Thank you. Hello, welcome to the Friday, June 23, 2017 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Minneapolis, Minnesota. At the internet storm center today we got an interesting diary by Xavier about a

recent file that he came across that used a little bit of different obfuscation technique

in order to bypass signature based detection.

Often you do find simple XOR techniques being used in order to obfuscate binaries,

but anti-Malver has become reasonably good in picking up some of these X-Ore obfuscation techniques.

And I believe Xavier already wrote about that and how to automatically, for example,

find the keys being used for exoring binaries. Now this JavaScript that Xavier came across

actually used a somewhat different technique, sort of custom obfuscation function and he presents how to decode it and how he

wrote for this particular case decoder for the obfuscation. Of course, as he points out,

there's an unlimited number of possible obfuscation techniques. This is really just yet another

one,

and hopefully it'll help you recognize the next new one that hits your network.

And Oath continues to be a difficult and tricky protocol to implement the latest victim here, Airbnb.

As part of Airbnb's Bug Bounty, Arna Svinen, a pentester from Belgium, found an interesting

vulnerability that allows you to steal the OAuth tokens from Airbnb.

Now the way this works is that it will give an attacker access to Airbnb by essentially

tricking the user into authenticating via any number of Oath cable sites, like, for example,

Facebook is listed here, and then stealing the Outh token provided by this particular service.

The issue here is first of all cross-site request forging that can be used to force the user

to log in to Airbnb and then an open redirect.

It's not really quite an open redirect. What's happening

...