High-severity vulnerability found in SecureDrop system
https://www.cyberscoop.com/securedrop-vulnerability-found-fixed/
A high-severity vulnerability found in SecureDrop, a whistleblower submission system used by newsrooms and advocacy groups, prompted a patch from developers and coordination with dozens of prominent news organizations that use the software to communicate with sensitive sources.
The bug, blamed on developer error, leaves the system unable to verify key packages and can grant remote code execution against targets.
Who uses SecureDrop? https://securedrop.org/directory/
“The bug, blamed on developer error, leaves the system unable to verify key packages and can grant remote code execution against targets.”
“Some SecureDrop users, including the New York Times, are reinstalling the software as part of a general update.
Other organizations decided that the chance of an attack was so remote that they do not believe a reinstall is necessary, SecureDrop developers explained.”
How hard is a reinstallation of updated software?
One more reason never to trust a news organization!
Wasn’t there something backthread discussing BlackHats being able to snag information and forward to a remote location?
Well. Time for bed!