Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Matt Johansen Profile picture
@mattjay
Sep 3 11 tweets 3 min read Read on X
This is an absolutely wild one by @iangcarroll and @samwcyo

The most basic SQL injection ever in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) used by airlines and TSA.

Literally ' OR 1=1 got them admin access. Here's what we know:
@iangcarroll @samwcyo The vulnerability was found in FlyCASS, a web-based interface used by smaller airlines to manage KCM and CASS.

A simple SQL injection in the login page allowed unauthorized access to the admin panel for Air Transport International. Image
@iangcarroll @samwcyo Once inside, the Ian and Sam discovered they could add or modify employee records without any additional authentication.

This meant they could potentially add anyone as an authorized to this system. Or swap exting pilot's photos. Image
@iangcarroll @samwcyo The researchers stated they believe an attacker could potentially bypass security screening and gain access to commercial airline cockpits by exploiting this vulnerability.
@iangcarroll @samwcyo The issue was responsibly disclosed to the Department of Homeland Security on April 23rd.

FlyCASS was subsequently disabled in KCM/CASS and later remediated the issues.
@iangcarroll @samwcyo However, the disclosure process wasn't smooth. DHS stopped responding to the researchers.

The TSA press office issued statements that contradicted the researchers' findings. - which they they retracted. Image
@iangcarroll @samwcyo The TSA claimed that a vetting process for new KCM members would prevent exploitation, but this doesn't account for manual employee ID entry at checkpoints or the ability to modify existing user records.

Web Archive: web.archive.org/web/2022081008…
Image
@iangcarroll @samwcyo Other potential attack vectors included changing photos and names of existing KCM members or enrolling unenrolled KCM barcodes to employee IDs through the KCM website. Image
@iangcarroll @samwcyo Web hackers - when was the last time you saw ' OR 1=1 work outside of purposefully vulnerable web apps? It's been a while for me.
@iangcarroll @samwcyo Wild one, thanks Ian and Sam - SOLID work, and glad you shared it publicly.

Read up - ian.sh/tsa
@iangcarroll @samwcyo I sent this out in my newsletter on Friday. Join 15k+ other folks who got it then if you're into that sort of thing (I really appreciate the support)

vulnu.com

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matt Johansen

Matt Johansen Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mattjay

Matt Johansen Profile picture
Aug 30
⚠️ Breaking: North Korea just burned an 0-Day in Chromium.

They used it to install a Windows rootkit and the campaign targeted cryptocurrency platforms and users.

Here's what we know:
Microsoft reports that a North Korean hacking group, Citrine Sleet, exploited a previously unknown Chromium bug to target crypto organizations just a few days ago. Image
The zero-day was in a core engine within Chromium, affecting Chrome and other browsers like Edge.

Google patched the bug on August 21, two days after the initial exploitation. Image
Read 10 tweets
Matt Johansen Profile picture
Aug 29
Google uncovered evidence that Russian government hackers (APT29) are using exploits "identical or strikingly similar" to those developed by spyware companies Intellexa and NSO Group.

And we don't know how they got their hands on it...

Here's what we know: 🧵
APT29 should sound familiar. Re: Microsoft and Solarwinds hacks.

They're patient and persistent. Pair that with incredibly skilled and well funded and this is a deadly combo. Image
NSO Group is the maker of Pegasus spyware

Intellexa is behind Predator spyware.

Both are sanctioned by the US government Image
Read 10 tweets
Matt Johansen Profile picture
Aug 13
Whelp. Another North Korean laptop farm just got taken down in the US.

This time at a guy's house in Nashville. The NK team made over $250k for their remote work between 2022 and 2023.

Hey if someone shows up and asks you to host a pile of laptops at your house, just say no?
38 year old Matthew Isaac Knoot offered his address up to the NK teams.

He'd get laptops to his HOME for an employee named "Andrew M." who got remotely hired for a number of US jobs.

His house would act as the local IP and addy for these overseas spies to tunnel through. Image
This isn't even the first farm taken down. Arizona had a woman with the same thing going on out of her house a few months ago. Image
Read 7 tweets
Matt Johansen Profile picture
May 28
The DoJ just busted a massive scam involving North Korean IT workers infiltrating major US companies.

They had some help in the US and were posing as remote freelancers to siphon off money and sensitive info.

Holy crap, here's what we know:
How they operated:

North Korean operatives are stationed in countries like China, Russia, and parts of Eastern Europe and Southeast Asia.

They then use fake documents and buy accounts to get remote jobs in the States. Image
On May 16, the DOJ indicted five people connected to this scheme.

One is an Arizona woman who helped North Korean IT workers by validating stolen identities, making them look like US citizens. Image
Read 12 tweets
Matt Johansen Profile picture
May 16
Kevin Briggs, a senior advisor at CISA, has publicly revealed ongoing vulnerabilities in U.S. telecom networks.

TL;DR - He has evidence vulns in teleco's are being used to track and spy on U.S. citizens.

Buckle up, here's what we know:
Oversimplified: The attacks involve 2 teleco techs

SS7 - crucial for routing messages when roaming
Diameter - SS7's more efficient successor

They are both being exploited to track phones, intercept calls, and access texts. Image
Despite reassurances from major telecoms like AT&T, Verizon, and T-Mobile about enhanced security post-2018,

Briggs’ revelations suggest otherwise. He asserts that these “are just the tip of the iceberg” of vulnerabilities. Image
Read 8 tweets
Matt Johansen Profile picture
Apr 22
🚨 GitHub and GitLab comments are being abused to push malware via Microsoft repo URLs.

Let's dive in:
GitHub comments can host files uploaded during issue discussions or commit annotations.

Once uploaded, these files are accessible via GitHub's CDN, regardless of the comment's visibility or existence. Image
The crux of the exploit lies in the persistence of files on GitHub’s CDN.

Files remain accessible even after the associated comment is deleted, a perfect setup for distributing malicious content. Image
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(