GitLab – a web-based repository manager – has recently patched a critical flaw in its API that posed a security threat to its services. As disclosed, a GitLab API vulnerability allegedly exposed confidential information on public projects. The glitch appeared in the events API that was leaking data for about a year.
A HackerOne researcher using the alias ngalog discovered the bug in the code of the GitLab Events API last month and reported it to GitLab. (According to GitLab, they have a “track record of great engagements” with this hacker.)
After receiving the report, GitLab investigated and confirmed the bug. The bug reportedly appeared in June 2017, with the release of GitLab 9.3. Explaining the impact of the vulnerability, GitLab stated in its disclosure:
“The Events API was introduced with the release of GitLab 9.3, and it enabled users to programmatically access the activity log of projects and users… Unfortunately, a bug was introduced at release time and the API would not honour the private flag of events related to numerous target types that belonged to public projects. As a result, events for said target types were exposed to potentially unauthenticated and unauthorized parties.”
As reported, the bug resulted in the exposure of private information related to projects: private milestones, private merge requests, private snippets, private notes, and confidential issues. The GitLab API vulnerability affected all GitLab versions between 9.3 and 11.3, and the information was exposed “only through the API”. After the investigation, GitLab patched the flaw and deployed the hotfix across the GitLab infrastructure by September 24, 2018. Although GitLab did not state the exact impact of the vulnerability, it did say it found no evidence that the bug had been exploited. “Given the wide time window during which the issue was present (more than a year), we are unable to determine with accuracy the extent of the impact… We investigated four months of retained GitLab.com logs, and found no evidence that unauthorized parties accessed any of your private events.”
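As an illustration added here (not GitLab's own code), the following simplified Ruby model shows the kind of authorisation gap the disclosure describes: an activity-feed filter that checks the project's visibility but honours the per-event private flag only for some target types, next to a deny-by-default version that honours it for every type. The Event and Viewer types, the sample activity log and the CHECKED_TYPES list are constructed for the example.

```ruby
# Simplified model of an events endpoint; hypothetical types, not GitLab's classes.
Event  = Struct.new(:id, :target_type, :private_flag, :project_public)
Viewer = Struct.new(:name, :member_of_project)

# Constructed activity log for one public project. Every event except the push
# belongs to a private/confidential target and must stay hidden from outsiders.
EVENTS = [
  Event.new(1, "Push",         false, true),
  Event.new(2, "Issue",        true,  true),  # confidential issue
  Event.new(3, "MergeRequest", true,  true),  # private merge request
  Event.new(4, "Milestone",    true,  true),  # private milestone
  Event.new(5, "Snippet",      true,  true),  # private snippet
  Event.new(6, "Note",         true,  true),  # private note
].freeze

# Target types for which the buggy filter remembers to consult the private flag.
# Everything else silently falls through to "visible" (the allow-by-default bug).
CHECKED_TYPES = %w[Issue].freeze

# An anonymous caller is modelled as viewer == nil.
def member?(viewer)
  !viewer.nil? && viewer.member_of_project
end

# Buggy filter: project visibility is enforced, but the private flag is only
# checked for a short list of target types.
def visible_events_buggy(events, viewer)
  events.select do |e|
    next false unless e.project_public || member?(viewer)
    next true  unless CHECKED_TYPES.include?(e.target_type)
    !e.private_flag || member?(viewer)
  end
end

# Fixed filter: deny by default; the private flag is honoured for every
# target type, so a public project leaks nothing to non-members.
def visible_events_fixed(events, viewer)
  events.select do |e|
    next false unless e.project_public || member?(viewer)
    !e.private_flag || member?(viewer)
  end
end

# Regression check: ids the buggy filter exposes that the fixed filter withholds.
def leaked_ids(events, viewer)
  visible_events_buggy(events, viewer).map(&:id) - visible_events_fixed(events, viewer).map(&:id)
end
```

Running leaked_ids(EVENTS, nil) shows the private merge request, milestone, snippet and note ids escaping to an unauthenticated caller under the buggy filter, while a project member sees the same full feed under both versions.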
Another of the world’s largest investment banks is quietly building a product that will allow its clients to trade bitcoin, at least indirectly.
Morgan Stanley, the sixth-largest bank in the U.S. by assets, is joining Wall Street’s race toward an institutional-friendly bitcoin derivative, Bloomberg reported on Thursday, citing a person familiar with the matter. The financial institution is creating a proprietary derivatives product that will give traders “synthetic exposure” to the price of bitcoin. These derivatives would allow investors to indirectly invest in the market’s flagship currency, allotting them the option to buy into long or short positions through the contracts.
From the report:
“The U.S. bank will deal in contracts that give investors synthetic exposure to the performance of Bitcoin, said the person, who asked not to be identified because the information is private. Investors will be able to go long or short using the so-called price return swaps, and Morgan Stanley will charge a spread for each transaction, the person said.”
The report further indicated that the swaps, which will take their prices from bitcoin futures, will not handle bitcoin directly through the bank; it also referred to remarks made earlier this year by Morgan Stanley’s CEO, James Gorman. Seeing as Morgan Stanley is a regulated and established financial institution, tying the product to futures contracts is a safer bet than basing it on bitcoin’s spot price, as the Chicago Mercantile Exchange and Chicago Board of Exchange offer fully regulated bitcoin futures from which Morgan Stanley can pool pricing data.
Bloomberg’s source claimed that the derivatives are ready for launch, but it’s waiting on an in-house approval process and sufficient investor demand before taking them to market.
However, Morgan Stanley’s spokesperson has declined to comment on the developments.
Last week, Business Insider reported that rival Goldman Sachs Group Inc was ditching plans to open a desk for trading cryptocurrencies, as the regulatory framework for crypto remains unclear.
Check Point’s latest Global Threat Index reveals an increase in banking trojan attacks in August, as organisations feel the impact of a large-scale Ramnit campaign that has been converting victims’ machines into malicious proxy servers.
Ramnit’s fundamental makeup puts it at the forefront of malware trends, despite being based on old source code that’s been knocking around for years.
After staying dormant for a few years, the Ramnit banking trojan resurfaced in July and jumped to sixth place. A wider analysis of how the banking trojan is evolving shows innovative development on the part of its authors, with an eye to broader malware trends.
“This is the second summer running where we have seen criminals increasingly using banking trojans to target victims and make a quick profit,” Maya Horowitz, Threat Intelligence Group Manager at Check Point commented. “Trends like this should not be ignored as hackers are acutely aware of which attack vectors are most likely to be successful at any given time, suggesting internet users’ browsing habits during the summer months make them more susceptible to banking trojans. This underlines that malicious hackers are tenacious and sophisticated in their attempts to extort money.”
Horowitz added: “In order to prevent exploitation by banking trojans – and other types of attacks – it is critical that enterprises employ a multi-layered cybersecurity strategy that protects against both cyber-attacks from established malware families and brand new threats.”
During the period Coinhive remained the most prevalent malware, impacting 17% of organizations worldwide. Dorkbot and Andromeda were ranked in second and third place respectively, each with a global impact of 6%.