SecurityWeek | April 01, 2019
A change made several months ago in an open-source JavaScript library introduced a cross-site scripting (XSS) vulnerability in Google Search and likely other Google products. Japanese security researcher Masato Kinugawa discovered what appeared to be an XSS vulnerability in Google Search. Such a security hole can pose a serious risk and it could be highly useful to malicious actors for phishing and other types of attacks. According to an analysis conducted by LiveOverflow, the XSS vulnerability was introduced by the use of a library named Closure and its failure to properly sanitize user input. Closure is a broad JavaScript library designed by Google for complex and scalable web applications. The tech giant has made the library open source and still uses it for many of its applications, including Search, Gmail, Maps and Docs. The vulnerability was apparently introduced on September 26, 2018, when someone removed a sanitization mechanism reportedly due to some user interface design issues. It was addressed on February 22, 2019, when the change made in September 2018 was reverted. Google is said to have patched the vulnerability shortly after learning of its existence. Comments posted by developers when the rollback was done confirmed that the issue was related to an HTML sanitizer and that it introduced an XSS flaw in the Google Web Server (GWS) software.
eWeek | December 13, 2018
In a bid to make its Lightning software more accessible to a broader range of developers, Salesforce announces that developers can now use the popular Web development language JavaScript to create Lightning Web Components. Companies interested in doing more with Lightning, the Salesforce application framework that underpins its customer relationship management platform, suddenly have a lot more options. On Dec. 13, Salesforce.com announced plans to let developers use JavaScript to create Lightning Web Components. Previously, Lightning developers were limited to Salesforce’s own, less widely used Aura programming model to build Lightning Components. Salesforce officials said when Lightning was launched five years ago it used the modular Aura to promote a component model because there was no clear standard for building large-scale client-side applications for the Web. Since then, JavaScript has emerged as a clear winner. “One of the core technologies powering the internet is JavaScript, which is used in 95 percent of the websites out there and IDC estimates there are 7 million JavaScript developers,” Anne DelSanto, executive vice president and general manager for Platform at Salesforce, told eWEEK. “At the same time, there’s a massive shortage of developers in the U.S., with over 250,000 jobs unfilled, and that lack of talent slows innovation. We want to make sure we are empowering companies to leverage existing skills without having to train for specific languages.”
SecurityWeek | June 06, 2018
A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more. Dubbed Zip Slip and discovered by Snyk Security, the vulnerability exists when the code that extracts files from an archive doesn’t validate the file paths in the archive. The security flaw was responsibly disclosed to the impacted parties starting in mid-April and is said to impact thousands of projects. The issue has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go. According to Snyk Security, Java has been impacted the most, as it lacks a central library for the high-level processing of archive files. Because of that, vulnerable code snippets “were being hand crafted and shared among developer communities such as StackOverflow,” the security researchers explain. Exploitation is possible via a specially crafted archive containing directory traversal filenames. Numerous archive formats are affected by the bug, including tar, jar, war, cpio, apk, rar and 7z. “Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive,” Snyk Security explains.
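The path validation that Snyk says the vulnerable extraction code lacks, as an added Python example that is not from the article or from Snyk: each entry name is canonicalised against the extraction directory before any file is written, and entries that would land outside it are rejected. The sample archive and its entry names are constructed here for the demonstration; Python's own `ZipFile.extract` already strips such names, so the check matters for hand-rolled extraction loops like the ones the article describes.

```python
# Added example, not Snyk's or the article's code; entry names below are constructed.
import io
import os
import tempfile
import zipfile

def resolve_inside(dest: str, member_name: str):
    """Absolute target for member_name, or None if it would land outside dest
    (absolute name, '..' segments, or another drive on Windows)."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member_name))
    try:
        return target if os.path.commonpath([root, target]) == root else None
    except ValueError:  # paths on different Windows drives
        return None

def safe_extract(zip_bytes: bytes, dest: str):
    """Extract only entries that stay under dest; return (written, rejected).
    A naive open(os.path.join(dest, name), 'wb') loop skips this check."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_inside(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def build_sample_zip() -> bytes:
    """Constructed archive: one normal entry plus two traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.txt", "ok")
        zf.writestr("../../outside.txt", "would escape via ..")
        zf.writestr("/tmp/absolute.txt", "would escape via absolute path")
    return buf.getvalue()

def demo():
    """Run the check against the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_zip(), d)
```

The same canonicalise-then-compare check applies to tar, jar and the other formats the article lists; tar additionally needs link targets checked, which this zip-only example does not cover.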