Several lockscreen-related vulnerabilities this week, a cross-site leak, and the hijacking of all .cd domains.
One important point about this week's episode that was neglected during the discussion: the BitLocker Lockscreen Bypass is a lockscreen bypass. It does not necessarily provide access to data BitLocker protects. If BitLocker is being run in "transparent operation mode", where the ability to log in is all that is necessary to decrypt data, then this vulnerability can grant access to encrypted data.
[00:00:00] Introduction
https://dayzerosec.com/
[00:00:59] Slayer Labs
https://slayerlabs.com/
[00:12:03] BugTraq Shutdown
https://seclists.org/bugtraq/2021/Jan/0
[00:17:22] Data Security on Mobile Devices
https://securephones.io/
[00:27:08] Running a fake power plant on the internet for a month
https://grimminck.medium.com/running-a-fake-power-plant-on-the-internet-for-a-month-4a624f685aaa
[00:33:43] BitLocker Lockscreen bypass
https://secret.club/2021/01/15/bitlocker-bypass.html
[00:39:30] [Linux Mint] Screensaver lock by-pass via the virtual keyboard
https://github.com/linuxmint/cinnamon-screensaver/issues/354
[00:43:02] [NextCloud] Bypassing Passcode/Device credentials
https://hackerone.com/reports/747726
[00:51:02] How I hijacked the top-level domain of a sovereign state
https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/
[01:00:28] Laravel <= v8.4.2 debug mode: Remote code execution
https://www.ambionics.io/blog/laravel-debug-rce
[01:05:47] Leaking silhouettes of cross-origin images
https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/
[01:10:36] Escaping VirtualBox 6.1: Part 1
https://secret.club/2021/01/14/vbox-escape.html
[01:17:15] Hunting for Bugs in Windows Mini-Filter Drivers
https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-mini-filter.html
[01:18:33] Project Zero: Introducing the In-the-Wild Series
https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on YouTube (@dayzerosec)