Kevin Beaumont

I think as usual with Chrome stuff, as no code is disclosed nobody will know the deets.

Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this.

Moving this topic public as the issue has made the media: https://news.sky.com/story/job-applicants-worried-as-hundreds-of-thousands-of-cvs-exposed-online-11836935

For a home Mac I wouldn’t bother.

That probably isn’t the use cases for HIBP, eg they don’t provide passwords.

Why do you think that?

I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid. I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since). With Windows 10 nowadays it has lots of exploit protection built in, e.g. at current jobbing we have all the different exploit prevention technology turned on with Group Policy in Windows 10 pilot:

I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff.

There's some more background on how a group used this used to hack Twitter and claim bug bounty: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html

For some reason the vendor is lying press about the scale of the issue, saying a majority of customers have patched. Interesting response plan.

Some logs you can retrieve with this remotely: https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/ https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/ As an attacker you can use these to figure out to some degree if the box has been tampered with already. Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre. As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised. I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering. Shoutout to Alyssa Herrera who continues to figure out this vulnerability.

For info - seen no scanning for this in the wild.

An anonymous researcher has pointed out you can remotely retrieve Active Directory usernames and passwords with this vulnerability - the passwords are encrypted, but always with the same passphrase ("NEOTERIS-FORM-CONFIRMATION"). So, essentially, not encrypted. Other hardcoded encryption keys are PSECURE-ADMINPWD-KEY, JUNIPER-ADMINPWD-KEY and others.