SANS Stormcast Friday, February 6th, 2026: Broken Phishing; n8n vulnerability; Android Update; Watchguard Firebox LDAP Injection
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9798.mp3
Broken Phishing URLs
https://isc.sans.edu/diary/Broken+Phishing+URLs/32686/
n8n command injection vulnerability
https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
Android February Update
https://source.android.com/docs/security/bulletin/pixel/2026/2026-02-01?hl=en
Watchguard Firebox LDAP Injection
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00001
Podcast Transcript
Hello and welcome to the Friday, February 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cyber Security Fundamentals.

Well, Xavier came across an interesting trick being rediscovered by phishing emails, and that's essentially invalid URLs that are, well, valid enough that they may actually work in a browser. So what they're taking advantage of here is, well, I wouldn't call it an ambiguity, but really browsers being able to deal with URLs that are technically not valid. In this particular case, at the end of the URL, instead of having like a question mark and then the URL parameters that are still limited by ampersands, well, they just have an ampersand and then a couple of random characters. This is not a valid URL. I actually looked it up in the RFC myself. RFC 3986 states that URLs should be limited by either white spaces, angle brackets, or double quotes. But we all know that, well, browsers are somewhat forgiving with these standards. And that's apparently what's being abused here, that a browser makes this URL work, while a security tool that inspects the document, well, doesn't recognize this as a valid URL, and as a result will then ignore it. So interesting little trick here. And you may want to test your security tool, how it deals with these kinds of invalid URLs.

Well, and today's AI vulnerability comes thanks to n8n. And it's really just a variation of a vulnerability that we had in December, and that caused a lot of news in December, because it does allow anybody who's able to create a workflow to essentially execute arbitrary system commands. So one of those good old sort of OS command injection style vulnerabilities. Well, apparently that vulnerability hadn't been patched properly back in December. So it's back in another variation of it. But better keep n8n updated. And like with all of these sort of emerging tools right now, you should probably check daily for any updates, because I really can't get to all of the vulnerabilities that are popping up in these tools.

And in case you're following Google's Android updates, we had the February release this week for Android and, well, there was something a little bit odd happening at first sight, and that's that there were no security fixes in this release. Turns out that Google changed a little bit how they're going to do security releases. In the monthly release, they'll only add vulnerabilities or only patch vulnerabilities that they rate high. And there was one, but it was Pixel-specific. Also Samsung released ones that were Samsung-specific. But there was nothing sort of for the base Android operating system. Every quarter, they'll now release sort of the security updates that are not high. So that's where you get all the, I guess, you know, minor or medium security vulnerabilities addressed then in these quarterly updates.

And talking about high vulnerabilities, WatchGuard released an update for its Firebox appliance. This update fixes an LDAP injection. Since LDAP is used for authentication, this is certainly a problem. It does not require authentication to exploit the vulnerability. And they're stating here that, yes, it can be used to bypass authentication. But in order to do so, the attacker would need a partial identifier and then additionally have the user's valid passphrase. So the identifier is probably easier to get than the passphrase. And so far, this may not be that much of a vulnerability when it comes to authentication bypass.

Well, and that's it for today. Thanks for listening. Thanks for liking. Thanks for subscribing to this podcast. And talk to you again on Monday. Bye.
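A quick way to test the point made about broken phishing URLs, as an added example that is not part of the podcast or the diary: a delimiter-based extractor (whitespace, angle brackets, double quotes, as in RFC 3986 Appendix C) is compared with a stricter grammar-based pattern, here a constructed stand-in for a scanner's URL regex, on a constructed message body, and the lenient form is parsed with `urllib.parse.urlsplit` to show what a browser-like parser actually does with the `&`-terminated link.

```python
import re
from urllib.parse import urlsplit

# Constructed sample e-mail body (not from the diary): the first link ends in
# "&" plus junk instead of "?key=value"; the second is the ordinary form.
SAMPLE_BODY = (
    "Confirm your mailbox: https://example.com/verify&k7q2z9 before Friday.\n"
    'Ordinary form for comparison: <https://example.com/verify?token=k7q2z9>'
)

# Delimiter-based extraction in the spirit of RFC 3986 Appendix C: the URL
# runs until whitespace, an angle bracket or a double quote.
DELIM_RE = re.compile(r'https?://[^\s<>"]+')

# A stricter, grammar-based pattern (assumed, standing in for the kind a
# scanner might use): a path of "safe" characters, then an optional "?query".
# "&" is not in the path set, so extraction silently stops before the junk.
STRICT_RE = re.compile(
    r'https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._~%/-]*)?(?:\?[^\s<>"]*)?'
)


def extract(body: str, pattern: re.Pattern) -> list[str]:
    """Return every URL candidate the given pattern finds in the body."""
    return pattern.findall(body)


def browser_view(url: str) -> tuple[str, str]:
    """Path and query as a lenient parser (urlsplit, like a browser) sees them."""
    parts = urlsplit(url)
    return parts.path, parts.query


def find_truncations(body: str) -> list[tuple[str, str]]:
    """Pairs (lenient, strict) where the strict extractor saw a shorter URL
    than the lenient one: the scanner would then inspect a different URL
    from the one the browser is asked to open."""
    lenient = extract(body, DELIM_RE)
    strict = extract(body, STRICT_RE)
    return [(l, s) for l, s in zip(lenient, strict) if l != s]


if __name__ == "__main__":
    for lenient, strict in find_truncations(SAMPLE_BODY):
        print(f"scanner saw {strict!r}, browser is sent to {lenient!r}")
        print("  lenient parse (path, query):", browser_view(lenient))
```

Feeding the same body through your own mail or web filter and comparing against the delimiter-based list is the check the transcript suggests.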