
SANS Stormcast Wednesday, November 26th, 2025: Attacks Against Messaging; Passwords in Random Websites; Fluent Bit Vuln; #thanksgiving

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9716.mp3

Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications
Spyware targets users of messaging applications in part by exploiting vulnerabilities in the applications themselves, but also by deploying tools like keystroke loggers and screenshot capture, which read messages after end-to-end encryption has already done its work.
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications

Stop Putting Your Passwords Into Random Websites
Yes. Just Stop!
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/

Fluent Bit Vulnerability
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover

Happy Thanksgiving. Next podcast on Monday after Thanksgiving.

Podcast Transcript

Hello and welcome to the Wednesday, November 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals. And just as a reminder, this is the last podcast for this week, given the Thanksgiving holiday coming up.

CISA published a quick announcement here that they're seeing some attacks against messaging applications. The attacks themselves are not new. They're really sort of highlighting three different attacks here. One is the use of QR codes, which sometimes can be used in order to trick a victim into adding an attacker's device to their account. And then of course, that attacker device does have access to your messages, even in some cases for end-to-end encrypted applications. Also, the exploitation of bugs in the application itself. That's then, sort of in some cases, these very dangerous zero-click attacks. iMessage, WhatsApp in the past have been hit by these vulnerabilities. And lastly, also, well, that's probably the hardest to defend against, impersonation, where someone is just claiming to be a different person in a messaging app. So always be careful to verify who you are talking to. I just want to point out something that isn't sort of explicitly stated here. They're talking about WhatsApp, Signal. Signal in particular being famous for its very robust end-to-end encryption. Just remember, end-to-end encryption means that at the end, the messages are still readable. So if the attacker does have access to like a keystroke logger or the ability to take screenshots, then usually that end-to-end encryption doesn't really do much, even if the application is rather careful in how they're dealing with these messages on the end-user system, like how they're then encrypting them.

Well, then we have some interesting research from watchTowr again. And this time it's, for a change, not an easily exploitable vulnerability in some kind of enterprise endpoint security device. Instead, it's, well, basically users shooting themselves in the foot by posting company secrets like passwords into publicly accessible websites. Now, why would you do this? We're not talking about phishing here. The problem is websites like, and they're mentioning here as an example, a JSON prettifier website that basically makes JSON look prettier. Well, people just post company data into these websites, and then they get the prettier version of the JSON. Personally, jq always did a great job with that for me, and usually I don't really care how pretty my JSON looks. But in particular with the JSON prettifier, and you also have like a code prettifier website, it works very similar. There is an option to save the data that you just posted on the website. But there should be a hint that this is not secure, because it never really asks you to set up an account for that website. It's really sort of more like a pastebin-like system. And these snippets that people are storing are easily recovered by anybody who is just guessing the ID. So this, as watchTowr found out, led to thousands of secrets being leaked from very big companies, including some security companies. They're not naming any victims here, but it's pretty obvious that a large number of companies are affected by this. And of course, the websites they're pointing out here are certainly not the only websites like this that are performing actions like this. Well, for the first part, you should never really post data like this into a random website. And then always look for an alternative. Like I mentioned, jq does, in my opinion, a very nice job in formatting JSON. Pretty many IDEs are doing a good job in prettifying code snippets. And a local solution is usually preferred here, like, as another example here that's not mentioned here, but the famous CyberChef that is being used to resolve various encodings. Well, it's written to actually work on the client exclusively. And you can just download that JavaScript. And well, we all trust GCHQ. So they probably won't send it off anywhere where it's not supposed to go. And as long as you deal with these tools locally, well, you don't have the problem of leaking your secret data.

And talking about trusting other people's systems, of course, the cloud is a system that we happily throw all of our most secret data into, hoping that by paying a lot of money, they keep it somewhat secure. Well, many of these cloud providers are using Fluent Bit, a platform that's being used to manage their cloud environments. And you have a couple of new serious vulnerabilities here, nothing you really have or can do about it. So don't worry about it. Just hope that your cloud provider applied the fixes. In case you're using it internally, which is unlikely, but possible, well, please, please update.

Well, and that's it for today. So thanks again for listening. Hope everybody in the US has a good Thanksgiving. And the next podcast will be on Monday. Bye. Thank you.
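The local-tooling advice in the watchTowr segment above, as an added example that is not code from the podcast, watchTowr or jq: a Python prettifier that does what `jq .` does on your own machine and additionally reports values that look like credentials, so they are noticed before the output is pasted or shared anywhere. The credential key names and value patterns are the author's assumptions for illustration, not a published detection list.

```python
"""Local JSON prettifier that flags likely secrets before the output is shared.
Added example, not code from the podcast or watchTowr; key names and value
patterns below are the author's assumptions, not a published detection list."""
import json
import re

# Key names that commonly hold credentials (assumed list; extend for your environment).
SECRET_KEY_RE = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|authorization", re.I)
# Value shapes worth flagging regardless of key name (constructed patterns).
SECRET_VALUE_RES = [
    re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$"),  # JWT
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                                   # AWS access key ID
    re.compile(r"^[A-Za-z0-9+/=_-]{32,}$"),                              # long opaque string
]


def find_secrets(obj, path="$"):
    """Walk parsed JSON and return JSONPath-like locations of likely secrets."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SECRET_KEY_RE.search(key):
                hits.append(child)          # credential-looking key with a string value
            else:
                hits.extend(find_secrets(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_secrets(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and any(r.match(obj) for r in SECRET_VALUE_RES):
        hits.append(path)                   # secret-shaped value under a harmless key
    return hits


def prettify(raw):
    """Re-indent JSON locally (like `jq .`); return (pretty_text, flagged_paths)."""
    data = json.loads(raw)
    return json.dumps(data, indent=2, sort_keys=True), find_secrets(data)


# Constructed sample of the kind of config blob people paste into web formatters.
SAMPLE = ('{"service":"billing","db":{"host":"db.internal","password":"Hunter2!"},'
          '"headers":[{"Authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc"}]}')

if __name__ == "__main__":
    text, flagged = prettify(SAMPLE)
    print(text)
    print("possible secrets at:", flagged)
```

To use it on real input, replace `SAMPLE` in the `__main__` block with `sys.stdin.read()`; the data never leaves the machine, which is the whole point of the segment.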