Hello, welcome to the Thursday, August 9th, 2018 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from San Antonio, Texas.

The HomeProject, which is a very popular project that allows users of OS10 and Mac OS to install various open source packages on their Mac,

has had a security incident that allowed a researcher to essentially push arbitrary code to the repository,

which would then have been made live by users as they updated their install of

home proof. The root cause here was a GitHub token that was left exposed as part of

a publicly accessible Jenkins install. Now the HomePro project has reacted to the report of this researcher and has further

enhanced their own security precautions. Probably the most meaningful change that HomePro

made was to enable branch protection. What this does is that it no longer allows developers

to automatically merge code. Instead, all changes have to be approved first

and Checkpoint took a closer look at WhatsApp and how it actually works under the hood and came up with three different quite interesting

vulnerabilities in the application.

Now, one special feature of WhatsApp is end-to-end encryption, not even WhatsApp itself.

The company is able to access any messages sent via its platform.

So in order to inspect these messages, Checkpoint actually first had to get past the encryption.

Now, this is of course not impossible if you are the endpoint,

and that's exactly sort of what Checkpoint did here.

They observed the initial key exchange,

which involves scanning a QR code from the WhatsApp website,

and by doing so, they were able to obtain the encryption keys for their account. So nothing really

broken at this point. They were now just able to inspect their own messages and actually see how WhatsApp works.

WhatsApp uses protocol buffers for serialization.

...