SANS Stormcast Thursday, July 2nd, 2026: MetaMask Phishing; Adobe Patches; Google Chrome Patches; Apple Hide-My-Email Vuln

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9992.mp3

Podcast Transcript

Hello and welcome to the Thursday, July 2nd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Riyadh, Saudi Arabia. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations. As a reminder, there will be no podcast tomorrow on Friday, in part because of July 4th and also because of my travel schedule.

Xavier came across a really interesting phishing email. Now this particular phishing email targets MetaMask. MetaMask is an app and a browser extension used for crypto coins, or a crypto coin wallet, and of course with that an attractive target. But the approach they are taking here for phishing is a little bit different. Now MetaMask, like many websites, particularly if they are crypto coin related, does require and encourage the use of multi-factor authentication. So that basically renders some of the simple phishing attempts useless. But in this particular case, the attacker is going after a secret phrase the user establishes in order to reset their authentication option. So when you're signing up for MetaMask, as part of the signup process, this secret phrase is established. It's not usually used to log in. It's used more as a password recovery token, as a backup in case you're losing your username and second factor. And that's exactly what the attacker is abusing here: essentially the password reset feature. The problem here of course is how do you securely recover an account if the second factor is lost. A lot of websites and such are relying on a type of one-time password or a secret random string that's established when you're setting up the second factor. And that of course is still phishable, as this particular attempt shows. Personally, I haven't really come up with a great, secure and still usable and reasonably easy and cheap to implement solution to solve the lost second factor problem.

Usually we talk about Adobe patches on Patch Tuesday, which was two weeks ago. But it looks like Adobe is making some changes to how they are going to release patches, in part because customers are of course asking for a faster patch cycle. Adobe is now adopting a two-week patch release cycle. So you will get new Adobe patches on the second and the fourth Tuesday of each month. And this month, well, they started for the first time. It got patches for 11 different products. Two of my favorites are among them: ColdFusion and Adobe Acrobat Reader. Both of them do contain arbitrary code execution vulnerabilities. So definitely something that you do want to address, in particular of course, as usual, with the ColdFusion product, which tends to be a little bit more exposed. And I'll talk about having to deal with more and more patches and vulnerabilities.

Google released an update for Google Chrome patching this month 382 vulnerabilities. Now, last month we had a new record release with something like 400 or so vulnerabilities being patched. So the number is going down. But it looks like this may, at least for now, be sort of the new normal, to have hundreds of vulnerabilities being patched each month, or however often Google decides to release new versions of Google Chrome. A year ago or so it was more like a dozen or so that we had each month, or in each release. So this is certainly an order of magnitude increase over what we used to have. The hope of course is that eventually, well, they'll find all the bugs. But so far it looks like there are still plenty of vulnerabilities to find.

According to Joseph Cox with 404 Media, Apple's Hide My Email service does contain an unpatched vulnerability that allows attackers to unmask the identity behind these temporary and anonymous email addresses that Apple makes available to its Apple Plus customers. The problem here is that if you are sending an email with an oversized attachment to the email address, you're getting a bounce back because it's stating that the attachment is too large. And as part of the bounce, the actual email address of the user that is supposedly obfuscated behind the Hide My Email address is revealed. So this is one of those bugs where, well, the attachment isn't blocked when it's initially received by Apple's mail server, but only after they attempt to actually deliver it to the actual email address of the owner of the particular account. So be careful with these anonymous email servers in general. There are usually some leaks like this in the service; it's not the first time that you would have bounces revealing the actual identity of a particular email user. But of course, you still also have the issue with HTML emails and the like that may load content from third party sites that an attacker is then able to follow up on, or identify the source of the request for.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for recommending and any kind of feedback for this podcast. Remember, no podcast tomorrow. So, talk to you again on Monday. Bye.
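The bounce-leak pattern described for the Hide My Email service can be checked for in any alias or forwarding relay you operate. The example below is added here and is not code from the podcast, Apple, or 404 Media: it builds a constructed bounce message in which the relay echoed the original mail after rewriting the alias recipient to the real mailbox (an assumed leak location; the podcast only says the real address appears "as part of the bounce"), then scans every header and text body of the bounce for addresses that belong neither to the alias domain nor to the sender. Domain names, addresses and the relay behaviour are all placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Loose RFC 5322 addr-spec matcher; good enough to scan bounce text for leaks.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def bounce_leaks(raw_bounce: bytes, alias_domain: str, sender: str) -> set[str]:
    """Return every address found anywhere in the bounce (headers, text bodies,
    embedded original message) that is not on the alias domain and is not the
    sender. Anything left over is information the relay should not have exposed."""
    msg = email.message_from_bytes(raw_bounce, policy=policy.default)
    found: set[str] = set()
    for part in msg.walk():  # walk() descends into message/rfc822 attachments too
        for value in part.values():  # all header values of this part
            found.update(ADDR_RE.findall(value))
        if part.get_content_maintype() == "text":
            found.update(ADDR_RE.findall(part.get_content()))
    alias_domain = alias_domain.lower()
    sender = sender.lower()
    return {
        a.lower() for a in found
        if a.lower() != sender and not a.lower().endswith("@" + alias_domain)
    }


def build_sample_bounce() -> bytes:
    """Constructed sample (hypothetical relay.example): the oversized message was
    rejected only after the relay rewrote 'To:' to the real mailbox, and the
    bounce attached that rewritten original, leaking the protected address."""
    original = EmailMessage()
    original["From"] = "sender@example.org"
    original["To"] = "realuser@mailbox.example.net"  # rewritten by relay: the leak
    original["Subject"] = "large file"
    original.set_content("see attachment")

    bounce = EmailMessage()
    bounce["From"] = "mailer-daemon@relay.example"
    bounce["To"] = "sender@example.org"
    bounce["Subject"] = "Undeliverable: large file"
    bounce.set_content(
        "Message to abc123@relay.example could not be delivered:\n"
        "attachment exceeds the size limit.\n"
    )
    bounce.add_attachment(original)  # becomes a message/rfc822 part
    return bytes(bounce)
```

A relay that passes this check returns an empty set; the constructed sample returns the real mailbox address, which is exactly what a tester of their own alias service would want flagged before an outside sender finds it.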