Attack of the clones 2: Git CLI remote code execution strikes back

Introduction This post is the second part of the story of a vulnerability that could be leveraged as a supply chain attack and used to hack millions of software developers around the world. We will describe all the details of CVE-2020-26233, a vulnerability affecting all versions below 2.0.280 of Git Credential Manager Core in Github CLI […]

Security advisory: Mattermost Mobile for iOS v1.31.0 Authentication Token Leakage and Account Takeover

Advisory information Title: Mattermost Mobile for iOS Authentication Token Leakage and Account Takeover Advisory reference: BLAZE-05-2020 Product: Mattermost Mobile Client for iOS v1.31.0 (Build 293) CVE reference: CVE-2020-13891 Vendor reference: MMSA-2020-0022 Disclosure mode: Coordinated disclosure Product description Mattermost is a flexible, open source messaging platform that enables secure team collaboration. The product is used in […]

Security advisory: Mullvad VPN client for Windows 2020.3 local privilege escalation

Advisory information Title: Mullvad VPN client for Windows 2020.3 local privilege escalation Advisory reference: BLAZE-03-2020 Product: Mullvad 2020.3 for Windows CVE reference: CVE-2020-14197 Disclosure mode: Coordinated Product description Mullvad is a Sweden-based VPN provider with a strong focus on privacy. It has been in business for over 10 years and has a track record in […]

Security advisory: i2p for Windows local privilege escalation

Advisory information Title: i2p for Windows local privilege escalation Advisory reference: BLAZE-02-2020 Product: i2p 0.7.5 to 0.9.45 for Windows CVE reference: CVE-2020-13431 Disclosure mode: Coordinated Product description i2p (The Invisible Internet Project) is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. Frequently, I2P […]

Security advisory: Telegram instant messenger IDN homograph attack

Advisory information Title: Telegram instant messenger IDN homograph attacks Advisory reference: BLAZE-02-2019 (CVE-2019-10044) Product: Telegram Disclosure mode: Coordinated disclosure Product description Telegram is a messaging app with a focus on speed and security; it's super-fast, simple and free. You can use Telegram on all your devices at the same time, and your messages sync seamlessly […]

Security advisory: Signal IDN homograph attack

Advisory information Title: Signal IDN homograph attacks Advisory reference: BLAZE-01-2019 (CVE-2019-9970) Product: Signal Disclosure mode: Coordinated disclosure Product description Signal is an encrypted communications app for Android and iOS. A desktop version is also available for Linux, Windows, and macOS. It uses the Internet to send one-to-one and group messages, which can include files, voice […]

Security advisory: Porteus Kiosk security restrictions bypass

Advisory information Title: Porteus Kiosk security restrictions bypass Advisory reference: BLAZE-01-2017 Product: Porteus Kiosk Disclosure mode: Coordinated disclosure Product description Porteus Kiosk is a popular lightweight Linux distribution designed to be used as a kiosk solution. It implements several restrictions intended to prevent malicious users from modifying the configuration of the Firefox browser and […]