This feature-rich app offers comprehensive privacy and security. The app is regarded as one of the best for encrypted communication.

John Jackson and researchers at Sakura Samurai, including Aubrey Cottle, Jackson Henry, and Robert Willis, have identified a critical vulnerability in the Keybase app that puts the privacy of Windows, macOS, and Linux users at risk. A serious flaw in Zoom's Keybase secure chat application left copies of images contained in secure communications on Keybase users' computers after they were supposedly deleted. Keybase is owned by Zoom and currently has almost half a million privacy-focused users.

The flaw in the encrypted messaging application (CVE-2021-23827) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes, where apps like Keybase and Signal are increasingly relied on as a way to hold conversations out of earshot of law enforcement or security services.

The flaw was discovered by researchers from the group Sakura Samurai as part of a bug bounty program offered by Zoom, which acquired Keybase in May 2020. In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security "very seriously." Zoom said it has fixed the flaw in the latest versions of its software for Windows, macOS and Linux. "We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates," the spokesman said.

Web application frameworks are made to help developers build web applications. Some of them also help you with securing the web application.
In fact, one framework is not more secure than another: if you use it correctly, you will be able to build secure apps with many frameworks. Ruby on Rails has some clever helper methods, for example against SQL injection, so that this is hardly a problem. In general there is no such thing as plug-n-play security. Security depends on the people using the framework, and sometimes on the development method. And it depends on all layers of a web application environment: the back-end storage, the web server, and the web application itself (and possibly other layers or applications).

The Gartner Group, however, estimates that 75% of attacks are at the web application layer, and found "that out of 300 audited sites, 97% are vulnerable to attack". This is because web applications are relatively easy to attack, as they are simple to understand and manipulate, even by the lay person. The threats against web applications include user account hijacking, bypass of access control, reading or modifying sensitive data, or presenting fraudulent content. Or an attacker might be able to install a Trojan horse program or unsolicited e-mail sending software, aim at financial enrichment, or cause brand name damage by modifying company resources.

In order to prevent attacks, minimize their impact and remove points of attack, you first have to fully understand the attack methods in order to find the correct countermeasures. In order to develop secure web applications you have to keep up to date on all layers and know your enemies. To keep up to date, subscribe to security mailing lists, read security blogs, and make updating and security checks a habit (check the Additional Resources chapter). It is done manually because that's how you find the nasty logical security problems. This chapter describes some particular attacks related to sessions, and security measures to protect your session data.
Stealing a user's session ID lets an attacker use the web application in the victim's name.