Application Security Weekly for April 8

(Yes, last week was indeed an April Fools' joke)

(This week isn't.)


Domain names are a blessing and a curse. It's a lot easier to remember "" than "". The domain registration system is also on the front lines of fighting spam and malware, and it is under attack by the Powers That Be. Overreaching privacy law is about to make blue teaming a lot harder.


Twitter thread regarding T-Mobile Austria storing passwords in plain text. Warning: rough language.

So, if they store the WHOLE password salted and hashed, but keep the first four characters in plain text just to help customer service, is it still a vulnerability? Yes: anyone who gets hold of the database no longer has to guess those four characters, so the brute-force search for the rest of the password shrinks by a factor of (alphabet size)^4, and for short or all-digit passwords almost nothing is left to crack.
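To put a number on that, here is an added example (not code from the original post, and not a claim about what T-Mobile Austria actually stores) that brute-forces a salted SHA-256 hash with and without a known four-character prefix. The password scheme, the six-digit password, the salt, and the helper names are all assumptions constructed for the illustration.

```python
import hashlib
import itertools
import string
from typing import Optional, Tuple

# Constructed example: all-digit passwords of a fixed length, stored as
# SHA-256(salt || password). The scheme is an assumption for illustration.
ALPHABET = string.digits


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256, the 'properly hashed' half of the hypothetical scheme."""
    return hashlib.sha256(salt + password.encode()).digest()


def keyspace(length: int, known_prefix_len: int = 0) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return len(ALPHABET) ** (length - known_prefix_len)


def brute_force(target: bytes, salt: bytes, length: int,
                known_prefix: str = "") -> Tuple[Optional[str], int]:
    """Enumerate every password of `length` chars over ALPHABET that starts
    with known_prefix, in lexicographic order, until the hash matches.
    Returns (password, attempts) or (None, attempts) if nothing matched."""
    remaining = length - len(known_prefix)
    attempts = 0
    for tail in itertools.product(ALPHABET, repeat=remaining):
        candidate = known_prefix + "".join(tail)
        attempts += 1
        if hash_password(candidate, salt) == target:
            return candidate, attempts
    return None, attempts


def compare(password: str, salt: bytes, prefix_len: int = 4) -> Tuple[int, int]:
    """Attempts needed to recover `password` from its salted hash when the
    attacker knows nothing, versus when the first prefix_len chars leaked."""
    digest = hash_password(password, salt)
    _, without_prefix = brute_force(digest, salt, len(password))
    _, with_prefix = brute_force(digest, salt, len(password), password[:prefix_len])
    return without_prefix, with_prefix


if __name__ == "__main__":
    # Constructed sample data: a six-digit password and a fixed salt.
    salt = b"constructed-salt"
    password = "739104"
    blind, with_leak = compare(password, salt)
    print(f"worst case without prefix: {keyspace(6):,} candidates")
    print(f"worst case with 4 known:   {keyspace(6, 4):,} candidates")
    print(f"this password: {blind:,} attempts blind, {with_leak} with the prefix")
```

The point the example makes is that the salt and hash still do their job, but the leaked prefix removes most of the work: a six-digit password goes from a million candidates to a hundred, and the same factor of 10^4 (or 95^4 for a printable-ASCII password) applies regardless of how strong the hash is.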


Three Vulnerabilities Discovered in Spring Development Framework. Patchy patchy.

Critical — RCE Attack (CVE-2018-1270)
High — Directory Traversal Attack (CVE-2018-1271)
Low — Multipart Content Pollution (CVE-2018-1272)


Normally I link to primary sources, but El Reg did such a good job writing up the Trustwave report that I want to link to them. Good, tongue-in-cheek breakdown of the Trustwave report, which is pretty ugly (spoiler: criminals are getting better, and we are not catching up). Link to the report at the end of the article; there will be a quiz.


And that's the news

