Seclog - #185

In this week's Seclog, the dominant story is the collision of AI and offensive security with the classic web-vulnerability grind. On the AI front, autonomous tooling matured sharply: an LLM-driven hackbot logged 126 findings in five months, Claude Opus was walked through a full V8 Chrome exploit chain, and a TOCTOU race showed that computer-use agents can be tricked into clicking something other than what they "see." The rapidly expanding MCP ecosystem emerged as a first-class attack surface, with open Dynamic Client Registration abuse and a Google-assigned CVE (CVE-2026-11719) bypassing scope enforcement via protocol-version selection. Meanwhile, tried-and-true bugs dominated real-world impact โ€” three SQL injections (Control Web Panel, Front Gate Tickets, and a PostgreSQL dollar-quote bypass), stored XSS through storage content-type override, a zero-click CSS oracle exfiltrating Slack DMs, and origin-validation bypasses via IP normalization. Cloud and supply-chain infrastructure took hits too, including unauthenticated RCE in Argo CD (found with CodeQL) and OS command injection in aws-cdk-lib. The throughline: AI is compressing both exploit development and mass discovery, even as fundamental input-validation and access-control flaws remain the bugs that actually get owned.

๐Ÿ“š SecMisc #

Portable Cloud Malware Analysis Lab on AWS - viuleeenz.github.io

Moves a malware analysis environment off fragile local VMs and into AWS to solve snapshot staleness, host slowdown, and "is this box still clean?" uncertainty โ€” a pain point amplified on Apple Silicon where emulation makes local detonation heavy. The rapid-deploy, disposable model gives analysts a known-clean, reproducible environment on demand and scales beyond a single laptop. Practical blueprint for anyone standing up repeatable detonation/sandbox infra in the cloud.

Control Web Panel userRes SQL Injection - karmainsecurity.com

Egidio Romano (EgiX) discloses a SQL injection in Control Web Panel (CWP) โ‰ค 0.9.8.1224 via the userRes parameter. CWP is a widely deployed hosting/server control panel, so DB compromise here is high-value and often a stepping stone toward fuller server takeover. Operators should patch/upgrade CWP instances immediately and restrict panel exposure.

Google Messages Leaks Contact Photos Without Permission - blog.devploit.dev

A confused-deputy bug: an app holding no READ_CONTACTS permission coerces the privileged Google Messages app into loading contact photos on its behalf via AvatarContentProvider. This bypasses Android's permission model to exfiltrate contact avatar data through a pre-installed, over-trusted ContentProvider. A reminder to audit exported/privileged ContentProviders for caller-permission enforcement.

TOCTOU Race Tricks Computer-Use Agents - embracethered.com

Reproduces a time-of-check/time-of-use race against computer-use AI agents (in the spirit of the ChatGPT Operator bug) where the UI state the agent evaluates differs from the state at click time. Enables silent redirection/deception of autonomous agents into unintended actions. Argues agentic browsing needs atomic verify-then-act and human confirmation on sensitive operations.

Autonomous Hackbot Finds 126 Vulnerabilities - josephthacker.com

rez0 and xssdoctor detail an autonomous hackbot that surfaced 126 vulnerabilities across five months, evidencing that AI-driven bug discovery now scales meaningfully. The takeaway for defenders: expect higher-volume, automated testing against your assets and treat bounty programs as increasingly essential intake. For hunters, it signals a shift toward orchestrating agents rather than manual-only recon.

MCP Dynamic Client Registration Is a New Attack Surface - blog.voorivex.team

Open Dynamic Client Registration (DCR) on MCP servers exposes a fresh, under-scrutinized surface enabling XSS, OAuth token theft, SSRF, and direct access to "AI-only" tools. As MCP adoption accelerates, loosely-scoped or unauthenticated registration endpoints hand attackers a foothold into LLM tool infrastructure. Lock down DCR, validate redirect URIs, and tightly scope issued tokens.

response-content-type Turns Public Objects Into Stored XSS - blog.voorivex.team

A single response-content-type query parameter on public bucket objects flips a forced image/png into text/html, yielding stored XSS on the target's own origin. MinIO grants it directly; S3 needs one extra step. Any app serving user-controlled bucket content from its own origin is an XSS sink โ€” serve untrusted files from an isolated, sandboxed domain.

Unauthenticated SQL Injection in Front Gate Tickets - ian.sh

Sam Curry finds unauthenticated SQLi in Front Gate Tickets, the Live Nation/Ticketmaster subsidiary handling ticketing/payments for EDC, Bonnaroo, Outside Lands and more. Because many festivals funnel back to the same aging FGT domains, one legacy backend becomes a single point of mass PII/payment exposure. Textbook consolidated-legacy-infrastructure risk in the events industry.

Unauthenticated RCE in Argo CD Found via CodeQL - synacktiv.com

Synacktiv chains an unauthenticated remote code execution in Argo CD, surfaced using CodeQL static analysis. As core GitOps CD infrastructure with cluster-level privileges, a pre-auth RCE here equals full Kubernetes cluster compromise. Doubles as a demonstration of CodeQL's value for deep Go-codebase auditing โ€” patch Argo CD and restrict its network exposure.

Zero-Click CSS Oracle Exfiltrates Slack DMs - iglu.blog

A Slack Block Kit validation bypass via salesforce_record reaches unsanitized client-side sinks, enabling a blind CSS oracle that leaks private DM attributes with zero user interaction. Shows that CSS injection remains a potent exfiltration primitive even in hardened, mature chat platforms. Validation bypass plus a client sink is enough for silent data theft โ€” sanitize rendered attributes and constrain Block Kit inputs.

Dollar-Quote Bypass for Blind PostgreSQL Injection - jrbusiness.github.io

Combines PostgreSQL dollar-quoting to evade quote-based filters, scalar subquery injection, and zero-knowledge blind extraction against PL/pgSQL. Adds a concrete WAF/sanitizer-evasion technique tailored to Postgres backends. Valuable for testers facing quote-focused input filtering, and a reminder that parameterization โ€” not quote escaping โ€” is the real fix.

LLM Writes a Full V8 Chrome Exploit Chain - hacktron.ai

The author drove Claude Opus to build a full V8 exploit chain against Discord's bundled Chrome (v138, nine versions behind) using a Chrome 146 V8 OOB, ultimately popping calc. Cost: ~2.3B tokens, ~$2,283, and ~20 hours of human unsticking โ€” heavy but declining guidance. Two lessons: LLMs are nearing practical browser-exploit development, and outdated bundled Chromium in Electron apps stays dangerously exploitable.

Google MCP Toolbox scopesRequired Authorization Bypass - skypoc.wordpress.com

CVE-2026-11719 (CWE-862) is an authenticated authorization bypass / vertical privilege escalation in Google's MCP Toolbox for Databases, where selecting an older protocol version sidesteps scopesRequired enforcement. Another concrete example of MCP access-control gaps emerging as the ecosystem grows. Update mcp-toolbox and ensure scope checks are enforced uniformly across every supported protocol version.

IP Normalization Bypasses postMessage targetOrigin - lab.ctbb.show

An integer/decimal-encoded IP host slips past a subdomain-matching regex, redirecting postMessage data to an attacker-controlled origin. Demonstrates that regex-based origin validation is bypassable through alternate IP representations. Validate targetOrigin against an exact allowlist of canonical origins rather than pattern matching.

OS Command Injection in aws-cdk-lib - hackerone.com

An AWS VDP report discloses a High-severity OS command injection (CWE-78) in the aws-cdk-lib npm package. Injection in such widely-used Infrastructure-as-Code tooling can execute commands in developer workstation and CI/CD contexts, making it a supply-chain-adjacent risk. Update aws-cdk-lib and audit CDK usage in build pipelines for untrusted input reaching command execution.

← All Seclogs

Press / to search, Esc to close