cloud programming

Web Push for Web Apps on iOS and iPadOS | WebKit

This is good news as it further expands the capabilities of web apps. This addresses a longstanding request for web apps to deliver notifications. Note that web push only works if the web app is added to Home Screen. It is to limit web apps that aggressively ask for too many permissions.

With iOS and iPadOS 16.4 beta 1 comes support for Web Push for Home Screen web apps, Badging API, Manifest ID, and more.

Source: Web Push for Web Apps on iOS and iPadOS | WebKit

programming security

NIST Retires SHA-1 Cryptographic Algorithm | NIST

NIST, the US standards body in charge of cybersecurity, is recommending phasing out the use of SHA-1 due to vulnerabilities in the algorithm and possibility of attacks by powerful machines. Modern browsers have already sunset support for SHA-1. However, older applications may still be using it as a form of checksum.

The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable.

Source: NIST Retires SHA-1 Cryptographic Algorithm | NIST


Image which displays its own MD5 hash

This is very impressive. Someone managed to create an image whose MD5 hash (also known as MD5 sum) is in the image. Why is it impressive? Well, for one, hashes are computed based on the contents of the input, and even making a one bit change creates wildly different hashes. Let me illustrate this with an example:

$ echo -n 1234 | md5sum
81dc9bdb52d04dc20036dbd8313ed055 *-

$ echo -n 1235 | md5sum
9996535e07258a7bbfd8b132435c5962 *-

1234 and 1235 differs by just 1 bit. In binary:

1234 is 00110001 00110010 00110011 00110100
1235 is 00110001 00110010 00110011 00110101

and yet the MD5 hash is totally different. Imagine if you’re trying to create a text document with this content:

The MD5 sum of this is: 12345678901234567890123456789012

Obviously the MD5 hash is not going to be 12345678901234567890123456789012.
It computes to b8aca742ffc52d6bea85fd87a92d3ede.

So you tweak the contents to this:

The MD5 sum of this is: b8aca742ffc52d6bea85fd87a92d3ede

Now the MD5 sum becomes 878da8ba44a3938fdce6da2191f221a1.

The minute you attempt to tweak the contents, the MD5 hash changes.

So it is possible to engineer a text such that the MD5 hash is contained in the text? The answer is probably yes. But you will have to test 2^128 combinations to find it.

Which brings us to the image. Creating an image like this is difficult, due to the encoding and checksums that a valid PNG image needs to have. Yes it’s not the first image-based hash quine (or file that show their own hash), but what makes this even more impressive is the deliberate choice of choosing 1337 to appear at the front and back of the MD5 sum.

Kudos to the author for this achievement.

The image in this post displays its own MD5 hash. You can download and hash it yourself, and it should still match – 1337e2ef42b9bee8de06a4d223a51337 I think this is the first PNG/MD5 hashquine.

Source: Retr0id

3D programming

Data Management OSS (Object Storage Service) migrating to Direct-to-S3 approach

It’s no secret that Autodesk Forge uses AWS. But now they made it explicit. Some of the API will be exposing AWS services – in particular S3 – directly.

Source: Data Management OSS (Object Storage Service) migrating to Direct-to-S3 approach

programming security

BIG sabotage: Famous npm package deletes files to protest Ukraine war

Oh dear. Yet another npm author went rouge. This time it appears that the npm package deletes files for users with Russian/Belarus IP addresses. Time to take package pinning more seriously.

This week, the developer of the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The ‘node-ipc’ package, which gets downloaded over a million times weekly, began deleting files on developer’s machines, in addition to creating new text files with “peace” messages.

Source: BIG sabotage: Famous npm package deletes files to protest Ukraine war

bug programming security

Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Previously we had attackers using hijacked npm libraries to steal credentials. In this case the libraries or the maintainer wasn’t compromised. In fact it was the maintainer who deliberately introduced bugs into his libraries, thereby breaking thousands of apps that depends on it. There’s no easy solution to this dependency problem. For now use pinned versions and manually approve upgrades.

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there’s more to the story.

Source: Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

programming security

RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

log4j is a common logging library for Java applications. This vulnerability is extremely easy to exploit, and allows the attacker to run arbitrary code in the server. IOW, very bad. For now, set log4j.formatMsgNoLookups=true to mitigate the issue, until an official patch is out.

Given how ubiquitous this library is, the impact of this vulnerability is quite severe. Learn how to patch it, why it’s bad, and more in this post.

Source: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

gis programming

OneMap API

Do you know that you can do this? No API key or token is required to do simple geocoding via OpenMap API.

Notice the response returns LONGTITUDE and LONGITUDE containing the same values. This is due a misspelling in the earlier API and a decision not to break the earlier API.

Find out more here:

programming security

Hoax Email Blast Abused Poor Coding in FBI Website

One of the FBI website had a web form that allowed arbitrary content to be sent from a legitimate FBI domain – passing all DMARC, DKIM, SPF. This isn’t even a hack – anyone could have done it using their web browser. But it could have serious consequences had the attacker had more nefarious motives.

The Federal Bureau of Investigation (FBI) confirmed today that its domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for…

Source: Hoax Email Blast Abused Poor Coding in FBI Website

programming security

The Invisible JavaScript Backdoor – Certitude Blog

Earlier, we had a group which abuse Unicode bi-directional mechanism to deceive the reader about the actual ordering of source code, leading to clever hiding of backdoor in plain sight.

Now we have yet another novel method to include a backdoor in source codes. The attack vector makes use of Unicode characters that are invisible, but which are valid characters in variables names.

The attack requires the IDE/text editor (and the used font) to correctly render the invisible characters. At least Notepad++ and VS Code render it correctly (in VS Code the invisible character is slightly wider than ASCII characters). The script behaves as described at least with Node 14.

Source: The Invisible JavaScript Backdoor – Certitude Blog