Snyk Security Labs Blog Archive

Showing 13 - 20 of 20

Zero-day remote code execution vulnerability in Gitpod via WebSocket

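In this post, we present the results of Snyk's latest research into cloud development environments (CDEs): a complete account takeover achieved by visiting a link, exploiting a commonly misunderstood vulnerability (WebSocket hijacking), and leveraging a practical SameSite cookie bypass.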

Breaking down the ’critical’ OpenSSL vulnerability

In this post we’ll break down the two OpenSSL vulnerabilities, look at whether or not the level of attention this received is warranted, and how concerned we should actually be.

Phony PyPi package imitates known developer

A recent interesting finding in the Python Package Index (PyPi) attempted to imitate a known open source developer through identity spoofing. Upon further analysis, the team uncovered that the package, raw-tool, was attempting to hide malicious behavior using base64 encoding, reaching out to malicious servers, and executing obfuscated code. In this post, we’re going to take a deeper look at that vulnerability, but first let’s take a look at how our researchers discovered it.

Snyk discovers PyPi malware that steals Discord and Roblox credentials and payment information

We describe newly discovered PyPi malware that attempts to steal credentials and payment information from Discord and Roblox users.

Mitigating and remediating intent-based Android security vulnerabilities

In part 3 of this series, we wrap things up by offering recommendations for mitigating and remediating intent-based Android security vulnerabilities. We also go over advice directly from Google Play.

Hunting intent-based Android security vulnerabilities with Snyk Code

We used Snyk Code to hunt for intent-based Android security vulnerabilities across 10,000 popular apps on Google Play. Learn about what we found.

Deep dive into Visual Studio Code extension security vulnerabilities

Snyk has found severe vulnerabilities in popular VS Code extensions, enabling attackers to compromise local machines as well as build and deployment systems through a developer’s IDE. Learn how they work and how to protect your code.

Exploring intent-based Android security vulnerabilities on Google Play

Intents are used by internal components to communicate with each other as well as to access exported components of other applications, which opens the door for malicious attacks. In this post, we’ll explore intent-based Android security vulnerabilities to see why and how they work.
