HackRead

IBM fixes flaw that let hackers replace its serverless code with their own

July 24th, 2018 | Waqas | Security

This is the first publicly-disclosed vulnerability in a serverless platform.

Experts at IBM (International Business Machines Corporation) have patched a critical vulnerability in its Cloud Functions which, if exploited, could allow remote malicious hackers to replace the company’s serverless code with their own.

Once the changes took effect, hackers could have extracted sensitive customer data, including login credentials and credit card numbers, deleted or modified data, conducted distributed denial-of-service (DDoS) attacks, and even used the server to mine cryptocurrencies.

The vulnerability was identified [PDF] and reported by IT security researchers at PureSec, an Israeli serverless security provider. The vulnerability existed in Apache OpenWhisk, a serverless, open source cloud platform used by thousands of renowned companies around the globe, including IBM.

“An attacker that manages to overwrite or modify the code of the serverless function can then perform further actions such as leaking sensitive data during subsequent executions, which may belong to other end-users,” said PureSec’s CTO Ory Segal.

Tracked as CVE-2018-11756 and CVE-2018-11757, the vulnerability is the first publicly-disclosed one in a serverless platform. The good news, however, is that not only has IBM patched the vulnerability before it could be exploited, but PureSec researchers also informed the OpenWhisk team and supplied a suggested fix, which mitigates the risk. As a result, Apache has also released a patch, and researchers suggest that Apache OpenWhisk users update to the latest version immediately.

“Upon receiving and validating the details on this weakness from PureSec, the Apache OpenWhisk team reviewed and pushed a fix which mitigates the risk for OpenWhisk users,” said Rodric Rabbah, creator of the Apache OpenWhisk project. “We would like to thank PureSec, their contribution to serverless security has helped to make the OpenWhisk platform more secure.”

“The security of functions is an important tenet of serverless computing. The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure,” added Rabbah.

PureSec has also made a video showing the vulnerability in action.
