Google warns of unauthorized TLS certificates trusted by almost all OSes [Updated]

In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.

The bogus transport layer security certificates are trusted by all major operating systems and browsers, although an additional check known as public key pinning prevented the Chrome and Firefox browsers from accepting those that vouched for the authenticity of Google properties, Google security engineer Adam Langley wrote in a blog post published Monday. Pinning ties a domain to a small set of expected public keys, so a certificate that chains to a trusted root but not through one of those keys is rejected even though ordinary path validation would accept it. The certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC). CNNIC, a Chinese domain registrar and certificate authority, is in turn included in the root stores of virtually all OSes and browsers.
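The two-stage decision described above, as an added example that is not Google's, Chrome's or Langley's code: a toy PKI is built in memory with two trusted roots, a pin set covering only "Root A" and the site's own intermediate (standing in for Chrome's built-in pin list), and a www.google.com certificate issued by a rogue intermediate under "Root B" (the CNNIC/MCS-style path). All names, keys and the pin set are constructed for the demo; the SPKI hash format is the base64(SHA-256(SubjectPublicKeyInfo)) form HPKP uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// certKey pairs a parsed certificate with its private key.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent's key; a nil parent produces a self-signed root.
func issue(tmpl *x509.Certificate, parent *certKey) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fatal for this demo
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for a demo
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certKey{cert: cert, key: key}
}

// template builds a CA template named cn, or a server template whose SAN is cn.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)): pins identify keys, not certificates.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches is the extra check: some certificate in the validated chain must carry a pinned key.
func pinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// Outcome records what the root store and the pin set each decide for one chain.
type Outcome struct{ Trusted, Pinned bool }

// Scenario trusts two roots but pins only Root A and the site's own intermediate, then
// presents www.google.com certificates from that intermediate and from a rogue one under Root B.
func Scenario() (legit, rogue Outcome) {
	const host = "www.google.com"
	rootA, rootB := issue(template("Root A", true), nil), issue(template("Root B", true), nil)
	siteInter := issue(template("Site intermediate", true), rootA)
	rogueInter := issue(template("Rogue intermediate", true), rootB)
	roots := x509.NewCertPool()
	roots.AddCert(rootA.cert)
	roots.AddCert(rootB.cert)
	pins := map[string]bool{spkiPin(rootA.cert): true, spkiPin(siteInter.cert): true}
	check := func(inter *certKey) Outcome {
		leaf := issue(template(host, false), inter)
		inters := x509.NewCertPool()
		inters.AddCert(inter.cert)
		chains, err := leaf.cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
		if err != nil {
			return Outcome{} // rejected by path validation; pins are never consulted
		}
		return Outcome{Trusted: true, Pinned: pinMatches(chains[0], pins)}
	}
	return check(siteInter), check(rogueInter)
}
```

Calling Scenario() yields Trusted=true, Pinned=true for the site's own chain and Trusted=true, Pinned=false for the rogue one: the root store alone would have accepted the misissued certificate, and only the pin set catches it. Note that pinning only helps where a pin list exists, which is why Langley's post could vouch for Chrome and Firefox but not for every client that trusts CNNIC's root.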

The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential. In early 2012, critics blasted US-based CA Trustwave for doing much the same thing, and Langley noted an example of a France-based CA that has also run afoul of the policy.


Chrome for Mac no longer crashes when loading strings that can’t be named

Users of Google Chrome for Mac are no longer vulnerable to a short string of characters from a non-Latin script that for more than six weeks triggered a crash each time the browser attempted to render it.

The forbidden three-character string was reported in February on Google's official Chromium developer site. To prevent her Mac-based version of Chrome from crashing before the bug report could be posted, the author uploaded the string to a separate page rather than pasting it into the report itself. Sure enough, when opened with most versions of Chrome for OS X, the characters caused the tab to crash and display the familiar "Aw, Snap!" error message.

Late last week, reports of the denial-of-service string that must not be named emerged again. When viewed in TweetDeck and Apple's Safari browser, the string appeared as a series of rectangles that had no visible effect on the functioning of the applications. But when rendered in Chrome for Mac, the string immediately triggered the crash and error message.


Yasca – Multi-Language Static Analysis Toolset

Yasca is an open source program that looks for security vulnerabilities, code quality problems, performance issues, and conformance to best practices in program source code. It is, in effect, a toolkit for multi-language static analysis. Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other...

Read the full post at darknet.org.uk

Hilton website flaw let hackers hijack any Honors member’s account

Hilton Hotels & Resorts has patched a gaping hole in its website that let anyone with a Hilton Honors account take over another account simply by knowing or guessing its 9-digit number. All an attacker had to do, according to security experts Brandon Potter and JB Snyder of consulting and testing firm Bancsec, was log in to any Hilton Honors account, alter the account number embedded in the page's HTML, and reload the page.

The story was broken in an article published Monday on KrebsOnSecurity. Krebs wrote:

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address, and the last four digits of any credit card on file.

I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed.

"Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information."

Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

The CSRF flaw was doubly dangerous because Hilton’s site didn’t require logged-in users to re-enter their current passwords before picking a new one.

Making matters worse, a PIN reset page on the Hilton website readily told visitors whether a specific nine-digit combination was a valid account number. Attackers could have used the page to generate a list of valid account numbers and then accessed each one using the CSRF vulnerability. Ironically, the vulnerability was discovered through a recent Hilton campaign that awarded 1,000 free award points to people who changed their online password prior to April 1, after which the change was to become mandatory.
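The two weaknesses described above (a password-change handler that acts on whatever account number the client submits, without asking for the current password, and a reset page that confirms which numbers are real), each beside a hardened version, as an added example. This is not Hilton's or Bancsec's code; the member numbers, passwords, session cookie and messages are constructed for the demo, and the in-memory maps stand in for a real backend.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

func hashPw(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// Constructed in-memory stand-in for the loyalty site's backend: nine-digit
// member number -> hex SHA-256 of the password (a real site would use a slow hash).
var members = map[string]string{
	"123456789": hashPw("alice-secret"),
	"987654321": hashPw("bob-secret"),
}

// sessions maps a session cookie value to the member number that logged in.
var sessions = map[string]string{"sess-alice": "123456789"}

func sessionMember(r *http.Request) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	num, ok := sessions[c.Value]
	return num, ok
}

// VulnerableChangePassword reproduces the flaw: it checks only that someone is
// logged in, then trusts a hidden "account" form field to decide whose password
// changes, and never asks for the current password.
func VulnerableChangePassword(w http.ResponseWriter, r *http.Request) {
	if _, ok := sessionMember(r); !ok {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	target := r.FormValue("account") // attacker edits this in the page's HTML
	if _, ok := members[target]; !ok {
		http.Error(w, "no such account", http.StatusNotFound)
		return
	}
	members[target] = hashPw(r.FormValue("new_password"))
}

// HardenedChangePassword takes the target account from the session alone,
// ignores any posted account number, and re-authenticates with the current password.
func HardenedChangePassword(w http.ResponseWriter, r *http.Request) {
	num, ok := sessionMember(r)
	if !ok {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	supplied := []byte(hashPw(r.FormValue("current_password")))
	if subtle.ConstantTimeCompare(supplied, []byte(members[num])) != 1 {
		http.Error(w, "current password incorrect", http.StatusForbidden)
		return
	}
	members[num] = hashPw(r.FormValue("new_password"))
}

// VulnerablePinReset is the enumeration oracle: its reply says whether a number is real.
func VulnerablePinReset(number string) string {
	if _, ok := members[number]; ok {
		return "A reset code has been sent to the email on file"
	}
	return "Account number not found"
}

// HardenedPinReset returns the same message either way; whether an email is
// actually queued is decided server-side and never reflected in the page.
func HardenedPinReset(number string) (reply string, emailQueued bool) {
	_, emailQueued = members[number]
	return "If that account number exists, a reset code has been sent to the email on file", emailQueued
}

// Post submits form to h as a browser would, carrying the given session cookie.
func Post(h http.HandlerFunc, cookie string, form url.Values) int {
	r := httptest.NewRequest("POST", "/change-password", strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code
}

// PasswordIs reports whether the member's current password is pw.
func PasswordIs(number, pw string) bool {
	h, ok := members[number]
	return ok && h == hashPw(pw)
}
```

Posting account=987654321 with Alice's session to VulnerableChangePassword resets Bob's password; the same request to HardenedChangePassword is refused with 403 until Alice supplies her own current password, and even then only her own record changes. The reset-page pair shows the other half of the fix: with identical replies for real and bogus numbers, the nine-digit space can no longer be sieved for live accounts before the takeover step.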

Read on Ars Technica