Hello and welcome to the Wednesday, November 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals. And just as a reminder, this is the last podcast for this week, given the Thanksgiving holiday coming up.

CISA published a quick announcement here that they're seeing some attacks against messaging applications. The attacks themselves are not new. They're really sort of highlighting three different attacks here. One is the use of QR codes, which sometimes can be used in order to trick a victim into adding an attacker's device to their account. And then, of course, that attacker device does have access to your messages, even in some cases for end-to-end encrypted applications. Also, the exploitation of bugs in the application itself. That's then, sort of in some cases, these very dangerous zero-click attacks. iMessage and WhatsApp in the past have been hit by these vulnerabilities. And lastly, also, well, that's probably the hardest to defend against, impersonation, where someone is just claiming to be a different person in a messaging app. So always be careful to verify who you are talking to. I just want to point out something that isn't sort of explicitly stated here. They're talking about WhatsApp and Signal, Signal in particular being famous for its very robust end-to-end encryption. Just remember, end-to-end encryption means that at the end, the messages are still readable. So if the attacker does have access to, like, a keystroke logger or the ability to take screenshots, then usually that end-to-end encryption doesn't really do much, even if the application is rather careful in how they're dealing with these messages on the end-user system, like how they're then encrypting them.

Well, then we have some interesting research from watchTowr again. And this time it's, for a change, not an easily exploitable vulnerability in some kind of enterprise endpoint security device. Instead, it's, well, basically users shooting themselves in the foot by posting company secrets like passwords into publicly accessible websites. Now, why would you do this? We're not talking about phishing here. The problem is websites like, and they're mentioning here as an example, a JSON prettifier website, which basically makes JSON look prettier. Well, people just post company data into these websites, and then they get the prettier version of the JSON. Personally, jq always did a great job with that for me, and usually I don't really care how pretty my JSON looks. But in particular with the JSON prettifier, and you also have, like, a code prettifier website, it works very similarly. There is an option to save the data that you just posted on the website. But there should be a hint that this is not secure, because it never really asks you to set up an account for that website. It's really sort of more like a pastebin-like system. And these snippets that people are storing are easily recovered by anybody who is just guessing the ID. So this, as watchTowr found out, led to thousands of secrets being leaked from very big companies, including some security companies. They're not naming any victims here, but it's pretty obvious that a large number of companies are affected by this. And of course, the websites they're pointing out here are certainly not the only websites like this that are performing actions like this. Well, for the first part, you should never really post data like this into a random website. And then always look for an alternative. Like I mentioned, jq does, in my opinion, a very nice job in formatting JSON. Pretty many IDEs are doing a good job in prettifying code snippets. And a local solution is usually preferred here. Like, as another example here that's not mentioned here, but the famous CyberChef that is being used to resolve various encodings. Well, it's written to actually work on the client exclusively. And you can just download that JavaScript. And, well, we all trust GCHQ. So they probably won't send it off anywhere where it's not supposed to go. And as long as you deal with these tools locally, well, you don't have the problem of leaking your secret data.

And talking about trusting other people's systems, of course, the cloud is a system that we happily throw all of our most secret data into, hoping that by paying a lot of money, they keep it somewhat secure. Well, many of these cloud providers are using Fluent Bit, a platform that's being used to manage their cloud environments. And you have a couple of new serious vulnerabilities here, nothing you really have to or can do about it. So don't worry about it. Just hope that your cloud provider applied the fixes. In case you're using it internally, which is unlikely, but possible, well, please, please update.

Well, and that's it for today. So thanks again for listening. Hope everybody in the US has a good Thanksgiving. And the next podcast will be on Monday. Bye. Thank you.
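The local alternative suggested above, as an added example that is not part of the podcast or of watchTowr's research: a JSON prettifier that runs entirely on the local machine and, before the output is shared anywhere, redacts fields whose key name or value shape looks like a credential. The key-name and value patterns and the sample document are constructed for this example.

```python
"""Local JSON prettifier that redacts credential-looking fields before the
output is shared. Added example; not a tool from the podcast or from watchTowr."""
import json
import re

# Key names that commonly hold credentials (assumed list for this example).
SECRET_KEY_RE = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|authorization|private[_-]?key)", re.I)

# Value shapes that look like credentials even under an innocent key name.
# Patterns are constructed for this example; extend them for your environment.
SECRET_VALUE_RE = re.compile(
    r"^(AKIA[0-9A-Z]{16}"                    # AWS access key id shape
    r"|ghp_[A-Za-z0-9]{36}"                  # GitHub personal access token shape
    r"|eyJ[\w-]+\.[\w-]+\.[\w-]+"            # JWT shape
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----)", re.S)


def _redact(node, path, findings, key=""):
    """Walk the parsed document; replace secret-looking string leaves and
    record the JSONPath-style location of each one."""
    if isinstance(node, dict):
        return {k: _redact(v, f"{path}.{k}", findings, k) for k, v in node.items()}
    if isinstance(node, list):
        return [_redact(v, f"{path}[{i}]", findings) for i, v in enumerate(node)]
    if isinstance(node, str) and (SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(node)):
        findings.append(path)
        return "[REDACTED]"
    return node


def prettify_locally(raw):
    """Return (pretty_json, redacted_paths). Nothing leaves the local machine,
    unlike the pastebin-style prettifier sites that save snippets under guessable IDs."""
    findings = []
    cleaned = _redact(json.loads(raw), "$", findings)
    return json.dumps(cleaned, indent=2, sort_keys=True), findings


# Constructed sample resembling a config blob someone might paste into a web prettifier.
SAMPLE = ('{"service":"billing","db":{"host":"db.internal","password":"hunter2"},'
          '"aws_key":"AKIAIOSFODNN7EXAMPLE","notes":["deploy ok",{"apiKey":"k-123"}]}')

if __name__ == "__main__":
    text, hits = prettify_locally(SAMPLE)
    print(text)
    print("redacted:", hits)
```

The `aws_key` entry is caught by value shape rather than key name, which is why both checks are kept.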