Paragon Initiative Enterprises conducted a comprehensive code review of the JPaseto library and discovered one medium-severity vulnerability, which was promptly fixed.
One of our clients built an app upon a platform called Qbix and hired us to do a pre-launch code audit of their app as well as Qbix's platform.
The Bytejailcore audit is our most comprehensive investigation to date, and we are happy to say that we did not find any security-affecting vulnerabilities or cryptographic weaknesses.
Our investigation of the Bytejail client software did not uncover any security vulnerabilities, cryptographic weaknesses, or anything resembling a backdoor. Users' sensitive credentials are never transmitted, and even error messages are anonymized and encrypted before they are sent to the developers.
After a comprehensive code review of the TahoeSmart and TahoeWorker projects, we did not identify any security vulnerabilities in either project. However, our investigation did uncover a few helper classes that could benefit from security enhancements.
After reviewing the Bytejail console source code, we have identified three security issues: one of medium severity and two of low severity. All three are related to cryptography and believed to be difficult for an attacker to exploit.
We did not find any security vulnerabilities in the JWT library itself; however, we did find a previously undiscovered cryptographic vulnerability in one of its dependencies.
Paragon Initiative Enterprises conducted a comprehensive code review of the NaclKeys project and discovered no security vulnerabilities.
There are several instances where data pulled from $_POST (i.e. inside a foreach loop) is passed directly to unserialize(). As a consequence, SMF is vulnerable to PHP Object Injection and possibly remote code execution.
The Zend\Crypt\RSA\PublicKey class in affected versions of Zend Framework's cryptography library is vulnerable to padding oracle attacks, as first demonstrated by Daniel Bleichenbacher in 1998. The RSA padding oracle attack was further optimized by Steel, et al. in 2012. This vulnerability is specific to PKCS1v1.5 padding; RSA-OAEP is unaffected.
Back-of-the-envelope math: If you can perform 25 attempts per second using the Steel method, you can decrypt any message encrypted with 1024-bit RSA using a vulnerable version of Zend\Crypt in about 10 minutes (median).
Our chief development officer looked at the cryptography library provided by the Joomla CMS and found numerous cryptography flaws; the most critical (pertaining to JCryptCipherSimple) being a home-grown cipher best described as XOR-ECB. It's relatively trivial to recover the key if you know the plaintext (especially if the plaintext is at least 256 characters long).
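The key recovery described above, as an added example that is not Joomla's code: a stand-in repeating-key XOR cipher (the "XOR-ECB" shape), a known-plaintext key recovery, and the partial recovery you still get with less than a key's worth of known plaintext. The 256-byte key length is an assumption drawn from the 256-character remark, and the plaintexts are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not Joomla's code: a stand-in for a repeating-key XOR
// ("XOR-ECB") cipher and a known-plaintext key recovery against it.
// Assumption: the key is 256 bytes long, matching the 256-character hint above.

function xorWithKey(string $data, string $key): string
{
    // Repeat the key to cover the data; PHP's string ^ XORs byte by byte and
    // truncates to the shorter operand, so the result has strlen($data) bytes.
    $stream = str_repeat($key, intdiv(strlen($data), strlen($key)) + 1);
    return $data ^ $stream;
}

function xorEcbEncrypt(string $plaintext, string $key): string
{
    return bin2hex(xorWithKey($plaintext, $key));   // hex output is cosmetic
}

function xorEcbDecrypt(string $hex, string $key): string
{
    return xorWithKey(hex2bin($hex), $key);         // XOR is its own inverse
}

function recoverKey(string $knownPlaintext, string $ciphertextHex): string
{
    // C = P ^ K, so K = P ^ C: every known plaintext byte reveals the key byte
    // used at that position. 256 known bytes recover the whole 256-byte key;
    // fewer still recover a prefix that decrypts the start of every message.
    $c = hex2bin($ciphertextHex);
    $n = min(strlen($knownPlaintext), strlen($c), 256);
    return substr($knownPlaintext, 0, $n) ^ substr($c, 0, $n);
}

function demo(): bool
{
    $key = random_bytes(256);
    $secret = 'db_password=correct horse battery staple';   // constructed secret
    $ctSecret = xorEcbEncrypt($secret, $key);

    // The attacker knows one 256-byte plaintext and its ciphertext (a fixed
    // template, a default config, anything predictable under the same key).
    $known = str_repeat('A', 256);
    $ctKnown = xorEcbEncrypt($known, $key);

    $fullKey = recoverKey($known, $ctKnown);
    $fullOk = ($fullKey === $key) && (xorEcbDecrypt($ctSecret, $fullKey) === $secret);

    // With only 40 known bytes, the first 40 bytes of every message still fall.
    $partialKey = recoverKey(substr($known, 0, 40), $ctKnown);
    $partialOk = substr(xorEcbDecrypt($ctSecret, $partialKey), 0, 40) === substr($secret, 0, 40);

    return $fullOk && $partialOk;
}

if (!demo()) {
    throw new RuntimeException('key recovery failed');
}
echo "XOR-ECB key recovered from a single known plaintext\n";
```

Because the keystream never changes between messages, one known plaintext/ciphertext pair under a key compromises every other message encrypted under it; no amount of hex encoding or key length changes that.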
The usual suspects for security vulnerabilities in PHP cryptography (chosen-ciphertext attacks, an insecure fallback in the CSPRNG) were also found.
Total investigation time: 30 minutes. Imagine what we could do for the security of your projects in days.
AnchorCMS is a popular blogging platform that focuses on being lightweight and super simple. We discovered an unfortunate vulnerability that is both easy to exploit remotely and high in impact.
Minds.com is a social network and mobile app that claims to offer encrypted chat to its users. After a brief investigation, we discovered that the clients would blindly accept arbitrary RSA public keys from the server, and that messages were encrypted with RSA using PKCS1 padding.
Tutanota, which offers a free encrypted email app, does not authenticate its ciphertexts with a MAC. Two others (Steve Weis and Richard) had already alerted the development team to this implementation flaw and their report was dismissed.
RNCryptor's MAC validation suffers from timing leaks and type confusion vulnerabilities.
There were two symmetric cryptography strategies bundled with Friendica. One used ECB mode, the other used CBC mode. Neither implementation used encryption or authentication correctly.
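An added example, not Tutanota's or Friendica's code, of what a missing MAC costs (the Tutanota and Friendica findings above). The first half shows CBC malleability: an attacker edits a field of the plaintext by XORing the IV, and nothing detects it. The second half adds encrypt-then-MAC so the same edit is rejected before anything is decrypted. The keys, the hash_hkdf key split, and the message are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not Tutanota's or Friendica's code. Shows that CBC without a
// MAC is malleable (an attacker can edit the plaintext through the ciphertext
// undetected) and adds encrypt-then-MAC so tampered ciphertexts are rejected
// before decryption. Keys and the message are constructed for the demo.

const DEMO_CIPHER = 'aes-256-cbc';

function cbcEncryptNoMac(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(DEMO_CIPHER));
    $ct = openssl_encrypt($plaintext, DEMO_CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct;   // IV || ciphertext, no integrity protection
}

function cbcDecryptNoMac(string $blob, string $key): string|false
{
    $ivLen = openssl_cipher_iv_length(DEMO_CIPHER);
    return openssl_decrypt(substr($blob, $ivLen), DEMO_CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
}

function encryptThenMac(string $plaintext, string $encKey, string $macKey): string
{
    $blob = cbcEncryptNoMac($plaintext, $encKey);
    return $blob . hash_hmac('sha256', $blob, $macKey, true);   // IV || CT || tag
}

function verifyThenDecrypt(string $blob, string $encKey, string $macKey): string
{
    if (strlen($blob) < 32) {
        throw new RuntimeException('ciphertext too short');
    }
    $body = substr($blob, 0, -32);
    $tag  = substr($blob, -32);
    // Verify first, in constant time; on a bad tag nothing is decrypted.
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $tag)) {
        throw new RuntimeException('MAC mismatch: ciphertext rejected');
    }
    $pt = cbcDecryptNoMac($body, $encKey);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// CBC bit-flipping: XORing byte $i of the IV with ($from ^ $to) turns byte $i
// of the first plaintext block from $from into $to; the ciphertext is untouched.
function flipFirstBlockByte(string $blob, int $i, string $from, string $to): string
{
    $blob[$i] = $blob[$i] ^ ($from ^ $to);
    return $blob;
}

function demo(): array
{
    $master = random_bytes(32);
    $encKey = hash_hkdf('sha256', $master, 32, 'encryption');      // separate keys
    $macKey = hash_hkdf('sha256', $master, 32, 'authentication');  // for enc and MAC
    $msg = 'amount=0010;to=bob';

    // 1. No MAC: flip two IV bytes and the amount silently becomes 9910.
    $blob = cbcEncryptNoMac($msg, $encKey);
    $blob = flipFirstBlockByte($blob, 7, '0', '9');
    $blob = flipFirstBlockByte($blob, 8, '0', '9');
    $tampered = cbcDecryptNoMac($blob, $encKey);

    // 2. Encrypt-then-MAC: the same edit is caught by the tag check.
    $sealed = flipFirstBlockByte(encryptThenMac($msg, $encKey, $macKey), 7, '0', '9');
    $rejected = false;
    try {
        verifyThenDecrypt($sealed, $encKey, $macKey);
    } catch (RuntimeException $e) {
        $rejected = true;
    }
    $roundTrip = verifyThenDecrypt(encryptThenMac($msg, $encKey, $macKey), $encKey, $macKey) === $msg;

    return ['tampered' => $tampered, 'rejected' => $rejected, 'round_trip' => $roundTrip];
}

$r = demo();
if ($r['tampered'] !== 'amount=9910;to=bob' || !$r['rejected'] || !$r['round_trip']) {
    throw new LogicException('demo did not behave as expected');
}
echo "unauthenticated CBC decrypted to: {$r['tampered']}\n";
```

ECB, the other mode found in Friendica, fares no better: it is equally unauthenticated and additionally leaks which plaintext blocks repeat. The design choices here are the standard ones: distinct keys for encryption and authentication, the tag computed over IV and ciphertext, and the tag checked with hash_equals() before any decryption or padding check runs.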
The Laravel 5 package for integrating with Yubikey lacked a CSPRNG for nonce generation. Furthermore, it was comparing HMAC-SHA1 signatures with PHP's == operator. We informed the maintainer and sent a pull request to fix these issues.
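An added example, not the Laravel/Yubikey package's or RNCryptor's code, covering the MAC comparison and nonce findings above (the RNCryptor timing and type-confusion issue and the Yubikey package's == comparison and missing CSPRNG). It shows why == on hex digests is unsafe in PHP, the constant-time replacement, a CSPRNG nonce, and a response check that binds the signature to the nonce. The response format is modelled on Yubico's validation protocol v2.0 and is an assumption of this example, as are the API key and response fields.

```php
<?php
declare(strict_types=1);
// Added example, not the Laravel/Yubikey package's or RNCryptor's code. Shows
// why comparing MACs with == is unsafe in PHP, the constant-time replacement,
// a CSPRNG nonce, and a response check that binds the signature to the nonce.
// The response format is modelled on Yubico's validation protocol v2.0 and is
// an assumption of this example, as are the API key and fields used below.

function weakVerify(string $message, string $key, string $providedMac): bool
{
    // The flawed pattern: == on hex digests. Non-numeric strings are compared
    // with an early-exit memcmp (timing leak); numeric-looking strings such as
    // "0e123..." are converted to floats first (type juggling).
    return hash_hmac('sha1', $message, $key) == $providedMac;   // VULNERABLE
}

function strictVerify(string $message, string $key, string $providedMac): bool
{
    // hash_equals() compares byte for byte, in time independent of where the
    // first difference is, and never coerces its arguments.
    return hash_equals(hash_hmac('sha1', $message, $key), $providedMac);
}

// Two different md5 digests that both look like 0e<digits>: == treats them as
// the number 0 and calls them equal. Known md5 preimages are used because they
// are short; the operator bug is the same for any hex-encoded digest.
function looseDigestCollision(): array
{
    $a = md5('240610708');
    $b = md5('QNKCDZO');
    return ['distinct' => $a !== $b, 'loose_equal' => $a == $b, 'hash_equals' => hash_equals($a, $b)];
}

function makeNonce(): string
{
    // The validation protocol wants 16..40 random characters. 20 CSPRNG bytes,
    // hex-encoded, give 40 unpredictable characters; mt_rand()/uniqid() do not.
    return bin2hex(random_bytes(20));
}

// Signature over the response (assumed format): drop h, sort the remaining
// fields by name, join as k=v with '&', HMAC-SHA1 with the base64-decoded API
// key, base64-encode the tag.
function signFields(array $fields, string $apiKeyB64): string
{
    unset($fields['h']);
    ksort($fields, SORT_STRING);
    $pairs = [];
    foreach ($fields as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), base64_decode($apiKeyB64, true), true));
}

function verifyResponse(array $fields, string $apiKeyB64, string $expectedNonce): bool
{
    $provided = (string)($fields['h'] ?? '');
    $nonceOk = hash_equals($expectedNonce, (string)($fields['nonce'] ?? ''));
    $macOk = hash_equals(signFields($fields, $apiKeyB64), $provided);
    return $nonceOk && $macOk;   // both checks always run; no early return on the MAC
}

function demo(): array
{
    $apiKeyB64 = base64_encode(random_bytes(20));   // constructed API key
    $nonce = makeNonce();
    $fields = ['status' => 'OK', 'nonce' => $nonce, 'otp' => 'ccccccexampleotp', 't' => '2015-01-01T00:00:00Z0000'];
    $fields['h'] = signFields($fields, $apiKeyB64);

    $genuine = verifyResponse($fields, $apiKeyB64, $nonce);

    $replayOk = verifyResponse($fields, $apiKeyB64, makeNonce());   // valid h, stale nonce

    $forged = $fields;
    $forged['status'] = 'REPLAYED_OTP';                              // body edited, h unchanged
    $forgedOk = verifyResponse($forged, $apiKeyB64, $nonce);

    return ['genuine' => $genuine, 'replay_accepted' => $replayOk, 'forgery_accepted' => $forgedOk];
}

$r = demo();
$c = looseDigestCollision();
if (!$r['genuine'] || $r['replay_accepted'] || $r['forgery_accepted']
    || !$c['distinct'] || !$c['loose_equal'] || $c['hash_equals']) {
    throw new LogicException('demo did not behave as expected');
}
echo "== called two different digests equal; hash_equals() did not\n";
```

weakVerify() is kept only to show the pattern being replaced; a predictable nonce would let an attacker replay a captured response, and a non-constant-time comparison lets the signature be forged one byte at a time, which is why the fix needs both random_bytes() and hash_equals().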
Laravel developers that (a) stored their session state inside of a cookie and (b) turned session encryption off were vulnerable to PHP Object Injection, which can lead to Remote Code Execution under the right conditions.
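An added example, not SMF's or Laravel's code, for the two PHP Object Injection findings on this page (the SMF unserialize() calls on $_POST data and the Laravel session-in-cookie case). A harmless-looking class with a __destruct side effect stands in for a gadget; unserialize() on attacker-controlled input instantiates it with attacker-chosen properties. It then shows unserialize() with class instantiation disabled, and an HMAC-sealed cookie so only server-produced serialized data is ever accepted. The class, the temp file, the key and the payload are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not SMF's or Laravel's code. A harmless-looking class with a
// __destruct side effect stands in for a gadget; unserialize() on
// attacker-controlled input instantiates it with attacker-chosen properties.
// Then: unserialize() with class instantiation disabled, and an HMAC-sealed
// cookie so only server-produced serialized data is ever accepted.
// Paths, keys and the payload are constructed for the demo.

final class TempFileCleanup
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        // Legitimate use: delete a temp file when its owner goes away.
        // Under object injection, $path is whatever the attacker serialized.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

function vulnerableHandler(array $post): void
{
    foreach ($post as $value) {
        $obj = unserialize($value);   // VULNERABLE: any class, any properties
        // The handler need not even touch $obj: __destruct runs when it is freed.
    }
}

function hardenedUnserialize(string $value): mixed
{
    // allowed_classes => false (PHP >= 7.0): objects in the payload become
    // __PHP_Incomplete_Class, whose magic methods (__wakeup, __destruct) never run.
    // Where the data is plain scalars/arrays, json_decode($value, true) is better still.
    return unserialize($value, ['allowed_classes' => false]);
}

// For state that must live in a cookie: authenticate it, and unserialize only
// after the tag verifies, so the client can read but not alter it.
function sealCookie(string $serialized, string $key): string
{
    return base64_encode($serialized) . '.' . hash_hmac('sha256', $serialized, $key);
}

function openCookie(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $serialized = base64_decode($parts[0], true);
    if ($serialized === false || !hash_equals(hash_hmac('sha256', $serialized, $key), $parts[1])) {
        return null;
    }
    return $serialized;   // only now is unserialize() acceptable: this came from the server
}

function demo(): array
{
    $victim = tempnam(sys_get_temp_dir(), 'victim');   // the file the attacker wants gone
    $payload = sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

    vulnerableHandler(['anyfield' => $payload]);
    $deletedByGadget = !file_exists($victim);

    touch($victim);
    $obj = hardenedUnserialize($payload);
    $survivedHardened = file_exists($victim) && $obj instanceof __PHP_Incomplete_Class;

    $key = random_bytes(32);
    $cookie = sealCookie(serialize(['user_id' => 42]), $key);
    $tampered = base64_encode($payload) . '.' . explode('.', $cookie)[1];   // swapped body, old tag
    $cookieOk = openCookie($cookie, $key) === serialize(['user_id' => 42]);
    $tamperedRejected = openCookie($tampered, $key) === null;

    unset($obj);
    @unlink($victim);
    return compact('deletedByGadget', 'survivedHardened', 'cookieOk', 'tamperedRejected');
}

$r = demo();
if (in_array(false, $r, true)) {
    throw new LogicException('demo did not behave as expected: ' . json_encode($r));
}
echo "unserialize() ran the gadget; allowed_classes=false and the sealed cookie did not\n";
```

The payload here is typed by hand rather than produced with serialize(), because building a real TempFileCleanup on the attacker's side would run its destructor too. In a real application the gadget is whatever class in the codebase or its dependencies does something useful in __wakeup, __destruct or __toString, which is why the fix is to keep attacker input away from unserialize() altogether rather than to audit every class.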
Will tomorrow bring costly and embarrassing data breaches? Or will it bring growth, success, and peace of mind?
Our team of technology consultants has extensive knowledge and experience with application security and web/application development.
We specialize in cryptography and secure PHP development.
Want the latest from Paragon Initiative Enterprises delivered straight to your inbox? We have two newsletters to choose from.
The first mails quarterly and often showcases our behind-the-scenes projects.
The other is unscheduled and gives you a direct feed into the findings of our open source security research initiatives.