Hello, welcome to the Monday, October 15th, 2018 edition of the Sandtonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from McLean, Virginia.

I have mentioned several times in this podcast how important it is to track dependencies in your applications, particular third-party libraries that

you are including in your code. Now often the focus here is open source libraries, but it

affects commercial libraries just as well. One reason example is branch.io.

Branch.io allows mobile applications to track users and essentially get things like

refer statistics and the like, and apparently their library suffered from a cross-site

scripting vulnerability.

This issue was first discovered at the dating site Tinder, but then as it became known that branch.io's code was actually the vulnerable code.

It turned out that many, many other sites are affected by the same vulnerability, potentially affecting hundreds

of millions of users.

Now, you may say, hey, it's just a cross-site scripting vulnerability, but don't underestimate

cross-site scripting vulnerabilities.

This particular vulnerability was exploitable on personal profile pages, so this could certainly be used

to either leak personal information or to even take over accounts. And pacemaker manufacturer

metronic is in the news again regarding the programmers for their pacemakers. This is actually an older vulnerability.

I believe it was discovered back in February and it affects these programmers. So it doesn't

affect the pacemaker itself, but these programmers are used to configure pacemakers.

And up to now, it was possible to remotely update these programmers.

But apparently this update process wasn't secure.

Now, the original fix was to just use a VPN for the update.

And the way this apparently worked was that the programmer did establish a VPN

connection to Metronics Software Delivery Network and then the update happened. The problem was

...