Vulnerabilities (Page 52)

Three Apple CloudKit Vulnerabilities

Three bugs relating to insecurely configured CloudKit containers: the big one being the accidental deletion of all Apple Shortcuts, but also the ability to delete records on Apple News and to modify data used on the iCrowd+ website.


[GitLab] Stored XSS in main page of a project

For a GitLab bug, this one is nice and simple: stored XSS in the “default branch name” field. For a group you can set up what the group’s default branch name should be for any new repositories created…


[Flickr] CSRF in Account Deletion feature

When SmugMug bought Flickr from Yahoo they had to move the authentication system away from Yahoo’s authentication. A side-effect of this was that the account deletion process had previously used the Yahoo authentication code as the CSRF token, so in the move the token was removed and not replaced with anything functionally equivalent…


Spook.js - Speculative Type Confusion

The cool part of this paper is the speculative type confusion attack, where the browser’s optimizer is trained to expect that a memory access will be on a uint8 array, and the CPU branch predictor is trained to expect that it will always go down that path. The attack then changes both conditions, leading to the CPU speculatively executing the uint8 access using data from another object, aligned in memory such that two 32-bit values in JavaScript become one 64-bit value.