Infosec Reading List – October 2018

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports – but you will also find other recommendations from time to time.
All InfoSec Reading Lists can be found here.
Best of Twitterverse
InfoSec
- An interesting Google vulnerability that got me 3133.7 reward. – putting GET-request data into POST-request fields is probably not the best idea – link
- GoogleMeetRoulette: Joining random meetings – link
- Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies – “Much like innerHTML, use of dangerouslySetInnerHTML is, well, dangerous and can cause lead to XSS like what occurred in the Signal Desktop app.” – link
- Catching phishing before they catch you – early phishing warning system based on certstream API – nice – link
- Unauth meetings access – “When decoded this base64 string includes the phone number and the pin for the meeting” – link
- Password and Credential Management in 2018 – this article has indeed some interesting aspects that should be considered – “Before we send the username and password over the wire we perform a single SHA3-512 round on the plain-text password plus a unique name for our service” – “There is no way we could ever accidentally store the user’s plain-text password in our logging system, unlike GitHub and Twitter, which both admitted in May 2018, that they have found plain-text passwords in their logging systems.” – interesting thoughts – to ensure the plaintext password will never leave the client side – link
- IoT Pentesting 101 && IoT security 101 – link
- So, you want to be a darknet drug lord… – link
- Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges – “Next, call an endpoint (e.g., cgi_get_ssh_pw_status) that requires admin privileges and authenticate as admin by adding the cookie username=admin.” – link
- Local file inclusion at IKEA.com – “The used PDF library contains (hidden) functionality that allows one to embed files into the PDF by adding a specific tag in the template.” – link
- RCE by uploading a web.config – link
- How I “found” the database of the Donald Daters App – link
- How I hacked modern Vending Machines – link
Outdoors
- Chile Opens 1,700-Mile Hiking Trail Connecting 17 National Parks – it needs to verified how much is really through-hiking here and how much needs to be done by car – link – link
- Ruta de Los Seis Miles, Norte – added to bucket list – perhaps could even combined with the Chile Trails mentioned above? – some of these areas have already been covered by my previous trips – link norte – link sur
- Iceland Divide (North-South) – yet another entry on the bucket list although I spent already 1 month in Iceland a few years ago – it’s definitively a place to go back – link
Pingback: Infosec Reading List – April 2019 | Dominik Birk