
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Friday, March 6th, 2026: Targeted or Not? pac4j-jwt auth bypass; FreeScout dangerous uploads; MSFT Authenticator vs GrapheneOS
Mar 6, 2026
This episode covers how to distinguish targeted intrusions from noisy internet scanners, a critical pac4j-jwt authentication bypass that requires only a public key, dangerous file-upload flaws in FreeScout that can lead to remote code execution, and compatibility problems between Microsoft Authenticator and GrapheneOS on secure Android builds.
Honeypot Intern Shows Background Internet Noise
- Johannes Ullrich described how an undergraduate intern, Joseph Grun, analyzed honeypot traffic to show common internet background noise.
- The honeypot revealed scanners zooming in on specific artifacts, helping distinguish targeted intrusions from opportunistic scans.
JWT Algorithm Confusion Lets Public Key Bypass Auth
- Johannes Ullrich explained a pac4j-jwt algorithm confusion where a public key can be misused to create a valid signature, bypassing authentication.
- The flaw lets an attacker wrap an unsigned JWT with a signature made using the public key, and the code then accepts the token as valid.
FreeScout Upload Filters Bypassed By Whitespace
- FreeScout filtered file uploads by extension and with .htaccess checks; both were bypassed via whitespace tricks, leading to remote code execution.
- The vulnerability used whitespace in the filename to evade the extension filters and get code executed inside the document root.
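The whitespace problem described above comes from a filter that compares the raw filename while later layers may read it without the padding. As an added illustration (not FreeScout's code; the function names, extension lists and sample filenames are constructed for this example), here is a blocklist check on the raw name next to a stricter validator that rejects padded names instead of repairing them:

```python
import os
import unicodedata

BLOCKED_EXT = {".php", ".phtml", ".phar"}       # constructed blocklist for the weak check
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}  # constructed allowlist for the strict check


def naive_is_allowed(filename: str) -> bool:
    """Weak pattern: exact-match blocklist applied to the raw client-supplied name."""
    if filename == ".htaccess":
        return False
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXT


def strict_is_allowed(filename: str) -> bool:
    """Reject (never silently repair) names the filter and the server could read differently."""
    # No path components: the upload name must be a bare file name.
    if not filename or "/" in filename or "\\" in filename:
        return False
    # Control (Cc) and format (Cf) characters are invisible and never legitimate here.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in filename):
        return False
    # Dotfiles such as .htaccess are server configuration, not attachments.
    if filename.startswith("."):
        return False
    # Whitespace at the start, the end or next to a dot is padding.
    # str.strip() also removes Unicode spaces such as U+00A0.
    if any(not part or part != part.strip() for part in filename.split(".")):
        return False
    # Allowlist the extension instead of blocklisting known-bad ones.
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


# Constructed sample names: two ordinary attachments, four padded variants.
SAMPLES = ["invoice.pdf", "my report.pdf", "page.php ", " .htaccess",
           "page.php\u00a0", "page.php .pdf"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:20} naive={naive_is_allowed(s)!s:5} strict={strict_is_allowed(s)}")
```

Storing uploads under a server-generated name outside the document root removes the dependency on the client-supplied name altogether.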
