Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
Steiner wrote this week that the original coder deleted their account as soon as F-Droid’s maintainers attempted to review the code, and that he thinks that the user’s behavior, as well as “all the attention from random new accounts” has led him to believe “it could be a deliberate attempt to insert the vuln.”
This is pretty significant: the first documented case of these tactics being used to insert a vulnerability, apart from xz. So probably the same actors have been trying this on multiple projects.
I hope other maintainers who have experienced similar pressure tactics will come forward, even if they’re not aware of any backdoors. For any project where this has taken place and the code was merged, the code and commit history needs to be audited.
🚨 A new hacker group, #GambleForce, is behind a string of #SQLinjection attacks across Asia-Pacific. Learn how they use basic techniques to steal sensitive data.
.NET developers: is there any indication that parameterized SQL queries using System.Data.SqlClient.SqlCommand do not protect against SQL injection?
A new developer on a project believes that it's necessary to detect and block parameterized queries if their parameters contain SQL keywords, otherwise the database can potentially execute them as SQL. I cannot find evidence of this, or reproduce it.
Do parameterized queries have known vulnerabilities?
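As an added illustration of the question above (not code from any poster), the following uses Python's sqlite3 driver as a stand-in for System.Data.SqlClient.SqlCommand, since both compile the statement first and then bind parameter values as data rather than splicing them into the SQL text; it compares string concatenation with a bound parameter when the input contains SQL syntax. The table, rows and inputs are constructed.

```python
import sqlite3

# Constructed in-memory sample data, not taken from any real system.
ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable: the value becomes part of the statement text, so any
    # quotes or keywords inside it are parsed as SQL.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Safe: the statement is compiled with a placeholder; the value is
    # bound afterwards and compared as an opaque string, never parsed.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def store_parameterized(conn, name, email):
    # Bound values that look like SQL are stored verbatim; nothing runs.
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, email))
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def table_exists(conn):
    sql = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    return conn.execute(sql).fetchone()[0] == 1


if __name__ == "__main__":
    conn = make_db()
    tricky = "bob' OR 'a'='a"  # constructed input containing SQL syntax
    print(lookup_concatenated(conn, tricky))   # every row: the input altered the WHERE clause
    print(lookup_parameterized(conn, tricky))  # no rows: no user is literally named that
    print(store_parameterized(conn, "SELECT", "DROP TABLE users"))  # stored as plain text
    print(table_exists(conn))                  # True
```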
>The Government of Nova Scotia, which uses MOVEit to share files across departments, also confirmed it was affected, and said in a statement that some citizens’ personal information may have been compromised. However, in a message on its leak site, Clop said, “if you are a government, city or police service… we erased all your data.”
How in the hell do you still have #SQLInjection vulnerable frontends in this day and age in government-used systems? Has no one heard of #PreparedQueries and #StoredProcedures? What, did they hire some intern with no supervision for writing a high-liability system?
Bullying in Open Source Software Is a Massive Security Vulnerability (www.404media.co)