A high-severity vulnerability found in SecureDrop, a whistleblower submission system used by newsrooms and advocacy groups, prompted a patch from developers and coordination with dozens of prominent news organizations that use the software to communicate with sensitive sources. The bug, blamed on developer error, leaves the system unable to verify key packages and can allow remote code execution against targets. Some SecureDrop users, including the New York Times, are reinstalling the software as part of a general update. Other organizations “decided that the chance of an attack was so remote that they do not believe a reinstall is necessary,” SecureDrop developers explained. The vulnerability has not been spotted in the wild and “would be incredibly difficult to pull off,” according to a bulletin posted on Tuesday afternoon. While stressing the difficulty of exploitation, SecureDrop developers said it’s “likely that only a nation-state actor with network-level access would have the ability to conduct […]
The post High-severity vulnerability found in SecureDrop system appeared first on Cyberscoop.