When “Access Control” to sensitive Data is just a Number in a URL

Not long ago, I covered the Merkur hack from Lilith Wittmann – a glaring example of careless handling of sensitive data. And today, here we are again! Another service, another broken-by-design system. This time: the hotel chain Numa, exposing tens of thousands of identity documents to anyone with a URL and a browser.

What happened

I just came across this report via a post on Mastodon from the CCC. Their (German) post describes what happened. I’ll briefly try to outline it:

Continue reading When “Access Control” to sensitive Data is just a Number in a URL

AI Agents: Loyal Only to the Prompt

Recently I thought “If AI scrapers are scraping my website, would a prompt injection work? Just adding invisible Prompt commands …?”

And just today, a colleague sent me this link to an article about prompt injection in GitLab Duo: Remote Prompt Injection in GitLab Duo Leads to Source Code Theft:

TL;DR: A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses.

https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo

Well – it shows: dammit! Someone else was faster! 😀

But besides that: it confirms a paranoid thought that I have been harboring for quite a while. Any output of an AI system must not be trusted blindly.

Continue reading AI Agents: Loyal Only to the Prompt

How to check the Email Security Level of your Provider

If you’ve ever wondered which security protocols your email provider supports, there is an easy way that I found via Mastodon:

The European Commission provides My Email Communications Security Assessment (MECSA) (https://mecsa.jrc.ec.europa.eu/), with which you can quickly check which of these protocols your provider supports (STARTTLS, X.509 certificates, SPF, DKIM, DMARC, DANE, DNSSEC).

Continue reading How to check the Email Security Level of your Provider

New 6-day Validity of Let’s Encrypt Certificates

I just saw this great news: Let’s Encrypt Announces 6-day Validity Certificates

Let’s Encrypt, the non-profit certificate authority, has introduced six-day validity certificates, commonly referred to as short-lived certificates.

Shorter validity periods are great for security. Traditional certificates can last up to a year, meaning that if the private key gets compromised, the certificate remains a threat for a long time. Short-lived certificates reduce the window of opportunity for attackers: even if a certificate gets compromised, it will become invalid in less than a week.

Josh Aas, Executive Director of Let’s Encrypt’s parent organization, the Internet Security Research Group (ISRG), emphasizes, “Short-lived certificates practically require automation… automating certificate issuance is crucial for improving security across the web.”

Oh yeah. I couldn’t agree more.

How to get simple DNS Protection

Malware sites are the plague of the century! And it’s so easy to fall for them. Phishing, hacked website content, or malware ads – one click and you are on a website you shouldn’t be.

One way to deal with the issue is to block malicious domains at the DNS resolver level. The advantage is that you do not have to make any modifications on the devices themselves!

Continue reading How to get simple DNS Protection