The SourceClear Blog

Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think

Posted By: Ang Ming Yi and Mark Curphey
March 20, 2017

Four weeks ago, we blogged about the issue with Rails’ built-in anti-CSRF mechanism, protect_from_forgery, where we calculated that over 50,000 Ruby developers were impacted by Cross-site Request Forgery (CSRF) attacks.


Monocultures and security - Stormy times ahead

Posted By: Mark Curphey
March 6, 2017

In the 1990’s we saw viruses and worms proliferate across the Windows platform until the problem became so bad that Bill Gates had to stop shipping and fundamentally change the way Microsoft built software.


SourceClear Original Vulnerabilities - Now available exclusively to paid (Pro) customers

Posted By: Jim Morrisroe
March 3, 2017

Since May 2016, when SourceClear released the free version of SourceClear (Open), we have discovered and released over 910 unique vulnerabilities in open source libraries that did not have a CVE at the time of publication, including 72 high risk vulnerabilities. The majority of these issues we call “half-days” , vulnerabilities that are not found in any other public database or identified with any other security tool besides SourceClear. You can see the stats behind our research here.


Over 50,000 Ruby developers impacted by CSRF attacks

Posted By: Ang Ming Yi, Darius Foo, Jason Yeo
February 22, 2017

There’s been some buzz recently about protect_from_forgery, Rails’ built-in anti-CSRF mechanism, and how it’s not secure by default. Having found, evaluated, disclosed, and tried to fix issues with it in the past, we decided to perform a thorough evaluation of how severe the problem was.


Authentication Updates

Posted By: Alex Ethier
January 30, 2017

We’re pleased to announce the release of two important authentication features


Millions of program builds vulnerable to Man-in-the-Middle attacks

Posted By: Ming
January 16, 2017

According to a blog post made on 18f, it is a standard to ensure all federal websites and web services to serve only via secured connections (HTTPS). Yet in its recent study, about 6.1% of the domains do not have HTTPS enabled. Package managers have, in the past, deprecate certain commands/features that defaults to HTTP. RubyGems has deprecated source :rubygems in Gemfile due to the insecurity of HTTP, and recommends the explicit use of HTTPS.

In this post, we will highlight the issues of insecure network connection(s) made by open-source libraries during build time. Also, we introduce an open-source monitoring tool, Build Inspector, that can be used to detect insecure network traffic made during the build process. Finally, we analyze the number of affected builds from a sample pool of open-source repositories.


Rails_admin Vulnerability Disclosure

Posted By: Jason Yeo
December 25, 2016

A few days ago, I found a CSRF vulnerability in rails_admin. rails_admin is a Ruby gem that generates administrative interfaces for your models automatically. Interestingly, this vulnerability is similar in nature to the one I found in administrate, a similar gem. Additionally, past Ruby gems affected in a similar fashion can be explored at this link.


The Ransomware in our Dependencies

Posted By: Darius Foo & Steve Ng
November 30, 2016

Ransomware is a growing pernicious threat. Some ransomeware called ‘Locky’ was recently discovered spreading through Facebook Messenger, and just last weekend San Francisco’s light-rail system was compromised by ransomware. Today we’ll take an in-depth look at how ransomware can target developers, proliferating through library dependencies.


The biggest SourceClear release yet!

Posted By: Brian Doll
November 21, 2016

We’ve got a present for you this week. This is the biggest release of SourceClear since we launched, and we can’t wait for you to dive in. Thanks to everyone who’s ideas and feedback have helped shape this release, and a special thank you to all of our beta testers who have shown us how crucial SourceClear is in helping teams build secure software.

If you’re not using SourceClear yet, today is a great day to sign up. Here is a rundown of all the new features being released today:


Abusing npm libraries for data exfiltration

Posted By: Asankhaya Sharma
November 11, 2016

Package and dependency managers like npm allow command execution as part of the build process. Command execution provides an easy and convenient mechanism for developers to script tasks during the build. For instance, npm allows developers to use pre-install and post-install hooks to execute tasks. A pre-install hook can be used to compile some dependent native library before starting the build. A post-install hook can be used for clean up after the build.

In this blog post, we demonstrate how an attacker can use npm to exfiltrate information from the developer’s machine. Although we show the attack scenarios for npm, similar attacks can also be done on other package managers like gradle.

Page 1 of 22 >