Thank you @_larry0! Anyone else have their #myfavoritevuln?
#VulnLife #StickerLife #InfoSechttps://twitter.com/_larry0/status/1189707301923504128 …
-
-
Replying to @RiskBased
I’d like to hear from
@attritionorg@SushiDude and@jkouns1 reply 0 retweets 1 like -
Replying to @_larry0 @RiskBased and
thinking on it! And planning on a few answers, since we can submit several! also curious what
@wdormann@grsecurity@4dgifts@dotmudge@scooterthetroll@lcamtuf@mauvehed@i0n1c@hdmoore@mdowd@xssniper@taviso@weldpond@daveaitel would say =) all have great history w/ vulns.7 replies 0 retweets 5 likes -
Replying to @attritionorg @_larry0 and
Reserving mine for future blog posts, since I have a feeling you're all being tricked into creating someone else's "top 10 CVEs from security experts" posts ;)
5 replies 0 retweets 11 likes -
Replying to @grsecurity @_larry0 and
here's a fun one, I don't think we ever published. based on VulnDB data... top creditees =)pic.twitter.com/TYGrhoFANt
1 reply 0 retweets 3 likes -
Replying to @attritionorg @grsecurity and
Wow! I’m way behind.
1 reply 0 retweets 1 like -
Replying to @_larry0 @grsecurity and
well,
@wdormann is a filthy cheater and he knows why! you can't beat Not Available, or Discovered by Vendor (which is further abstracted, but not in that view) and likely not Anonymous. can you top@htbridge though?! chop chop! more disclosures!1 reply 0 retweets 2 likes -
Replying to @attritionorg @_larry0 and
What can I say... Automated target selection and testing is quite effective! The first time around with ActiveX / Dranzer was too much for us (CERT) to handle. Second time with Android / Tapioca was too much for Mitre/CVE to handle. Third time might be the charm?
2 replies 0 retweets 3 likes -
Replying to @wdormann @attritionorg and
I'd argue that Tapioca was too hard for everybody to handle. IIRC, there wasn't analysis about what data the app sent/received and whether that data's integrity&privacy was essential (i.e. might not be a vuln). Likely there were apps pulling irrelevant data getting flagged
2 replies 0 retweets 2 likes -
Replying to @SushiDude @wdormann and
Our biggest issue is that even days after disclosure, so many of the apps were vanishing off the Play Store, making it hard to capture affected version, vendor name, and more, where it was missing in the original Sheet.
1 reply 0 retweets 3 likes
Indeed. In hindsight, I should have captured more metadata at crawl time when I was doing that project. I hadn't predicted: 1) Certain fields such as the human-readable name being missing from the crawler data. 2) The amount of churn present in the Play store.
-
-
Replying to @wdormann @RiskBased and
3) the amount of apps that would get yanked within days of the disclosure That is the one that surprised me the most.
1 reply 0 retweets 1 like -
Replying to @attritionorg @wdormann and
any theories as to why some apps got yanked so fast? Also, some oss-hobbyist projects would get yanked by their dev after the first vuln, so I'm not clear what was surprising for tapioca-affected apps. I don't recall how much media attention there was
1 reply 0 retweets 0 likes - 2 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.