Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera


Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."
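The risk described above comes from two things the client takes on trust: a DNS name that is supposed to point at the local machine, and a certificate whose private key ships to every installation. The certificate alone cannot tell a client whether it is talking to its own local helper or to whoever else holds the key, so a client-side mitigation is to refuse the connection unless the name actually resolves to a loopback address (or, better, to connect to 127.0.0.1 directly and use the name only for certificate name matching). The check below is an added example written for this article; it is not code from Atlassian, Confluence or IBM. The hostnames and the 203.0.113.5 address it uses are constructed sample values, and `resolver` is a hypothetical hook so the check can be exercised without touching real DNS.

```python
"""Defensive check for the 'public name that must resolve to localhost' pattern.

Added example (not the vendor's code). A desktop helper that is reachable only
through a DNS name such as my-local-helper.example should verify, before it
trusts the peer, that the name really resolves to loopback. A TLS certificate
whose private key is shared by every install gives no such guarantee.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List


def resolve(hostname: str) -> List[str]:
    """Ask the system resolver for every address behind hostname (A and AAAA)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_loopback(address: str) -> bool:
    """True only for 127.0.0.0/8 and ::1, including the IPv4-mapped form.

    '::ffff:127.0.0.1' is a loopback address in disguise, and '::1%lo0' carries
    a zone id that ipaddress would otherwise reject, so both are normalised.
    """
    ip = ipaddress.ip_address(address.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def loopback_only(addresses: Iterable[str]) -> bool:
    """A name is safe to treat as 'local' only if every address is loopback.

    An empty answer is also rejected: no address means nothing to trust.
    """
    addrs = list(addresses)
    return bool(addrs) and all(is_loopback(a) for a in addrs)


def check_local_domain(hostname: str,
                       resolver: Callable[[str], List[str]] = resolve) -> Dict[str, object]:
    """Resolve hostname and decide whether a client may treat it as local.

    `resolver` is a hypothetical injection point (constructed for this example)
    so the logic can be tested with canned answers instead of live DNS.
    """
    addrs = resolver(hostname)
    ok = loopback_only(addrs)
    return {
        "hostname": hostname,
        "addresses": addrs,
        "loopback_only": ok,
        "verdict": "ok: connect" if ok else "refuse: name does not resolve to loopback only",
    }


def local_tls_target(hostname: str, port: int = 443):
    """Mitigation that removes DNS from the trust decision entirely.

    Returns (address, port, server_hostname): connect to the literal loopback
    address and pass the DNS name only as the TLS SNI / certificate name, e.g.
    ssl_context.wrap_socket(sock, server_hostname=server_hostname).
    """
    return ("127.0.0.1", port, hostname)


if __name__ == "__main__":
    # Constructed resolvers standing in for an honest and a tampered DNS answer.
    honest = lambda h: ["127.0.0.1", "::1"]
    tampered = lambda h: ["127.0.0.1", "203.0.113.5"]  # RFC 5737 documentation address
    for name, res in (("my-local-helper.example", honest),
                      ("my-local-helper.example", tampered)):
        print(check_local_domain(name, res))
    print(local_tls_target("my-local-helper.example"))
```

The point of `local_tls_target` is that the DNS lookup, which is what an attacker holding the shared key would need to influence, never happens: the client dials the loopback address itself and uses the name purely for SNI and certificate matching. The resolution check is the weaker fallback for clients that cannot change how they connect.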

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM does add that certificate to its system store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for a denial-of-service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.
