phone

Our Columns

Supercon 2024: A Hacker’s Guide To Analog Design In A Digital World

Keebin’ With Kristina: The One With The Bobblehead

Hackaday Links: May 4, 2025

Knowing What’s Possible

Supercon 2024: Turning Talk Into Action

Search

Never miss a hack

Subscribe

If you missed it

Our Columns