Hello, welcome to the Tuesday, October 8, 2019 edition of the Sansonet Stormsendors Stormcast. My name is Johannes Ulrich,

and I'm recording from Chicago, Illinois. First, we have an observation by a reader of the Register,

who apparently was running two VPNs at the same time.

First of all, they were running the iOS Warp application that Cloudflare came up with

in order to use its 1-1-1-1-DNS over-HdPS service.

Now, secondly, he was also using NordVPN as an IPSEC VPN provider using

Ike. The problem here, at least my opinion, is that Cloudflare implemented their solution

as a VPN. Now he disabled the actual warp application,

but left that VPN established. Now, when he then also enabled the NordVPN, VPN, well,

in essence, nothing was encrypted at all.

Now, a register is putting it somewhat here on NordVPN to actually come out with a patch

for it.

Possible that this is a solution, but in the end, you always have to be careful if you're

running two VPN solutions at the same time because you can end up with some odd routing situations

where like in this case your traffic is not actually going to get encrypted.

And Singapore security researcher by the handle of vacant found interesting vulnerability in WhatsApp that Facebook patched last week.

This vulnerability can be triggered with a simple gif image that has been manipulated to trigger

a double free vulnerability. Awakened has published a pretty detailed blog with sample code and proof of concept,

walking you through the exploitation year, given that we hear so much about these double-free

vulnerabilities. Well, it's certainly a good idea to take a look at this blog post to better

understand what these vulnerabilities are and how they are exploited.

Probably the most straightforward way to exploit this vulnerability is for an attacker to send an image that has been crafted to exploit this vulnerability to the victim.

...