Stories with Tag software vulnerabilities

• Technical Analysis – Improper Use of Private iOS APIs in Vietnamese Banking Apps

  permalink

  Posted: 2025-03-28 07:04:01

  Verbose tl;dr

  Verichains' analysis reveals that several Vietnamese banking apps improperly use private iOS APIs, potentially jeopardizing user security and app stability. These apps employ undocumented functions to gather device information, bypass sandbox restrictions, and manipulate UI elements, likely in pursuit of enhanced functionality or anti-fraud measures. However, reliance on these private APIs violates Apple's developer guidelines and creates risks, as these APIs can change without notice, leading to app crashes or malfunctions. Furthermore, this practice exposes users to potential security vulnerabilities that malicious actors could exploit. The report details specific examples of private API usage within these banking apps and emphasizes the need for developers to adhere to official guidelines for a safer and more reliable user experience.

  Verichains' blog post, "Technical Analysis – Improper Use of Private iOS APIs in Vietnamese Banking Apps," details a security vulnerability discovered within several prominent Vietnamese banking applications for iOS. The core issue stems from these apps' utilization of private, undocumented APIs within the iOS operating system. While Apple provides a robust and well-defined set of public APIs for developers to interact with iOS functionalities, these private APIs are not officially supported and are subject to change or removal without notice. Relying on these internal mechanisms creates a precarious situation for both the application developers and, more importantly, the end-users.

  The post meticulously outlines how Verichains researchers identified this vulnerability by conducting a thorough analysis of several popular Vietnamese banking apps. They explain that the use of private APIs exposes these applications to several potential risks. Firstly, because these APIs are undocumented, their behavior and functionality can be altered or completely removed in future iOS updates. This can lead to unexpected application crashes, malfunctions, or even complete breakdowns in functionality when users update their devices. Secondly, and perhaps more concerning, the use of private APIs can potentially create security loopholes that malicious actors can exploit. Since these APIs are not vetted through the same rigorous public review process as public APIs, they may contain undisclosed vulnerabilities that can be leveraged to compromise user data or gain unauthorized access to sensitive information.

  The researchers further elaborate on the specific private APIs being misused, including those related to obtaining device information and network status. They demonstrate how these APIs are being employed by the banking apps and explain the potential security implications of each specific instance. The post also includes technical details, such as code snippets and analysis of the apps' internal workings, to substantiate their findings and provide a clear understanding of the vulnerability's technical aspects.

  Verichains emphasizes the severity of these vulnerabilities, highlighting the potential for significant user data breaches and financial losses should these weaknesses be exploited. The blog post concludes by advocating for increased awareness and vigilance amongst developers regarding the proper use of iOS APIs. It urges developers to strictly adhere to Apple's official guidelines and avoid utilizing private APIs in their applications, emphasizing the importance of prioritizing secure and stable app development practices to safeguard user data and maintain the integrity of their applications. This proactive approach, they argue, is crucial for mitigating potential risks and ensuring the long-term security and functionality of iOS applications, particularly within sensitive sectors like banking and finance.

  • iOS
  • Mobile Security
  • Banking Security
  • API Misuse
  • Private APIs
  • Vietnam
  • App Security
  • technical analysis
  • software vulnerabilities
  • Reverse Engineering

  Summary of Comments ( 7 )
  https://news.ycombinator.com/item?id=43502385

  Verbose tl;dr

  Several Hacker News commenters discuss the implications of the Verichains blog post, focusing on the potential security risks of using private APIs. Some express surprise at the prevalence of this practice, while others point out that using private APIs is a common, though risky, way to achieve certain functionalities not readily available through public APIs. The discussion touches on the difficulty of Apple enforcing its private API rules, particularly in regions like Vietnam where regulatory oversight might be less stringent. Commenters also debate the ethics and pragmatism of this practice, acknowledging the pressure developers face to deliver features quickly while also highlighting the potential for instability and security vulnerabilities. The thread includes speculation about whether the use of private APIs is intentional or due to a lack of awareness among developers.

  The Hacker News post titled "Technical Analysis – Improper Use of Private iOS APIs in Vietnamese Banking Apps" has generated several comments discussing the implications of the article's findings.

  Several commenters focused on the security risks associated with using private APIs. One commenter highlights the potential for malicious apps to exploit these same private APIs, potentially bypassing security measures or accessing sensitive user data. They mention the "walled garden" approach of iOS and how circumventing it introduces vulnerabilities. Another commenter reinforces this by pointing out that Apple explicitly warns against using private APIs, and doing so can lead to app rejection from the App Store. They express concern that these banking apps were able to get through the review process despite this violation.

  The discussion also touches on the motivations behind using private APIs. One commenter speculates that developers might resort to private APIs due to limitations or perceived deficiencies in the public APIs provided by Apple. They suggest that this situation highlights a potential gap in functionality offered by official means. Another commenter cynically suggests that the developers might be knowingly taking shortcuts to achieve desired functionality without going through proper channels or investing in more robust solutions.

  A few commenters discuss the implications for users of these banking apps. One expresses concern about the potential for data breaches or other security compromises due to the use of these private APIs. Another commenter questions the overall security posture of these Vietnamese banks, suggesting a lack of due diligence in their app development practices.

  The conversation also drifts towards the broader issue of private API usage and app store review processes. One commenter questions the effectiveness of Apple's app review process in catching these violations. Another commenter mentions the cat-and-mouse game between developers trying to use private APIs and Apple trying to prevent them. They note that this is an ongoing issue and that developers often find creative ways to circumvent the restrictions.

  Finally, one commenter questions the severity of the issue, suggesting that the specific private APIs mentioned in the article might not pose a significant security risk. However, this is countered by another commenter who emphasizes that any use of private APIs is a violation of Apple's guidelines and opens the door to potential security vulnerabilities, regardless of the specific APIs used.

• Entropy Attacks

  permalink

  Posted: 2025-03-25 12:20:38

  Verbose tl;dr

  The blog post "Entropy Attacks" argues against blindly trusting entropy sources, particularly in cryptographic contexts. It emphasizes that measuring entropy based solely on observed outputs, like those from /dev/random, is insufficient for security. An attacker might manipulate or partially control the supposedly random source, leading to predictable outputs despite seemingly high entropy. The post uses the example of an attacker influencing the timing of network packets to illustrate how seemingly unpredictable data can still be exploited. It concludes by advocating for robust key-derivation functions and avoiding reliance on potentially compromised entropy sources, suggesting deterministic random bit generators (DRBGs) seeded with a high-quality initial seed as a preferable alternative.

  Daniel J. Bernstein, in his blog post "Entropy Attacks," meticulously dissects the concept of entropy estimation within the realm of cryptography, specifically focusing on its application in generating supposedly random numbers for cryptographic keys. He argues that conventional entropy estimation techniques are fundamentally flawed and can lead to significant security vulnerabilities, leaving systems susceptible to attack. Instead of relying on abstract statistical measures of entropy, Bernstein advocates for a more concrete and pragmatic approach: demonstrably obtaining unpredictable bits.

  Bernstein begins by elucidating the conventional wisdom regarding entropy estimation. This approach typically involves analyzing the potential sources of randomness within a system, such as mouse movements, keyboard timings, or network activity. Each source is assigned an estimated entropy value, reflecting the perceived unpredictability of its output. These individual entropy estimations are then combined to determine the overall entropy of the generated random numbers.

  However, Bernstein argues that these estimations are inherently imprecise and often overly optimistic. He points out that attackers may possess more knowledge about the system than assumed, enabling them to predict the supposedly random bits with higher accuracy than the entropy estimations would suggest. He illustrates this with several examples where seemingly random sources can be influenced or predicted by an astute attacker. For instance, an attacker might analyze network traffic patterns or exploit vulnerabilities in peripheral drivers to gather information about the "random" data being collected.

  Furthermore, Bernstein criticizes the common practice of combining entropy estimates from different sources. He contends that simply adding the individual entropy values doesn't accurately represent the overall entropy, as the sources may be correlated or influenced by common factors. This can lead to a significant overestimation of the true randomness of the generated numbers.

  Instead of relying on these potentially flawed entropy estimations, Bernstein proposes an alternative approach focused on acquiring demonstrably unpredictable bits. He suggests using sources of randomness that are inherently difficult to predict, even by a well-informed attacker. One such example is utilizing high-quality random number generators based on physical phenomena, like radioactive decay or thermal noise, which are inherently unpredictable. Another approach is to leverage publicly verifiable randomness beacons, which provide publicly accessible random bits generated through robust and transparent processes.

  He further emphasizes the importance of rigorous testing and verification of the randomness generation process. Instead of relying on theoretical entropy estimations, Bernstein advocates for empirical testing using statistical randomness tests to ensure the generated numbers exhibit the expected properties of true randomness.

  In conclusion, Bernstein's "Entropy Attacks" serves as a cautionary tale against overreliance on conventional entropy estimations in cryptography. He argues that these estimations are often inaccurate and can lead to a false sense of security. He advocates for a shift towards demonstrably acquiring unpredictable bits and rigorously testing the randomness of generated numbers, ensuring the security of cryptographic systems against potential attacks.

  • entropy
  • Cryptography
  • Security
  • random number generation
  • rng
  • CSPRNG
  • prng
  • Debian
  • Linux
  • Operating Systems
  • software vulnerabilities
  • attacks
  • information theory

  Summary of Comments ( 13 )
  https://news.ycombinator.com/item?id=43470339

  Verbose tl;dr

  The Hacker News comments discuss the practicality and effectiveness of entropy-reduction attacks, particularly in the context of Bernstein's blog post. Some users debate the real-world impact, pointing out that while theoretically interesting, such attacks often rely on unrealistic assumptions like attackers having precise timing information or access to specific hardware. Others highlight the importance of considering these attacks when designing security systems, emphasizing defense-in-depth strategies. Several comments delve into the technical details of entropy estimation and the challenges of accurately measuring it. A few users also mention specific examples of vulnerabilities related to insufficient entropy, like Debian's OpenSSL bug. The overall sentiment suggests that while these attacks aren't always easily exploitable, understanding and mitigating them is crucial for robust security.

  The Hacker News post titled "Entropy Attacks" links to a blog post by Daniel J. Bernstein on entropy estimation. The discussion in the comments section revolves around the complexities and nuances of entropy estimation, particularly in the context of cryptographic systems. Several commenters engage with the technical details presented in Bernstein's post.

  One commenter highlights the difficulty of estimating entropy accurately, especially when dealing with real-world sources that might not exhibit ideal randomness. They mention the "haveged" program as an example of a tool attempting to generate entropy from hardware events, but acknowledge the challenges in ensuring its true randomness.

  Another commenter delves into the distinction between Shannon entropy and min-entropy, emphasizing that cryptographic operations rely on min-entropy for security. They point out that measuring min-entropy is inherently more difficult than measuring Shannon entropy.

  The idea of "compressing" randomness into a smaller, higher-entropy form is also discussed. Commenters explain that while it's possible to extract a shorter, more uniformly random string from a longer, less random one, this process doesn't magically create entropy. The output's entropy is fundamentally limited by the input's entropy.

  One comment specifically references the use of cryptographic hash functions as randomness extractors. They explain how these functions can transform a source with uneven entropy distribution into a more uniformly random output, suitable for cryptographic keys.

  A few commenters touch upon the practical implications of entropy estimation in system security. They acknowledge the difficulty of achieving truly random numbers in software and mention hardware random number generators (RNGs) as a more reliable source. They also discuss how insufficient entropy can lead to vulnerabilities in security systems.

  Finally, some comments offer further reading on related topics, such as the NIST publication on entropy sources and various academic papers on randomness extraction. Overall, the comments section provides valuable insights and perspectives on the challenges of entropy estimation and its crucial role in cryptography.

• Nvidia Security Team: “What if we just stopped using C?” (2022)

  permalink

  Posted: 2025-02-10 09:16:04

  Verbose tl;dr

  Nvidia's security team advocates shifting away from C/C++ due to its susceptibility to memory-related vulnerabilities, which account for a significant portion of their reported security issues. They propose embracing memory-safe languages like Rust, Go, and Java to improve the security posture of their products and reduce the time and resources spent on vulnerability remediation. While acknowledging the performance benefits often associated with C/C++, they argue that modern memory-safe languages offer comparable performance while significantly mitigating security risks. This shift requires overcoming challenges like retraining engineers and integrating new tools, but Nvidia believes the long-term security gains outweigh the transitional costs.

  In a 2022 blog post titled "Nvidia Security Team: 'What if we just stopped using C?'" hosted on the AdaCore blog, the author discusses a presentation given by Nvidia's security team exploring the possibility of transitioning away from C and C++ in their codebase due to the inherent security risks associated with these languages. The post emphasizes the prevalence of memory safety vulnerabilities, such as buffer overflows, use-after-free errors, and double frees, which plague C and C++ development and contribute significantly to exploitable security flaws. These vulnerabilities arise from the manual memory management paradigm prevalent in these languages, giving developers extensive control over memory allocation and deallocation, but also leaving them prone to errors.

  The Nvidia team highlighted the increasing cost and complexity of mitigating these vulnerabilities, outlining the various techniques they currently employ, including code reviews, static analysis tools, and dynamic analysis tools like sanitizers. While acknowledging the effectiveness of these methods to a certain extent, they pointed out that these strategies are reactive rather than preventative and require significant ongoing investment. Furthermore, these mitigations don't address the root cause of the problem: the inherent unsafety of manual memory management.

  The post then elaborates on Nvidia's exploration of alternative, memory-safe languages like Rust, Go, and Ada. The blog post focuses particularly on Ada and SPARK, a formally verifiable subset of Ada, emphasizing their robust type system, compile-time error checking, and built-in memory safety features as attractive alternatives to the vulnerabilities of C and C++. The argument presented is that these languages, through their design and features, inherently prevent many of the memory-related vulnerabilities that plague C and C++, leading to more secure code by design.

  While acknowledging the significant undertaking of migrating away from a large, established C/C++ codebase, the Nvidia team expressed a belief that the long-term benefits in terms of improved security, reduced development costs associated with vulnerability mitigation, and a more robust and reliable software ecosystem justify the investment. The post concludes by highlighting Ada and SPARK as strong contenders for replacing C and C++ in safety-critical and security-sensitive applications, and portrays Nvidia's exploration as a significant indication of the growing industry interest in memory-safe languages for mitigating increasingly prevalent and costly security vulnerabilities. This exploration signals a potential shift in programming paradigms for large organizations concerned with software security, moving towards languages that prioritize memory safety by design.

  • Nvidia
  • Security
  • C Programming Language
  • Memory Safety
  • software vulnerabilities
  • Rust
  • C++
  • Ada
  • Programming Languages
  • Software Development
  • 2022

  Summary of Comments ( 148 )
  https://news.ycombinator.com/item?id=42998383

  Verbose tl;dr

  Hacker News commenters largely agree with the AdaCore blog post's premise that C is a major source of vulnerabilities. Many point to Rust as a viable alternative, highlighting its memory safety features and performance. Some discuss the practical challenges of transitioning away from C, citing legacy codebases, tooling, and the existing expertise surrounding C. Others explore alternative approaches like formal verification or stricter coding standards for C. A few commenters push back on the idea of abandoning C entirely, arguing that its performance benefits and low-level control are still necessary for certain applications, and that focusing on better developer training and tools might be a more effective solution. The trade-offs between safety and performance are a recurring theme.

  The Hacker News post titled "Nvidia Security Team: “What if we just stopped using C?” (2022)" has generated a lively discussion with numerous comments. Many commenters agree with the premise that C is inherently unsafe and contributes significantly to software vulnerabilities. Several suggest Rust as a strong contender for replacing C, citing its memory safety features and performance characteristics.

  A recurring theme is the inertia within organizations and the perceived cost and effort of transitioning away from C. Some commenters express skepticism about the feasibility of such a move, particularly in large, established codebases. Others counter this by arguing that the long-term benefits of improved security and reduced maintenance outweigh the initial investment.

  Several compelling comments delve deeper into specific aspects:

  • Some discuss the cultural shift required within development teams to adopt new languages and practices. They emphasize the importance of training and education in ensuring a successful transition.
  • Others point out that while Rust offers advantages, it's not a silver bullet. It has a steeper learning curve than C and may not be suitable for all use cases, especially those requiring very low-level control or interaction with legacy systems.
  • The idea of gradual migration is also discussed, where new code is written in safer languages like Rust while existing C code is maintained or incrementally rewritten. This approach is seen as more pragmatic than a complete overhaul.
  • Some comments highlight the success stories of other companies that have adopted Rust, citing improved security and developer productivity. These examples serve as evidence for the practicality of transitioning away from C.
  • A few commenters raise the issue of tooling and ecosystem maturity. While the Rust ecosystem is rapidly evolving, it's not as mature as C's, which could pose challenges for certain projects.
  • The performance comparison between C and Rust is also a point of discussion. While Rust is generally considered performant, there are specific scenarios where C might offer slight advantages, though these are becoming increasingly rare.

  The comments overall reflect a general sentiment that while moving away from C is a significant undertaking, it is a necessary step towards building more secure and reliable software. The discussion acknowledges the complexities and challenges involved but also expresses optimism about the potential benefits and the growing momentum behind safer alternatives like Rust.

• U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, First-Ever Report

  permalink

  Posted: 2025-02-06 14:35:04

  Verbose tl;dr

  A newly released U.S. government report reveals that 39 zero-day vulnerabilities were disclosed in 2023. This marks the first time the Cybersecurity and Infrastructure Security Agency (CISA) has publicly shared this data, which is gathered through its Vulnerability Disclosure Policy (VDP). The report covers vulnerabilities affecting a range of vendors, including Google, Apple, and Microsoft, and provides insights into the types of vulnerabilities reported, though specific details are withheld to prevent exploitation. The goal of this increased transparency is to improve vulnerability remediation efforts and bolster overall cybersecurity.

  The Cybersecurity and Infrastructure Security Agency (CISA), a crucial component of the United States government's cybersecurity apparatus, has released its inaugural report detailing the disclosure of zero-day vulnerabilities throughout the calendar year 2023. This landmark report, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), sheds light on a critical aspect of national cybersecurity: the identification and mitigation of software flaws exploited by malicious actors before developers have the opportunity to create and deploy patches. The report reveals a significant number of such vulnerabilities, precisely 39, affecting a wide range of software products utilized across diverse sectors of critical infrastructure.

  The disclosed vulnerabilities, classified as zero-days due to their active exploitation prior to public knowledge and patch availability, represent a significant threat to national security and economic stability. These vulnerabilities can be leveraged by adversaries, including nation-state actors, cybercriminals, and hacktivist groups, to gain unauthorized access to sensitive systems, disrupt essential services, exfiltrate confidential data, and potentially cause substantial physical damage. The CISA report meticulously documents each vulnerability, providing detailed information on the affected vendor, product, assigned Common Vulnerabilities and Exposures (CVE) identifier, and the date of public disclosure. This comprehensive approach aims to enhance transparency and facilitate a more coordinated response from both government entities and private sector organizations.

  The 39 vulnerabilities detailed in the report impacted a range of vendors, including prominent technology companies such as Google, Apple, and Microsoft. The affected products encompass various operating systems, web browsers, and other commonly used software applications integral to the functioning of critical infrastructure sectors like healthcare, energy, transportation, and financial services. The timely disclosure of these vulnerabilities, facilitated by CISA's established reporting mechanisms, is crucial for enabling affected vendors to develop and disseminate necessary security patches, thereby mitigating the risks associated with active exploitation. Furthermore, the report emphasizes the importance of proactive vulnerability management practices and encourages organizations to prioritize patching efforts and implement robust security controls to minimize their exposure to zero-day exploits.

  This first-of-its-kind report from CISA signifies a pivotal step towards bolstering national cybersecurity resilience. By providing a comprehensive overview of disclosed zero-day vulnerabilities, CISA empowers organizations to better understand the evolving threat landscape and take proactive measures to safeguard their systems against these sophisticated attacks. The report also underscores the ongoing need for collaboration between government and industry to effectively address the shared challenge of identifying, disclosing, and mitigating zero-day vulnerabilities. The insights gleaned from this annual reporting requirement will undoubtedly inform future cybersecurity strategies and contribute to a more secure and resilient digital ecosystem for the nation.

  • Cybersecurity
  • zero-day
  • Vulnerability
  • US Government
  • disclosure
  • CISA
  • National Security
  • software vulnerabilities
  • cyber attacks
  • information security
  • 2023 report
  • vulnerability disclosure program
  • VDP

  Summary of Comments ( 23 )
  https://news.ycombinator.com/item?id=42962702

  Verbose tl;dr

  Hacker News users discussed the implications of the US government's first-ever report on zero-day vulnerability disclosures. Some questioned the low number of 39 vulnerabilities, speculating it represents only a small fraction of those actually discovered, with many likely being kept secret for offensive purposes. Others pointed out the inherent limitations in expecting complete transparency from intelligence agencies. Several comments highlighted the report's ambiguity regarding the definition of "zero-day," and whether it includes vulnerabilities actively exploited in the wild. There was also discussion around the value of such disclosures, with some arguing it benefits adversaries more than defenders. Finally, some commenters expressed concern about the potential for the government to hoard vulnerabilities for offensive capabilities, rather than prioritizing patching and defense.

  The Hacker News post discussing the U.S. government's disclosure of 39 zero-day vulnerabilities in 2023 has generated several comments. Many commenters focus on the implications of the report and the government's vulnerability equities process (VEP).

  One compelling line of discussion revolves around the question of whether disclosing 39 vulnerabilities is a high or low number. Some commenters express surprise that the number isn't higher, considering the vast attack surface the U.S. government manages. Others point out that the number might be understated, as the report only covers vulnerabilities discovered by the government itself, not those reported to them by third parties. There's also speculation about the severity of the disclosed vulnerabilities, as the report doesn't offer details on their impact.

  Another key area of discussion centers around the government's decision-making process regarding vulnerability disclosure. Commenters discuss the inherent tension between using vulnerabilities for intelligence gathering and protecting national security by patching them. Some express skepticism about the government's claim that they prioritize patching, while others acknowledge the difficult balancing act involved in the VEP. The lack of transparency in the VEP is also a recurring theme, with commenters calling for more insight into the criteria used for making disclosure decisions.

  Several commenters raise concerns about the potential for these disclosures to be weaponized by malicious actors. They point out that even with responsible disclosure, there's a window of vulnerability between the announcement and the release of patches, which attackers can exploit. This leads to a discussion about the importance of timely patching and the responsibility of software vendors to respond quickly to vulnerability reports.

  Finally, some comments focus on the significance of the report itself. Some see it as a positive step towards greater transparency and accountability, while others remain critical of the limited information provided. There's also discussion about the broader implications of government involvement in vulnerability research and disclosure, and the need for a clear legal and ethical framework for these activities.