During 2021 I had access to a facility equipped with an alarm system from Securitas Direct. I had access as a regular user to Securitas Direct’s My Pages at mypages-pro.securitas-direct.com, which is used to administer some aspects of one’s security alarm installation. That web application suffered a CWE-384 Session Fixation vulnerability which can be used by an attacker in a so-called Man-In-The-Middle (MiTM) position. Home page of Securitas Direct My Pages In summary, if an attacker is on the same network as the victim or somewhere else between the victim and Securitas Direct’s server, and if the attacker can make the victim’s browser make an unencrypted HTTP request to a subdomain of securitas-direct.

I work for the security consultant company Defensify where I conduct security assessments of applications and networks. In December 2020 I made a review of a web application written in Ruby on Rails. I will not disclose the name of the client or any other vulnerabilities found in the client’s application, but this blog post tells the story of how I found a security vulnerability in one of the third-party dependencies they use, which is open source, and got my first ever CVE assigned. \o/

This is a follow-up on the previous post Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN) where I describe some vulnerabilities discovered in August 2020 and the response from CSN. It seems I missed another problem with the CAPTCHA though. And it was right in front of my eyes…

The Swedish Board of Student Finance CSN is the government agency that manages Swedish student finance, i.e. grants and loans for studies. They also manage driving licence loans and home equipment loans. (Source)

This is the story of when I found two security vulnerabilities in their login functionality and reported it to them.