👩💻IW Weekly #102: Raining RCEs on Citrix, Microsoft Outlook and Fortigate, Security flaws in ChatGPT and third-party plugins, CRLF Injection, and many more…
Welcome to the #IWWeekly102 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Read how @assetnote was able to find an unauthenticated XSS and an RCE on Citrix products.
- @NetSPI was able to find a remote code execution on Microsoft Outlook by abusing the Outlook Forms functionality; read more about the research here.
- @SaltSecurity talks about security flaws in the ChatGPT ecosystem and third-party plugins, which in this case allowed access to accounts on third-party websites and to sensitive data.
- The @GoogleVRP team draws out a threat model to thwart possible decryption of data as quantum computing becomes more viable; find out about their adoption of post-quantum cryptography (PQC) here.
- @assetnote’s latest research on how they were able to find an RCE on FortiGate SSL VPN resulting in CVE-2024-21762 is super interesting. Do give it a read.
🧵 4 Trending Tweets
- @uraniumhacker shares how testing a payment gateway led to early access to quarterly financial data for multiple companies.
- Discover the lucrative potential of uncovering origin IPs in bug bounty hunting with insights from @thebinarybot.
- Learn in depth about Apache Flink dashboards: what they are, where to find them, and how to identify sensitive data exposure in them, in this insightful guide by @vidocsecurity.
- Explore the narrative of Arbitrary Account Takeover (ATO) through GraphQL in this compelling tweet by @ctbbpodcast.
📽️ 3 Insightful Videos
- Dive into the world of fuzzing techniques using ffuf as @NahamSec walks you through its intricacies, empowering you to uncover vulnerabilities with precision and effectiveness.
- Learn essential recon strategies and avoid common pitfalls in bug bounty hunting with insights from @NahamSec.
- Get a deep-dive into the mysteries of the Tor Browser as @_JohnHammond reveals its secrets in this insightful video.
💼 2 Job Alerts
- Amazon is looking for a Security Engineer to join their application security team in Bengaluru.
- Goldman Sachs is seeking an Associate Security Engineer in Bengaluru.
🎁 1 Special Item
- @moopinger summarizes their takeaways from research by @Black2Fan highlighting some detection methods that helped them find CRLF injections on multiple bug bounty programs.
A word from our sponsor this week
SquareX is a powerful tool that gives you complete control over your digital security in 3 ways:
- A disposable browser to visit all websites without worrying about cyber threats,
- A disposable file viewer to open email attachments and take deals forward with new clients,
- Disposable email addresses to sign up for newsletters, browse websites that mandate sign-up, and control spam emails.
The best part? SquareX is free of cost and works well on every Chrome-based browser to maximize online security and filter out potential threats.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Eeshan V
Newsletter formatting by: Hardik Singh, Ayush Singh, Nithin R, Pawan Gambhir, Ansh Patel
Lots of love
Editorial team,
Infosec Writeups