Posts Tagged ‘DefCon32’
[DefCon32] Taming the Beast: Inside Llama 3 Red Team Process
As large language models (LLMs) like Llama 3, trained on 15 trillion tokens, redefine AI capabilities, their risks demand rigorous scrutiny. Alessandro Grattafiori, Ivan Evtimov, and Royi Bitton from Meta’s AI Red Team unveil their methodology for stress-testing Llama 3. Their process, blending human expertise and automation, uncovers emergent risks in complex AI systems, offering insights for securing future models.
Alessandro, Ivan, and Royi explore red teaming’s evolution, adapting traditional security principles to AI. They detail techniques for discovering vulnerabilities, from prompt injections to multi-turn adversarial attacks, and assess Llama 3’s resilience against cyber and national security threats. Their open benchmark, CyberSecEvals, sets a standard for evaluating AI safety.
The presentation highlights automation’s role in scaling attacks and the challenges of applying conventional security to AI’s unpredictable nature, urging a collaborative approach to fortify model safety.
Defining AI Red Teaming
Alessandro outlines red teaming as a proactive hunt for AI weaknesses, distinct from traditional software testing. LLMs, with their vast training data, exhibit emergent behaviors that spawn unforeseen risks. The team targets capabilities like code generation and strategic planning, probing for exploits like jailbreaking or malicious fine-tuning.
Their methodology emphasizes iterative testing, uncovering how helpfulness training can lead to vulnerabilities, such as hallucinated command flags.
Scaling Attacks with Automation
Ivan details their automation framework, using multi-turn adversarial agents to simulate complex attacks. These agents, built on Llama 3, attempt tasks like vulnerability exploitation or social engineering. While effective, they struggle with long-form planning, mirroring a novice hacker’s limitations.
CyberSecEvals benchmarks these risks, evaluating models across high-risk scenarios. The team’s findings, shared openly, enable broader scrutiny of AI safety.
Cyber and National Security Threats
Royi addresses advanced threats, including attempts to weaponize LLMs for cyberattacks or state-level misuse. Tests reveal Llama 3’s limitations in complex hacking, but emerging techniques like “obliteration” remove safety guardrails, posing risks for open-weight models.
The team’s experiments with uplifting non-expert users via AI assistance show promise but highlight gaps in achieving expert-level exploits, referencing Google’s Project Naptime.
Future Directions and Industry Gaps
The researchers advocate integrating security lessons into AI safety, emphasizing automation and open-source collaboration. Alessandro notes the psychological toll of red teaming, handling extreme content like nerve gas research. They call for more security experts to join AI safety efforts, addressing gaps in testing emergent risks.
Their work, supported by CyberSecEvals, sets a foundation for safer AI, urging the community to explore novel vulnerabilities.
[DefCon32] Securing CCTV Cameras Against Blind Spots
As CCTV systems underpin public safety, their vulnerabilities threaten to undermine trust. Jacob Shams, a security researcher, exposes a critical flaw in object detection: location-based confidence weaknesses, or “blind spots.” His analysis across diverse locations—Broadway, Shibuya Crossing, and Castro Street—reveals how pedestrian positioning impacts detection accuracy, enabling malicious actors to evade surveillance. Jacob’s novel attack, TipToe, exploits these gaps to craft low-confidence paths, reducing detection rates significantly.
Jacob’s research spans five object detectors, including YOLOv3 and Faster R-CNN, under varied lighting conditions. By mapping confidence levels to position, angle, and distance, he identifies areas where detection falters. TipToe leverages these findings, offering a strategic evasion tool with implications for urban security and beyond.
The study underscores the need for robust CCTV configurations, urging developers to address positional biases in detection algorithms to safeguard critical infrastructure.
Understanding Blind Spots
Jacob’s experiments reveal that pedestrian position—distance, angle, height—affects detector confidence by up to 0.7. Heatmaps from lab and real-world footage, including Shibuya Crossing, highlight areas of low confidence, persisting across YOLOv3, SSD, and others. These blind spots, independent of video quality or lighting, create exploitable gaps.
For instance, at Shibuya, TipToe reduces average path confidence by 0.16, enabling stealthy movement. This phenomenon, consistent across locations, exposes systemic flaws in current detection models.
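The position-to-confidence mapping described above is something an integrator can measure on their own camera feed. The following is an added example, not Jacob's tooling or data: it bins constructed detection records (bottom-centre box coordinate and detector confidence) into a grid over the frame, averages confidence per cell and reports cells that fall below the detector's decision threshold, which is where a blind spot would show up. Frame size, grid shape and the threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed detection records, not the talk's measurements: (x, y) is the bottom-centre
# of a pedestrian bounding box in a 1920x1080 frame, conf is the detector's confidence.
DETECTIONS = [
    (300, 1000, 0.92), (340, 980, 0.90), (1500, 1020, 0.88), (1600, 990, 0.91),  # near
    (960, 600, 0.81), (1000, 620, 0.84),                                         # mid-frame
    (120, 300, 0.31), (150, 280, 0.28), (1800, 260, 0.34), (1750, 300, 0.30),    # far corners
    (960, 250, 0.62), (980, 240, 0.66),                                          # far centre
]


def zone_confidence(detections, frame_w=1920, frame_h=1080, cols=4, rows=3):
    """Mean confidence per grid cell, keyed by (row, col); empty cells are omitted."""
    cell_w, cell_h = frame_w / cols, frame_h / rows
    buckets = defaultdict(list)
    for x, y, conf in detections:
        col = min(int(x // cell_w), cols - 1)   # clamp so the frame edge stays in-grid
        row = min(int(y // cell_h), rows - 1)
        buckets[(row, col)].append(conf)
    return {cell: round(mean(vals), 3) for cell, vals in buckets.items()}


def blind_spots(detections, threshold=0.5, **grid):
    """Cells whose mean confidence is below the detection threshold: a person standing
    there is, on average, not reported even though the detector saw something."""
    zones = zone_confidence(detections, **grid)
    return sorted(cell for cell, conf in zones.items() if conf < threshold)


def confidence_swing(detections, **grid):
    """Best cell minus worst cell: how much position alone moves the confidence."""
    zones = zone_confidence(detections, **grid)
    return round(max(zones.values()) - min(zones.values()), 3)


if __name__ == "__main__":
    for cell, conf in sorted(zone_confidence(DETECTIONS).items()):
        print(f"cell {cell}: mean confidence {conf}")
    print("blind spots:", blind_spots(DETECTIONS))
    print("swing:", confidence_swing(DETECTIONS))
```

Run against a real feed, the same binning over a day of detections shows whether the far corners consistently sit under the threshold, which is the case for recalibration or an extra camera angle that the talk argues for.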
The TipToe Evasion Attack
TipToe constructs minimum-confidence paths through CCTV scenes, leveraging positional data to minimize detection. Jacob demonstrates its efficacy, achieving significant confidence reductions in public footage. Unlike invasive methods like laser interference, TipToe requires no suspicious equipment, relying solely on strategic positioning.
This attack highlights the ease of exploiting blind spots, urging integrators to reassess camera placement and algorithm tuning.
Mitigating Detection Weaknesses
Jacob proposes recalibrating object detectors to account for positional variances, enhancing confidence in weak areas. Multi-angle camera setups and advanced models could further reduce blind spots. His open-source tools encourage community validation, fostering improvements in surveillance security.
The research calls for a paradigm shift in CCTV design, prioritizing resilience against evasion tactics to protect public spaces.
[DefCon32] Smishing Smackdown: Unraveling the Threads of USPS Smishing and Fighting Back
In an era where digital scams proliferate, SMS phishing, or smishing, has surged, exploiting trust in institutions like the United States Postal Service (USPS). S1nn3r, a red team operator and founder of Phantom Security Group, recounts her journey tackling the “Smishing Triad,” a sophisticated operation distributing scam kits. Motivated by personal encounters with these fraudulent texts, S1nn3r’s investigation uncovers vulnerabilities in the kits, enabling access to their admin panels and exposing over 390,000 stolen credit card details across 900 domains.
S1nn3r’s expertise in web application testing, honed through bug bounties, drives her to reverse-engineer these kits. Collaborating with peers, she identifies two critical flaws, granting entry to administrative interfaces. This access reveals not only victim data but also scammer details like login IPs and passwords. Her findings, shared with banks and the USPS Inspector’s Office, aid in protecting nearly 880,000 victims, highlighting the power of proactive cybersecurity.
The talk illuminates the technical ingenuity behind smishing campaigns and offers strategies to combat them, emphasizing client-side filtering to thwart future attacks.
Anatomy of the Smishing Triad
S1nn3r begins by dissecting the USPS smishing campaign, which spiked during the holiday season. These messages, mimicking USPS alerts, lure users to fraudulent sites via links. The Smishing Triad’s kit, a scalable tool sold to scammers, automates these attacks, capturing credentials and financial data.
Through meticulous analysis, S1nn3r uncovers the kit’s structure, leveraging web vulnerabilities to infiltrate admin panels. This access exposes databases containing victim information, revealing the campaign’s vast reach.
Exploiting Kit Vulnerabilities
The investigation reveals two pivotal weaknesses: insecure authentication and misconfigured APIs. By exploiting these, S1nn3r gains administrative control, extracting data from over 40 panels. This includes scammer metadata, such as IPs and cracked passwords, offering insights into their operations.
Her collaboration with a Wired journalist and law enforcement underscores the real-world impact, linking stolen credit cards to specific scams. This evidence strengthens investigations, despite challenges in victim identification.
Countermeasures and Future Defenses
S1nn3r advocates enhanced client-side filtering, suggesting AI-driven solutions to detect suspicious texts. Third-party integrations, like Truecaller, offer practical defenses by flagging non-official USPS links. She cautions against man-in-the-middle attacks on SMS, emphasizing scalable, user-friendly protections.
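The client-side filtering S1nn3r describes, flagging texts that invoke the USPS but link somewhere else, can be prototyped in a few lines. The code below is an added example, not her tooling or the kit's code: it extracts links (including scheme-less ones, which are common in SMS), resolves each hostname and flags any that is not the official domain or one of its subdomains. The allowlist, brand words and sample messages are constructed for the example; a real filter would load a maintained domain list.

```python
import re
from urllib.parse import urlsplit

# Registrable domains treated as official; any subdomain counts. Constructed allowlist.
OFFICIAL_DOMAINS = {"usps.com"}
BRAND_WORDS = ("usps", "postal service")

# Scheme-less links are common in SMS, so match "https://...", "www...." and "host/path".
URL_RE = re.compile(r'(?i)(?:https?://|www\.)\S+|\b[a-z0-9.-]+\.[a-z]{2,}/\S*')

# Constructed sample messages, not texts from the campaign.
SAMPLES = {
    "lookalike_host": "USPS: your parcel is waiting. Confirm your address at "
                      "https://usps-track-confirm.example/redeliver.",
    "official": "USPS: track your item at https://tools.usps.com/go/TrackConfirmAction",
    "nested_lookalike": "Delivery failed, update your info: usps.com.parcel-alert.example/u",
    "no_link": "Reminder: your dentist appointment is tomorrow at 3pm.",
    "other_brand": "Your Acme order shipped: https://acme.example/track",
}


def extract_hosts(message):
    """Hostnames of every link in the text, lower-cased, trailing punctuation dropped."""
    hosts = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)")
        if not re.match(r'(?i)https?://', url):
            url = "http://" + url            # give urlsplit a scheme so it parses the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def is_official(host):
    # Suffix match on the registrable domain: "usps.com.parcel-alert.example" fails it,
    # "tools.usps.com" passes it.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def flag_message(message):
    """Hosts to flag: the text invokes the brand but links outside its domains.
    Brand-free messages are left alone so ordinary links are not blocked wholesale."""
    text = message.lower()
    if not any(word in text for word in BRAND_WORDS):
        return []
    return [h for h in extract_hosts(message) if not is_official(h)]


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:17} -> {flag_message(msg) or 'ok'}")
```

The suffix check on the registrable domain is the part worth getting right: a substring test for "usps.com" would wave through the nested lookalike in the third sample.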
Her work, shared via open-source tools, invites further research to dismantle smishing ecosystems, urging collective action against evolving scams.
[DefCon32] QuickShell: Sharing Is Caring About RCE Attack Chain on QuickShare
In the interconnected world of file sharing, Google’s QuickShare, bridging Android and Windows, presents a deceptively inviting attack surface. Or Yair and Shmuel Cohen, researchers at SafeBreach, uncover ten vulnerabilities, culminating in QuickShell, a remote code execution (RCE) chain exploiting five flaws. Their journey, sparked by QuickShare’s Windows expansion, reveals logical weaknesses that enable file writes, traffic redirection, and system crashes, culminating in a sophisticated RCE.
Or, a vulnerability research lead, and Shmuel, formerly of Check Point, dissect QuickShare’s Protobuf-based protocol. Initial fuzzing yields crashes but no exploits, prompting a shift to logical vulnerabilities. Their findings, responsibly disclosed to Google, lead to patches and two CVEs, addressing persistent Wi-Fi connections and file approval bypasses.
QuickShare’s design, facilitating seamless device communication, lacks robust validation, allowing attackers to manipulate file transfers and network connections. The RCE chain combines these flaws, achieving unauthorized code execution on Windows systems.
Protocol Analysis and Fuzzing
Or and Shmuel begin with QuickShare’s protocol, using hooks to decode Protobuf messages. Their custom fuzzer targets the Windows app, identifying crashes but lacking exploitable memory corruptions. This pivot to logical flaws uncovers issues like unauthenticated file writes and path traversals, exposing user directories.
Tools built for device communication enable precise vulnerability discovery, revealing weaknesses in QuickShare’s trust model.
Vulnerability Discoveries
The researchers identify ten issues: file write bypasses, denial-of-service (DoS) crashes, and Wi-Fi redirection via crafted access points. Notable vulnerabilities include forcing file approvals without user consent and redirecting traffic to malicious networks.
A novel HTTPS MITM technique amplifies the attack, intercepting communications to escalate privileges. These flaws, present in both Android and Windows, highlight systemic design oversights.
Crafting the RCE Chain
QuickShell chains five vulnerabilities: a DoS to destabilize QuickShare, a file write to plant malicious payloads, a path traversal to target system directories, a Wi-Fi redirection to control connectivity, and a final exploit triggering RCE. This unconventional chain leverages seemingly minor bugs, transforming them into a potent attack.
Demonstrations show persistent connections and code execution, underscoring the chain’s real-world impact.
Takeaways for Developers and Defenders
Or and Shmuel emphasize that minor bugs, often dismissed, can cascade into severe threats. The DoS flaw, critical to their chain, exemplifies how non-security issues enable attacks. They advocate holistic security assessments, beyond memory corruptions, to evaluate logical behaviors.
Google’s responsive fixes, completed by January 2025, validate the research’s impact. The team’s open-source tools invite further exploration, urging developers to prioritize robust validation in file-sharing systems.
[DefCon32] Windows Downdate: Downgrade Attacks Using Windows Updates
The notion of a “fully patched” system crumbles under the weight of downgrade attacks, as revealed by Alon Leviev, a self-taught security researcher at SafeBreach. His exploration of Windows Updates uncovers a flaw allowing attackers to revert critical components—DLLs, drivers, kernels, and virtualization stacks—to vulnerable versions, bypassing verification and exposing privilege escalations. Alon’s tool, Windows Downdate, renders the term “updated” obsolete, compromising systems worldwide.
Alon, a former Brazilian Jiu-Jitsu champion, leverages his expertise in OS internals and reverse engineering to dissect Windows Update mechanisms. Inspired by the BlackLotus UEFI bootkit, which bypassed Secure Boot via downgrades, he investigates whether similar vulnerabilities plague other components. His findings reveal a systemic design flaw, enabling unprivileged attackers to manipulate updates and disable protections like Virtualization-Based Security (VBS).
The implications are profound: downgraded systems report as fully updated, evade recovery tools, and block future patches, leaving them exposed to thousands of known vulnerabilities.
BlackLotus and the Downgrade Threat
Alon traces the research to BlackLotus, which exploited a patched Secure Boot flaw by reverting components. Secure Boot verifies boot chain signatures, but BlackLotus’s downgrade bypassed this, prompting Alon to probe Windows Updates for similar weaknesses.
He discovers that update packages, lacking robust validation, allow crafted downgrades. By manipulating update manifests, attackers revert critical files, exploiting old vulnerabilities without triggering alerts.
Compromising the Virtualization Stack
Targeting Hyper-V, Secure Kernel, and Credential Guard, Alon achieves downgrades that expose privilege escalations. VBS, designed to isolate sensitive operations, relies on UEFI locks, yet his methods disable these protections, a first in known research.
The attack exploits design flaws allowing less privileged rings to update higher ones, a remnant since VBS’s 2015 debut. Demonstrations show downgraded hypervisors, undermining Windows’ security architecture.
Restoration Vulnerabilities
A secondary flaw in update restoration scenarios amplifies the threat. Unprivileged users can trigger rollbacks, embedding malicious updates that persist across reboots. Recovery tools fail to detect these, as the system registers as compliant.
Alon’s Windows Downdate tool automates this, crafting updates that downgrade entire systems, from drivers to kernels, without administrative rights.
Industry Implications and Mitigations
The research exposes a gap in downgrade attack awareness. Alon urges thorough design reviews, emphasizing that unexamined surfaces, like update mechanisms, harbor risks. Linux and macOS may face similar threats, necessitating preemptive scrutiny.
Mitigations include enhanced validation, privilege restrictions, and monitoring for anomalous updates. His findings, shared responsibly with Microsoft, highlight the need for systemic changes to restore trust in patching.
[DefCon32] Your AI Assistant Has a Big Mouth: A New Side-Channel Attack
As AI assistants like ChatGPT reshape human-technology interactions, their security gaps pose alarming risks. Yisroel Mirsky, a Zuckerman Faculty Scholar at Ben-Gurion University, alongside graduate students Daniel Eisenstein and Roy Weiss, unveils a novel side-channel attack exploiting token length in encrypted AI responses. Their research exposes vulnerabilities in major platforms, including OpenAI, Microsoft, and Cloudflare, threatening the confidentiality of personal and sensitive communications.
Yisroel’s Offensive AI Research Lab focuses on adversarial techniques, and this discovery highlights how subtle data leaks can undermine encryption. By analyzing network traffic, they intercept encrypted responses, reconstructing conversations from medical queries to document edits. Their findings, disclosed responsibly, prompted swift vendor patches, underscoring the urgency of securing AI integrations.
The attack leverages predictable token lengths in JSON responses, allowing adversaries to infer content despite encryption. Demonstrations reveal real-world impacts, from exposing personal advice to compromising corporate data, urging a reevaluation of AI security practices.
Understanding the Side-Channel Vulnerability
Yisroel explains the attack’s mechanics: AI assistants transmit responses as JSON objects, with token lengths correlating to content size. By sniffing HTTPS traffic, attackers deduce these lengths, mapping them to probable outputs. For instance, a query about a medical rash yields distinct packet sizes, enabling reconstruction.
Vulnerable vendors, unaware of this flaw until February 2025, included OpenAI and Quora. The team’s tool, GPTQ Logger, automates traffic analysis, highlighting the ease of exploitation in unpatched systems.
Vendor Responses and Mitigations
Post-disclosure, vendors acted decisively. OpenAI implemented padding to the nearest 32-byte value, obscuring token lengths. Cloudflare adopted random padding, further disrupting patterns. By March 2025, patches neutralized the threat, with five vendors offering bug bounties.
Yisroel emphasizes simple defenses: random padding, fixed-size packets, or increased buffering. These measures, easily implemented, prevent length-based inference, safeguarding user privacy.
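To make the leak and the two padding fixes concrete, here is an added example that is not the team's GPTQ Logger or any vendor's code. It streams two constructed replies through a hypothetical JSON chunk envelope, shows that the per-chunk sizes (all an observer of encrypted traffic gets) give away the token lengths, and then applies the two mitigations named above: padding each chunk to a 32-byte multiple, as described for OpenAI, and random padding, as described for Cloudflare. Whitespace tokens stand in for subword tokens and the envelope is an assumption; the mechanism is the same.

```python
import secrets

# Constructed sample replies (not from the talk), chosen with the same number of tokens so
# that only the per-token sizes differ on the wire.
REPLY_A = "Apply a fragrance-free moisturizer and rest."
REPLY_B = "Take an analgesic and drink water."

# Hypothetical streamed-chunk envelope; real assistants use vendor-specific JSON.
ENVELOPE = '{"choices":[{"delta":{"content":"%s"}}]}'
OVERHEAD = len(ENVELOPE % "")   # fixed bytes around every token: 38 here


def tokenize(text):
    # Whitespace splitting stands in for subword tokenization.
    return text.split()


def serialize_chunk(token):
    return (ENVELOPE % token).encode()


def chunk_sizes(text, pad=None):
    """On-wire size of each streamed chunk, after `pad` if one is given. TLS hides the
    bytes but not their count, so this list is exactly what a passive sniffer sees."""
    sizes = []
    for tok in tokenize(text):
        payload = serialize_chunk(tok)
        if pad is not None:
            payload = pad(payload)
        sizes.append(len(payload))
    return sizes


def token_lengths_from_sizes(sizes):
    """The inference step: with a fixed envelope, size minus overhead is the token length."""
    return [s - OVERHEAD for s in sizes]


def pad_to_multiple(payload, block=32):
    # Fixed-block padding: every chunk grows to a multiple of `block`, so tokens that
    # differ by a few bytes end up the same size.
    return payload + b" " * ((-len(payload)) % block)


def pad_random(payload, max_extra=64):
    # Random padding: 0..max_extra filler bytes per chunk, so the same token is sent with
    # a different size each time and size-to-length lookups stop working.
    return payload + b" " * secrets.randbelow(max_extra + 1)


def distinguishable(text_a, text_b, pad=None):
    """True if an observer could tell the two replies apart from chunk sizes alone."""
    return chunk_sizes(text_a, pad) != chunk_sizes(text_b, pad)


if __name__ == "__main__":
    print("unpadded A/B:", chunk_sizes(REPLY_A), chunk_sizes(REPLY_B))
    print("recovered token lengths of A:", token_lengths_from_sizes(chunk_sizes(REPLY_A)))
    print("padded to 32 A/B:", chunk_sizes(REPLY_A, pad_to_multiple),
          chunk_sizes(REPLY_B, pad_to_multiple))
    print("random padding A:", chunk_sizes(REPLY_A, pad_random))
```

Padding alone still leaks the number of chunks, which is why the talk also lists fixed-size packets and larger buffering: batching several tokens per chunk removes the one-chunk-per-token structure that makes the count informative.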
Implications for AI Security
The discovery underscores a broader issue: AI services, despite their sophistication, inherit historical encryption pitfalls. Yisroel draws parallels to past side-channel attacks, where minor details like timing betrayed secrets. AI’s integration into sensitive domains demands rigorous security, akin to traditional software.
The work encourages offensive research to uncover similar weaknesses, advocating AI’s dual role in identifying and mitigating vulnerabilities. As new services emerge, proactive design is critical to prevent data exposure.
Broader Call to Action
Yisroel’s team urges the community to explore additional side channels, from compression ratios to processing delays. Their open-source tools invite further scrutiny, fostering a collaborative defense against evolving threats.
This research redefines AI assistant security, emphasizing meticulous data handling to protect user trust.
[DefCon32] 1 for All, All for WHAD: Wireless Shenanigans Made Easy
In the ever-evolving landscape of wireless security, the proliferation of bespoke tools for protocol attacks creates a fragmented ecosystem. Romain Cayre and Damien Cauquil, seasoned researchers from Quarkslab, introduce WHAD, a unifying framework designed to streamline wireless hacking. By offering a standardized host/device communication protocol, WHAD enhances interoperability across diverse hardware, liberating researchers from the constraints of proprietary firmware. Their presentation unveils a solution that fosters collaboration and innovation, making wireless exploits more accessible and sustainable.
Romain, maintainer of the Mirage tool for Bluetooth and beyond, and Damien, creator of BtleJack, share a passion for dissecting wireless protocols. Their work addresses a critical pain point: the reliance on specialized, often obsolete hardware for attacks on smartphones, peripherals, and vehicles. WHAD consolidates these efforts, supporting protocols like Bluetooth Low Energy (BLE), Zigbee, and Logitech Unifying, while enabling researchers to focus on exploits rather than hardware compatibility.
The framework’s extensible architecture allows seamless integration with devices like Nordic nRF boards, ensuring longevity as hardware evolves. By presenting WHAD’s capabilities through practical demonstrations, Romain and Damien showcase its potential to transform wireless security research.
The Problem with Wireless Tools
Wireless security tools, while effective, often tie researchers to specific hardware and custom protocols. Damien highlights the chaos of tools like BtleJack, Mirage, and GATTacker, each requiring unique firmware and communication methods. This fragmentation forces researchers to reinvent protocols, limiting scalability and accessibility.
WHAD addresses this by providing a unified protocol stack, abstracting hardware complexities. It supports multiple devices through a single interface, reducing the need for redundant development. For instance, a researcher targeting BLE can use WHAD with any compatible dongle, avoiding the need to craft bespoke firmware.
WHAD’s Architecture and Capabilities
Romain details WHAD’s modular design, comprising a host-side Python library and device-side firmware. The framework supports sniffing, injection, and interaction across protocols. Demonstrations include BLE relay attacks, where WHAD discovers services and manipulates devices like smart bulbs, altering colors or states.
Its flexibility extends to hardware CTFs, with WHAD emulating BLE challenges and LoRa gateways. Integration with tools like Scapy enhances packet manipulation, while firmware availability on GitHub encourages community contributions.
Real-World Applications and Impact
Damien shares WHAD’s internal use at Quarkslab, where it facilitated a BLE GATT fuzzer, uncovering CVEs in expressive controllers. Research into screaming channel attacks leveraged WHAD to instrument custom link-layer traffic, showcasing its versatility.
The framework’s open-source release, available via PyPI and GitHub, invites contributions for new protocols and hardware support. Romain emphasizes its role in democratizing wireless research, reducing barriers for newcomers and veterans alike.
Future Potential and Community Engagement
WHAD’s vision extends beyond current protocols, with plans to incorporate emerging standards. By fostering a collaborative ecosystem, Romain and Damien aim to unify disparate tools, ensuring resilience against hardware obsolescence.
Their call for contributors underscores the community-driven ethos, encouraging bug reports, documentation, and firmware development. WHAD’s potential lies in its adaptability, empowering researchers to explore new attack surfaces efficiently.
[DefCon32] MaLDAPtive: Obfuscation and De-Obfuscation
Directory services, foundational to enterprise security, harbor overlooked evasion potentials. Daniel Bohannon and Sabajete Elezaj unveil MaLDAPtive, a framework born from exhaustive LDAP research. Daniel, a principal threat researcher at Permiso Security, and Sabajete, a senior cyber security engineer at Solaris SE, dissect obfuscation techniques across LDAP elements, empowering both attackers and defenders.
Their journey traces Active Directory’s evolution since 2000, intertwined with LDAP’s protocol roots from the 1980s. Tools like BloodHound amplified LDAP’s offensive utility, yet detection lags, often signature-bound in costly solutions.
MaLDAPtive, a 2,000-hour endeavor, features a custom tokenizer and parser, enabling unprecedented obfuscation and de-obfuscation. They categorize techniques: distinguished name manipulations via encodings, attribute tricks with wildcards, and filter obfuscations leveraging operators.
Historical Context and LDAP Components
Daniel recounts LDAP’s standardization in 1993, with Active Directory adopting it in 2000. Queries comprise bases, scopes, filters—ripe for evasion.
Distinguished names (DNs) encode via UTF-8, hex, or escapes, bloating logs. Attributes exploit aliases like “cn” for “name,” while filters layer parentheses and negations.
Their parser tokenizes queries, revealing incompatibilities undocumented elsewhere.
Advanced Obfuscation Techniques
Sabajete details filter intricacies: extensible matches with OIDs, reversing attributes for efficiency. They uncover zero-padding in OIDs, undocumented wildcards in values.
Tool-generated examples expose anomalies, like hex encoding bans in certain filters. MaLDAPtive automates these, generating evasive queries while preserving semantics.
Defensively, de-obfuscation normalizes queries, aiding detection. They critique static signatures, advocating behavioral analytics.
Detection and Framework Release
MaLDAPtive’s detection module identifies anomalies via token analysis, flagging excessive nesting or encodings.
Demonstrations showcase obfuscated queries evading simplistic tools, yet normalized by their framework.
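The de-obfuscation and detection ideas from the last two sections can be illustrated with a small filter normalizer. This is an added example, not MaLDAPtive's tokenizer or parser, and it covers only the filter element: it parses an RFC 4515 search filter into a tree, decodes hex escapes that do not need escaping, lower-cases attribute names, strips zero-padding from OID arcs, collapses double negations and single-child AND/OR groups, folds runs of wildcards, and reports nesting depth and escape counts as detection features. The obfuscated sample query is constructed; DN encodings and Active Directory parsing quirks are out of scope.

```python
import re

# Characters that must stay escaped inside a filter value (RFC 4515); any other printable
# ASCII byte written as \XX can be decoded without changing what the filter matches.
MUST_ESCAPE = set('*()\\')
HEX_ESCAPE = re.compile(r'\\([0-9A-Fa-f]{2})')
ITEM = re.compile(r'([A-Za-z0-9.;-]*(?::[A-Za-z0-9.;-]+)*)(:=|~=|>=|<=|=)(.*)$', re.S)

# Constructed sample (not from the talk): hex-encoded values, a double negation, a
# single-child OR and a run of wildcards wrapped around a plain "user named Adm*in*" query.
OBFUSCATED = r'(&(!(!(objectClass=\75\73\65\72)))(|(cn=\41dm**in*)))'


def parse_filter(text):
    """Parse a search filter into tuples: ('and'|'or', [children]), ('not', child),
    ('item', attr, op, value). Raises ValueError on malformed input."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f'trailing data at offset {pos}')
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in '&|':
        kind, children, i = ('and' if s[i] == '&' else 'or'), [], i + 1
        while i < len(s) and s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        node = (kind, children)
    elif i < len(s) and s[i] == '!':
        child, i = _parse(s, i + 1)
        node = ('not', child)
    else:
        j = i                                   # scan to ')' while stepping over \XX escapes
        while j < len(s) and s[j] != ')':
            j += 3 if s[j] == '\\' else 1
        m = ITEM.match(s[i:j]) if j < len(s) else None
        if not m:
            raise ValueError(f'malformed item at offset {i}')
        node, i = ('item',) + m.groups(), j
    if i >= len(s) or s[i] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def normalize_attr(attr):
    # Attribute types and matching-rule OIDs are case-insensitive, and an OID arc written
    # "0113556" is the same arc as "113556", so zero-padding is dropped.
    parts = []
    for seg in attr.lower().split(':'):
        arcs = seg.split('.')
        if all(a.isdigit() for a in arcs):
            seg = '.'.join(str(int(a)) for a in arcs)
        parts.append(seg)
    return ':'.join(parts)


def normalize_value(value):
    def decode(m):
        ch = chr(int(m.group(1), 16))
        if ch in MUST_ESCAPE or not 0x20 <= ord(ch) < 0x7f:
            return '\\' + m.group(1).lower()    # must stay escaped: keep one canonical spelling
        return ch
    value = HEX_ESCAPE.sub(decode, value)
    return re.sub(r'\*{2,}', '*', value)        # "a***b" matches exactly what "a*b" matches


def simplify(node):
    kind = node[0]
    if kind == 'item':
        return ('item', normalize_attr(node[1]), node[2], normalize_value(node[3]))
    if kind == 'not':
        child = simplify(node[1])
        return child[1] if child[0] == 'not' else ('not', child)     # (!(!(x))) -> (x)
    children = [simplify(c) for c in node[1]]
    return children[0] if len(children) == 1 else (kind, children)  # (&(x)) -> (x)


def to_string(node):
    kind = node[0]
    if kind == 'item':
        return f'({node[1]}{node[2]}{node[3]})'
    if kind == 'not':
        return f'(!{to_string(node[1])})'
    return f"({'&' if kind == 'and' else '|'}{''.join(to_string(c) for c in node[1])})"


def depth(node):
    if node[0] == 'item':
        return 1
    if node[0] == 'not':
        return 1 + depth(node[1])
    return 1 + max((depth(c) for c in node[1]), default=0)


def normalize_filter(raw):
    return to_string(simplify(parse_filter(raw)))


def obfuscation_features(raw):
    """Features for a detection rule: raw vs normalized nesting depth, hex-escape count,
    and how many bytes the query loses once normalized."""
    normalized = normalize_filter(raw)
    return {'raw_depth': depth(parse_filter(raw)),
            'normalized_depth': depth(parse_filter(normalized)),
            'hex_escapes': len(HEX_ESCAPE.findall(raw)),
            'shrink': len(raw) - len(normalized), 'normalized': normalized}


if __name__ == "__main__":
    print(obfuscation_features(OBFUSCATED))
```

Matching a signature against the normalized form rather than the raw query is what makes the encoding tricks irrelevant, while the raw-versus-normalized gap (depth, escapes, shrink) is itself a usable behavioural signal: benign tooling rarely produces queries that lose a third of their bytes on normalization.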
Releasing openly, they equip communities to fortify defenses, transforming LDAP from lightweight to robustly secured.
Their work bridges offensive ingenuity with defensive resilience, urging deeper protocol scrutiny.
[DefCon32] Open Sesame: How Vulnerable Is Your Stuff in Electronic Lockers?
In environments where physical security intersects with digital convenience, electronic lockers promise protection yet often deliver fragility. Dennis Giese and Braelynn, independent security researchers, scrutinize smart locks from Digilock and Schulte-Schlagbaum AG (SAG), revealing exploitable weaknesses. Their analysis spans offices, hospitals, and gyms, where rising hybrid work amplifies reliance on shared storage. By demonstrating physical and side-channel attacks, they expose why trusting these devices with valuables or sensitive data invites peril.
Dennis, focused on embedded systems and IoT like vacuum robots, and Braelynn, specializing in application security with ventures into hardware, collaborate to dissect these “keyless” solutions. Marketed as leaders in physical security, these vendors’ products falter under scrutiny, succumbing to firmware extractions and key emulations.
Lockers, equipped with PIN pads and RFID readers, store laptops, phones, and documents. Users input codes or tap cards, assuming protection. Yet, attackers extract master keys from one unit, compromising entire installations. Side-channel methods, like power analysis, recover PINs without traces.
Firmware Extraction and Key Cloning
Dennis and Braelynn detail extracting firmware via JTAG or UART, bypassing protections on microcontrollers like AVR or STM32. Tools like Flipper Zero emulate RFID, cloning credentials cheaply. SAG’s locks yield to voltage glitching, dumping EEPROM contents including master codes.
Digilock’s vulnerabilities allow manager key retrieval, granting universal access. They highlight reusing PINs across devices—phones, cards, lockers—as a critical error, enabling cross-compromise.
Comparisons with competitors like Ojmar reveal similar issues: unencrypted storage, weak obfuscation. Attacks require basic tools, underscoring development oversights.
Side-Channel and Physical Attacks
Beyond digital, physical vectors prevail. Power consumption during PIN entry leaks digits via oscilloscopes, recovering codes swiftly. RFID sniffing captures credentials mid-use.
They address a cease-and-desist from Digilock, withdrawn post-legal aid from EFF, emphasizing disclosure challenges. Despite claims of security, these locks lack military-grade assurances, sold as standard solutions.
Mitigations include enabling code protection, though impractical for legacy units. Firmware updates are rare, leaving replacement or ignorance as options.
Lessons for Enhanced Security
Dennis and Braelynn advocate security-by-design: encrypt secrets, anticipate attacks. Users should treat locker PINs uniquely, avoid loaning keys, and recognize limitations.
Their findings illuminate cyber-physical risks, urging vigilance around everyday systems. Big firms err too; building a secure device is harder than breaking one.
Encouraging ethical exploration, they note that a product's claim to be “unhacked” invites scrutiny.
[DefCon32] OH MY DC: Abusing OIDC All the Way to Your Cloud
As organizations migrate from static credentials to dynamic authentication protocols, overlooked intricacies in implementations create fertile ground for exploitation. Aviad Hahami, a security researcher at Palo Alto Networks, demystifies OpenID Connect (OIDC) in the context of continuous integration and deployment (CI/CD) workflows. His examination reveals vulnerabilities stemming from under-configurations and misconfigurations, enabling unauthorized access to cloud environments. By alternating perspectives among users, identity providers, and CI vendors, Aviad illustrates attack vectors that compromise sensitive resources.
Aviad begins with foundational concepts, clarifying OIDC’s role in secure, short-lived token exchanges. In CI/CD scenarios, tools like GitHub Actions request tokens from identity providers (IdPs) such as GitHub’s OIDC provider. These tokens, containing claims like repository names and commit SHAs, are validated by workload identity federations (WIFs) in clouds like AWS or Azure. Proper configuration ensures tokens originate from trusted sources, but lapses invite abuse.
Common pitfalls include wildcard allowances in policies, permitting access from unintended repositories. Aviad demonstrates how fork pull requests (PRs) exploit these, granting cloud roles without maintainer approval. Such “no configs” scenarios, where minimal effort yields high rewards, underscore the need for precise claim validations.
Advanced Configurations and Misconfigurations
Delving deeper, Aviad explores “advanced configs” that inadvertently become misconfigurations. Features like GitHub’s ID token requests for forks introduce risks if not explicitly enabled. He recounts discovering a vulnerability in CircleCI, where reusable configurations allowed token issuance to forks, bypassing protections.
Shifting to the IdP viewpoint, Aviad discloses a real-world flaw in a popular CI vendor, permitting token claims from any repository within an organization. This enabled cross-project escalations, compromising clouds via simple PRs. Reported responsibly, the issue prompted fixes, emphasizing the cascading effects of IdP errors.
He references Tinder’s research on similar WIF misconfigurations, reinforcing that even sophisticated setups falter without rigorous claim scrutiny.
Exploitation Through CI Vendors
Aviad pivots to CI vendor responsibilities, highlighting how their token issuance logic influences downstream security. In CircleCI’s case, a bug allowed organization-wide token claims, exposing multiple projects. By requesting tokens in fork contexts, attackers could satisfy broad WIF conditions, accessing clouds undetected.
Remediation involved opt-in mechanisms for fork tokens, mirroring GitHub’s approach. Aviad stresses learning claim origins per IdP, avoiding wildcards, and hardening pipelines to prevent trivial breaches.
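The claim-validation lapses described in both the wildcard-policy discussion and the CI-vendor section come down to what the cloud's trust policy accepts in the token's subject. The following is an added example, not Aviad's tool or any provider's code: it models three trust policies for one cloud role, from an org-wide wildcard to an exact branch match, and checks which constructed tokens each would let assume the role. GitHub's issuer URL and its documented subject format "repo:<owner>/<repo>:<context>" are real; the org, repositories, audience and policies are made up, and signature verification of the token is assumed to have already happened.

```python
import fnmatch

# Real issuer URL for GitHub Actions; the audience value is what an AWS-style federation
# would expect. Everything under "acme" below is constructed for the example.
TRUSTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"

# Three trust policies for the same role, loosest to tightest. "sub_like" is a glob in the
# spirit of a StringLike condition; "sub_equals" is an exact-match condition.
WILDCARD_POLICY = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub_like": "repo:acme/*"}
REPO_ONLY_POLICY = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub_like": "repo:acme/app:*"}
STRICT_POLICY = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                 "sub_equals": "repo:acme/app:ref:refs/heads/main"}


def claims_for(sub, iss=TRUSTED_ISSUER, aud=EXPECTED_AUDIENCE):
    """Claim set of an ID token as the cloud sees it after signature verification
    (assumed done elsewhere; this example covers claim validation only)."""
    return {"iss": iss, "aud": aud, "sub": sub}


# Tokens the IdP could mint for workflow runs in the "acme" org (constructed):
MAIN_BRANCH = claims_for("repo:acme/app:ref:refs/heads/main")    # push to the protected branch
PR_RUN = claims_for("repo:acme/app:pull_request")                # PR-triggered run, fork included
OTHER_REPO = claims_for("repo:acme/sandbox:ref:refs/heads/main")  # any other repo in the org
WRONG_AUD = claims_for("repo:acme/app:ref:refs/heads/main", aud="https://other-cloud.example")
CANDIDATES = [MAIN_BRANCH, PR_RUN, OTHER_REPO, WRONG_AUD]


def assume_role_allowed(policy, claims):
    """Mirror of a workload identity federation check: issuer, audience, then subject."""
    if claims.get("iss") != policy["iss"] or claims.get("aud") != policy["aud"]:
        return False
    sub = claims.get("sub", "")
    if "sub_equals" in policy:
        return sub == policy["sub_equals"]
    return fnmatch.fnmatchcase(sub, policy["sub_like"])   # '*' spans '/' and ':' like StringLike


def accepted_subjects(policy, tokens):
    """Audit helper: the subjects a policy would let assume the role."""
    return [t["sub"] for t in tokens if assume_role_allowed(policy, t)]


if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_POLICY), ("repo-only", REPO_ONLY_POLICY),
                         ("strict", STRICT_POLICY)]:
        print(f"{name:9} accepts: {accepted_subjects(policy, CANDIDATES)}")
```

Running the audit helper over every subject the IdP can mint for your org is the practical version of "learning claim origins per IdP": the repo-only policy looks tight until the pull_request context shows up in its accepted list, which is precisely the fork-PR path the talk describes.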
His tool for auditing Azure CLI configurations exemplifies proactive defense, aiding in identifying exposed resources.
Broader Implications for Secure Authentication
Aviad’s insights extend beyond CI/CD, advocating holistic OIDC understanding to thwart supply chain attacks. By dissecting entity interactions—users, IdPs, and clouds—he equips practitioners to craft resilient policies.
Encouraging bounty hunters to probe these vectors, he underscores OIDC’s maturity yet persistent gaps. Ultimately, robust configurations transform OIDC from vulnerability to asset, safeguarding digital infrastructures.