gafnit (@gafnitav)
26 posts
Joined November 2019
60 Following, 1.3K Followers
Marco Lancini (@lancinimarco)
Who are some fresh voices in Cloud Security that I should definitely follow? I'm getting a bit bored of seeing the same set of people all the time 😅
gafnit retweeted
BlueHat IL (@BlueHatIL)
It's on! BlueHat IL Nights is returning on June 22nd. Join us for the ultimate security bash with renowned Microsoft researcher Ned Moran, as he unveils the untold secrets of Iranian cyber operators like never before. Register now! microsoftrnd.co.il/bluehatil/Blue…
gafnit retweeted
Shir (@shirtamari)
Continuing the #BingBang thread, many have asked how we found the vulnerable Bing Trivia endpoint. Let me share our unique Azure Active Directory cloud reconnaissance technique to find misconfigured authentication prompts🧵
gafnit retweeted
Luke Tucker (@luketucker)
Every once in a while a resource comes along that just oozes value. This is one of those resources by my pal Jonathan Rau. It’s a gargantuan 110 pages chock-full with code goodies and guidance. Check it out and put it into practice!
Luke Tucker (@luketucker)
Cloud Security Researchers are such a rare talent. Learn about my amazing colleague Dana Tsymberg and what a day in her life at Lightspin looks like. Way more than just vuln hunting, Dana, @gafnitav and team do such great research for the benefit of all those in the cloud.
gafnit (@gafnitav)
An amazing find by @Frichette_n that shows again the power of an undocumented API. Many cloud security solutions including GuardDuty itself rely on the expected coverage of CloudTrail events to identify malicious activity.
Nick Frichette (@Frichette_n)

New cloud security research! We found a method to bypass CloudTrail logging for specific IAM actions via an undocumented API service! Attackers could perform some reconnaissance activities while being undetected. securitylabs.datadoghq.com/articles/iamad…

Daniel Grzelak (@dagrz)
If you are into aws security @gafnitav is a must follow — doing some of the best research I’ve seen.
gafnit (@gafnitav)
@feralninja1 That's a good question. Usually that happens when some functionality was supported in the past, they decided to remove it, but forgot to remove the hardcoded trusted domain from the JavaScript.
feralninja (@feralninja1)
@gafnitav Why do you think that cloudshell-df.azurewebsites.net was not already registered when they hardcoded it in the code to be trusted? A possible mistake from a developer perhaps? Or am I misunderstanding? I mean, that's a pretty big ooops obviously. :)
gafnit retweeted
Scott Piper (@0xdabbad00)
The proactive community engagement by @notdurson of AWS security is a huge asset to the trust us cloudsec folks have in AWS. Thank you.
gafnit (@gafnitav)
@christophetd Neither. If the signed token already includes the cluster id you cannot use it for other clusters. The idea was to show how in a crafted token the validation can be bypassed.
Christophe Tafani-Dereeper (@christophetd)
@gafnitav The impact of (2) is unclear to me. Assuming I have a valid token for a cluster in a specific AWS account, can I (a) use that to authenticate to another cluster in the same account? (b) another cluster in a different account?
gafnit (@gafnitav)
@luketucker Lucky working with you as well :) thanks for sharing!
Luke Tucker (@luketucker)
Kubernetes security is notoriously complex and the number of talented security researchers in this space is limited. @gafnitav is an amazingly talented hacker that I'm lucky to work with at Lightspin. Check out her latest find in the full technical writeup.
gafnit (@gafnitav)
@_fel1x @0xdabbad00 Thank you for writing such a detailed post on the HashiCorp Vault vuln. It was very helpful.
Scott Piper (@0xdabbad00)
Interesting to see this still had another issue after @_fel1x had found one issue in the same code: bugs.chromium.org/p/project-zero… which was a derivative of his finding in Hashicorp Vault googleprojectzero.blogspot.com/2020/10/ and a second look had happened at this code github.com/kubernetes-sig…
gafnit (@gafnitav)

Exploiting AWS IAM Authenticator by crafting malicious signed STS GetCallerIdentity request. 👉CVE-2022-2385 blog.lightspin.io/exploiting-eks…

gafnit (@gafnitav)
Recent vulnerabilities in Kubernetes NGINX Ingress Controller with details of CVE-2021-25745, CVE-2021-25748. Inspired by Mitch Hulscher CVE-2021-25742. blog.lightspin.io/kubernetes-ngi…