Security Debt in Practice: Nuanced Insights from Practitioners
With today's increasing reliance on software and automation, tight deadlines, limited resources, and the prioritization of functionality over security can lead to insecure coding practices. When these constraints are not handled properly, unaddressed security vulnerabilities accumulate over...
Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on
Welcome to this week's edition of the Threat Source newsletter. Bidirectional communication is foundational to a well-built team regardless of environment. It's critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of th...
Book page text, count, and author/title length is not limited in PocketMine-MP
Impact: Players can fill book pages with as many characters as they like; the server does not check this. The maximum of 50 pages is also not enforced, so players can create "book bombs". This causes a variety of problems: - Oversized NBT on the wire costing excess bandwidth...
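The fix the advisory implies is a server-side bounds check on every client-supplied book edit before it is turned into NBT and stored or broadcast. The following is an added illustration in Python, not PocketMine-MP's own (PHP) code: the 50-page limit comes from the advisory, while the per-page, title and author byte limits and the `BookEdit`/`validate_book` names are assumptions chosen for the example. Lengths are measured in UTF-8 bytes because the cost the advisory describes is bytes of NBT on the wire and on disk, not characters.

```python
# Added example (not PocketMine-MP code): reject oversized book edits before
# they are serialised to NBT, so a "book bomb" never reaches disk or other clients.
from dataclasses import dataclass, field
from typing import List

MAX_PAGES = 50            # limit stated in the advisory
MAX_PAGE_BYTES = 256      # assumed per-page limit for illustration
MAX_TITLE_BYTES = 32      # assumed
MAX_AUTHOR_BYTES = 32     # assumed


@dataclass
class BookEdit:
    """Hypothetical decoded book-edit packet from a client (assumed shape)."""
    title: str
    author: str
    pages: List[str] = field(default_factory=list)


class BookValidationError(ValueError):
    """Raised when a client-supplied book exceeds a server-side limit."""


def _utf8_len(text: str) -> int:
    # NBT strings are length-prefixed UTF-8; count bytes, not code points,
    # so multi-byte characters cannot be used to slip past a character limit.
    return len(text.encode("utf-8"))


def validate_book(edit: BookEdit) -> BookEdit:
    """Return the edit unchanged if every field is within bounds, else raise."""
    if len(edit.pages) > MAX_PAGES:
        raise BookValidationError(
            f"too many pages: {len(edit.pages)} > {MAX_PAGES}")
    if _utf8_len(edit.title) > MAX_TITLE_BYTES:
        raise BookValidationError("title too long")
    if _utf8_len(edit.author) > MAX_AUTHOR_BYTES:
        raise BookValidationError("author too long")
    for index, page in enumerate(edit.pages):
        size = _utf8_len(page)
        if size > MAX_PAGE_BYTES:
            raise BookValidationError(
                f"page {index} too long: {size} bytes > {MAX_PAGE_BYTES}")
    return edit


def is_acceptable(edit: BookEdit) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_book(edit)
    except BookValidationError:
        return False
    return True


def total_page_bytes(edit: BookEdit) -> int:
    """Bytes of page text the server would otherwise have to store and resend."""
    return sum(_utf8_len(p) for p in edit.pages)


# Constructed sample inputs (not captured traffic).
NORMAL_BOOK = BookEdit(title="Notes", author="steve", pages=["hello"] * 10)
BOMB_BY_PAGE_COUNT = BookEdit(title="Bomb", author="griefer", pages=["x"] * 51)
BOMB_BY_PAGE_SIZE = BookEdit(title="Bomb", author="griefer", pages=["x" * 100_000])
BOMB_BY_MULTIBYTE = BookEdit(title="Bomb", author="griefer", pages=["\u4e2d" * 100])

if __name__ == "__main__":
    for name, book in [("normal", NORMAL_BOOK),
                       ("page-count bomb", BOMB_BY_PAGE_COUNT),
                       ("page-size bomb", BOMB_BY_PAGE_SIZE),
                       ("multibyte bomb", BOMB_BY_MULTIBYTE)]:
        print(f"{name:16s} accepted={is_acceptable(book)} "
              f"page_bytes={total_page_bytes(book)}")
```

The multibyte sample is the case a character-count check would miss: 100 characters of a three-byte CJK code point is 300 bytes of NBT, over the assumed 256-byte page limit, so the check is done on the encoded length.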
Code Execution Vulnerability in China Mobile Communications Ltd. and Fetion
Hefeixin is China Mobile's upgraded team-communication service and enterprise mobile-office application. A code execution vulnerability exists in Hefeixin that an attacker can exploit to run an executable containing arbitrary code...
The Fifth Question(s) Today’s CEOs Should Ask (& Know the Answers To)
In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams. In this blog series, I am taking a deeper dive into each question and breaking them down one at a time. We will discuss why CEOs should care about each question and the type...
Zoho Chat - Team Communication - Customized SSL, Exported components, External URLs vulnerabilities
The HackApp vulnerability scanner found that the Zoho Chat - Team Communication application published on the Play market has multiple vulnerabilities...
Dradis v2.9 - Information Sharing For Security Assessments
Dradis is an open source framework for effective information sharing, especially during security assessments. It is a tool built specifically to support the penetration testing process. Penetration testing is about information: 1. Information discovery 2. Exploit useful information 3. Report the...