👩‍💻IW Weekly #102: Raining RCEs on Citrix, Microsoft Outlook and Fortigate, Security flaws in ChatGPT and third-party plugins, CRLF Injection, and many more…

Welcome to the #IWWeekly102 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

1. Read how @assetnote was able to find an unauthenticated XSS and an RCE on Citrix products.
2. @NetSPI was able to find a Remote Code execution on Microsoft Outlook by abusing the Outlook Forms functionality, read more about the research here.
3. @SaltSecurity talks about security flaws with the ChatGPT ecosystem and third-party plugins, which in this case allowed access to accounts on third-party websites and sensitive data.
4. The @GoogleVRP team draws out a threat-model to thwart possible decryption of data as quantum computing becomes more viable, find out about their adoption of post-quantum cryptography (PQC) here.
5. @assetnote’s latest research on how they were able to find an RCE on FortiGate SSL VPN resulting in CVE-2024-21762 is super interesting. Do give it a read.

🧵4 Trending Tweets

1. @uraniumhacker shares how testing a payment gateway led to early access to quarterly financial data for multiple companies.
2. Discover the lucrative potential of uncovering origin IPs in bug bounty hunting with insights from @thebinarybot.
3. Learn in depth about Apache Flink Dashboards - what they are, where to find them all along with insights on identifying sensitive data exposure in this insightful guide by @vidocsecurity.
4. Explore the narrative of Arbitrary Account Takeover (ATO) through GraphQL in this compelling tweet by @ctbbpodcast.

📽️ 3 Insightful Videos

1. Dive into the world of Fuzzing techniques using ffuf as @NahamSec walks you through its intricacies, empowering you to uncover vulnerabilities with precision and effectiveness
2. Learn essential recon strategies and avoid common pitfalls in bug bounty hunting with insights from @NahamSec.
3. Get a deep-dive into the mysteries of the Tor Browser as @_JohnHammond reveals its secrets in this insightful video.

💼 2 Job Alerts

1. Amazon is looking for a Security Engineer to join their application security team in Bengaluru. 
2. Goldman Sachs is seeking an Associate Security Engineer in Bengaluru.

🎁 1 Special Item

1. @moopinger summarizes their takeaways from research by @Black2Fan highlighting some detection methods that helped them find CRLF injections on multiple bug bounty programs.

A word from our sponsor this week

SquareX is a powerful tool to have complete control over your digital security in 3 ways -

1. A disposable browser to visit all websites without worrying about cyber threats,
2. A disposable file viewer to open email attachments and take deals forward with new clients,
3. A disposable email addresses to sign up for newsletters, browse through websites that mandate sign-up, and control spam emails.

The best part? SquareX is free of cost and works well on every Chrome-based browser to maximize online security and filter out potential threats.

Get SquareX today!

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Eeshan V

Newsletter formatting by: Hardik Singh, Ayush Singh, Nithin R, Pawan Gambhir, Ansh Patel

Lots of love
Editorial team,
Infosec Writeups