Huge Vulnerability in WordPress 4.8

Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.

The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).

WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!
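To make the design point in the quoted fix concrete, here is an added example written for this page in Python; it is constructed code, not WordPress's wpdb and not anything from Ferrara's post, and every name in it is hypothetical. A toy prepare() that returns a finished SQL string can be fed its own output as a template, so a "%s" that arrived inside user data is treated as a placeholder on the second pass and the data boundary collapses. A prepare() that returns a statement object keeps the SQL text and the bound values apart until the driver binds them, so a second prepare has no string to work on and fails loudly instead.

```python
import re
import sqlite3


def prepare_string(sql, *params):
    """Toy model (constructed here; not WordPress's wpdb) of a prepare() that
    returns a finished SQL string. Each %s placeholder is replaced, left to
    right, by the next parameter, quoted and with embedded quotes doubled.
    The result is plain text, so nothing stops a caller from feeding it back
    in as a template."""
    values = iter(str(p).replace("'", "''") for p in params)
    return re.sub(r"%s", lambda _m: "'" + next(values, "") + "'", sql)


class PreparedQuery:
    """Toy model of the alternative the quoted fix recommends: prepare()
    returns an object that keeps the SQL text and the bound values apart
    until the database driver binds them. There is no string to re-prepare."""

    def __init__(self, sql, params):
        self.sql = sql
        self.params = tuple(params)

    def execute(self, conn):
        return conn.execute(self.sql, self.params).fetchall()


def prepare_object(sql, *params):
    # '?' is sqlite3's positional placeholder; the driver binds the values.
    return PreparedQuery(sql.replace("%s", "?"), params)


QUERY = "SELECT name FROM users WHERE name = %s"


def double_prepare_string(user_name, second_value):
    """Prepare once with user data, then prepare the resulting *string* again
    with another value, as code that receives an already-prepared query might.
    A '%s' that arrived inside user_name is treated as a placeholder on the
    second pass, so second_value lands inside what was supposed to be data."""
    first = prepare_string(QUERY, user_name)
    return prepare_string(first, second_value)


def reprepare_object_fails(user_name, second_value):
    """With the object form the same mistake cannot be made silently: the
    object is not a string, so a second prepare() call simply fails."""
    first = prepare_object(QUERY, user_name)
    try:
        prepare_object(first, second_value)
    except AttributeError:
        return True
    return False


def run_object_query(user_name):
    """Run the object form against an in-memory table. A user literally
    named '%s' is found as data, not interpreted as a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    # constructed sample rows
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("%s",)])
    return prepare_object(QUERY, user_name).execute(conn)


if __name__ == "__main__":
    print(double_prepare_string("alice", "bob"))  # second pass changes nothing
    print(double_prepare_string("%s", "bob"))     # second value replaces the data
    print(reprepare_object_fails("%s", "bob"))
    print(run_object_query("%s"))
```

The string form only misbehaves when user data happens to contain a placeholder, which is exactly why the bug class survives casual testing; the object form removes the possibility rather than relying on callers never to prepare twice.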

Read his post for all the gory details.

Facebook Security Force

A neat little tidbit about Facebook security in this post from The Verge. Good Guy Facebook proactively scans lists of hijacked accounts and warns users if they appear on one of these lists.

Facebook cross references credential dumps with its entire database of user credentials, then alerts any users that match to change their passwords. By signing up for Facebook, you’ve inadvertently entered yourself into its witness protection program, of sorts. During events like the Gawker credentials leak or Playstation Network security breach last year, Facebook alerted users if their passwords were on the loose.

via The Verge

How To: Hack Into OS X Lion

Yesterday one of two things happened: either a) I completely and entirely forgot my OS X login password or b) OS X refused to accept my password. I have no way of knowing which was the case, but regardless, I was unable to access my computer.

I almost had a major meltdown, until Google informed me that OS X Lion is horribly insecure! Horribly, horribly insecure.

You can gain access to (almost) anyone’s Lion account in 3 simple steps.

  1. Restart the machine in recovery mode by holding down cmd+r on reboot.
  2. Open terminal in the utilities menu.
  3. Type `resetpassword`.
Voila.

Am I missing something? Is this not as bad as I think it is?

Assault on the Hash (or how to make your passwords secure)

In a recent episode of Build & Analyze, Marco Arment (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*.

The solution: use bcrypt. Essentially, it's an extremely slow hashing algorithm.

To me this seems a little bit like security through obscurity: every once in a while, as CPU speed increases, you'll have to update your algorithm to generate hashes even more slowly.
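To make the cost factor concrete, here is an added example written for this page (not code from Marco Arment or from Build & Analyze). It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since both are deliberately slow hashes with an adjustable work factor, and it shows the part that addresses the concern above: the cost is stored next to the salt and digest, so when the policy number is raised, outdated hashes are detected at the next successful login and replaced without changing the format or the algorithm. The storage format, the constants and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Work-factor policy (assumed values for this example). Raising the iteration
# count is the "make it slower" step; because each stored hash records the
# count it was made with, hashes below the current policy can be found.
CURRENT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a self-describing string: algorithm$cost$salt$digest.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here; a fresh random salt
    means two users with the same password get different hashes."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_hash(stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password, stored):
    """Recompute with the salt and cost recorded in the stored hash, then
    compare in constant time so the check does not leak where it diverges."""
    iterations, salt, expected = parse_hash(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored):
    """True when the hash was made with a cost below the current policy."""
    iterations, _, _ = parse_hash(stored)
    return iterations < CURRENT_ITERATIONS


def login(password, stored):
    """Verify the password and, if the stored hash is outdated, return a
    fresh one to write back. The plaintext is only available at login,
    which is the one moment an old hash can be upgraded.
    Returns (ok, new_hash_or_None)."""
    if not verify_password(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    # constructed sample: a hash made under an older, cheaper policy
    old = hash_password("hunter2", iterations=10_000)
    print(needs_rehash(old))          # True
    ok, upgraded = login("hunter2", old)
    print(ok, needs_rehash(upgraded))  # True False
```

Bumping CURRENT_ITERATIONS is the whole migration: nothing is re-hashed in bulk (the plaintext is not available), and hashes made under the old cost keep verifying until their owners next log in.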

See also.

*A modern server can calculate over 300 MB of hash data per second!

How To Use Your iPhone to Stalk Yourself

It looks like the privacy hippies were finally right about something: your mobile phone really is a pocket-sized tracking device.

Turns out that as of iOS 4.0, iPhones have been tracking your physical movements and logging them along with the phone's backups.

A small team of researchers has discovered these logs in the iTunes backup files; they've released a handy little app that collects all the data from your user folder and plots it on a map. iPhoneTracker.app and further information available here.

Here is the visualization of everywhere I’ve been since Sept 28, 2010:

You can see lots of activity in and around Winnipeg (including trips up to Gimli and Victoria Beach), a flight to Toronto and subsequent travel around southern Ontario, and a road trip to Minneapolis. It's fascinating.

I’m not sure if this is a terrifying privacy hole or a neat little hidden feature. I’m leaning towards neat feature, since the data is stored locally on your computer and can be encrypted automatically by iTunes.

At this point in time a method for disabling the “feature” does not exist. I expect Apple will be responding in short order.