Security Now 1039: The Sad Case of ScriptCase
TWiT.tv – August 20, 2025
Hosted by Steve Gibson & Leo Laporte
Overview:
This episode marks the 20th anniversary of Security Now, with Steve Gibson and Leo Laporte reflecting on two decades of cybersecurity insights and learning. The feature topic is “The Sad Case of ScriptCase”—a cautionary tale about a widely-used low-code website generator with a severe, lingering vulnerability that exemplifies systemic issues in software security and the risks of exposing non-public tools to the internet. The episode also covers data leaks (notably Allianz Life), Chrome’s new privacy/proxy features, NIST’s finalized lightweight cryptography for IoT, challenges around AI-driven search and web economics, and more.
Key Topics & Discussions
1. Celebrating 20 Years of Security Now
[00:30 - 11:40]
- Steve and Leo mark the show's 20th birthday, reflecting on its origins in August 2005.
- Quote, Steve Gibson [02:25]:
"Time accelerates as you age. I don't understand why. ... It's like you're circling the drain."
- Rich feedback from listeners: many have launched careers, earned certifications, and deepened expertise thanks to the show’s thorough tutorials.
2. AI, Web Summaries & the Changing Internet Economy
[11:40 - 30:27]
- The Cloudflare vs. Perplexity AI case: the current clash between content creators and rapidly advancing AI summary engines.
- Impact: AI-generated “zero click” results are eroding old ad-driven models, leading to traffic drops for even highly ranked sites.
- Quote, Steve Gibson [20:20]:
"Consumers simply want quick answers to their questions... Given that so much of the web has been financed by search engines driving traffic to websites ... large language model chatbots appear to be driving a generational change."
- Marketers rethink digital strategies; paywalls strengthen; ad models struggle; creator funding is at risk.
- Consensus: The way users want information (quick, summarized, via AI) will dictate the future—regardless of long-term consequences for the ecosystem.
- Quote, Leo Laporte [27:02]:
"The ad model is not a good answer. That's why we have the club. ... If advertisers abandon podcasts, which they're kind of in the process of doing right now, then the club is the only sensible way."
3. Urgent Plex Media Server Vulnerability
[30:31 - 37:49]
- Plex alert: update immediately due to a critical security flaw, with historical ties to the infamous LastPass breach.
- Emphasis on patching quickly: the LastPass breach, which began with an unpatched Plex server in a developer's home, showed the real-world cost of delay.
4. Allianz Life Data Breach & Growing Social Engineering Threats
[37:49 - 46:31]
- Shiny Hunters and Scattered Spider merge tactics, exploiting Salesforce OAuth through social engineering to exfiltrate personal and business customer data (2.8 million records affected).
- Quote, Steve Gibson [39:48]:
"Every single person must never even once do the wrong thing since all that's needed is a single slip up... the bad guys only need to find or create a single mistake once."
- Social engineering increasingly supersedes technical hacking as the main enterprise risk.
- Zero trust: corporate networks must be designed on the assumption that something inside them is already compromised.
5. Browser Privacy: Chrome 140, Fingerprinting & Local Network Protections
[55:02 - 75:31]
- Chrome 140 (Sept release):
  - Adds incognito-only third-party script blocking for known fingerprinting domains.
  - Routes sensitive third-party incognito requests through a Google proxy to mask the user's IP.
  - Will require explicit user permission for public websites trying to access local network/LAN devices.
  - New base64 and hex conversion APIs in JavaScript for developers; changes to localhost protections.
- Comparisons: Safari and Brave offer more robust, default anti-fingerprinting protections for all users.
6. Data Brokers Hide Opt-out Pages
[75:31 - 83:38]
- Investigative report: 499 California-registered data brokers; 35 hide their opt-out/data deletion pages from search engines using “noindex” code, making removals difficult.
- Companies feign ignorance or cite “anti-spam” advice when caught.
- Quote, Steve Gibson [76:55]:
"This sounds to me like a clever workaround to make it as hard as possible for consumers to find it."
- Laws need clearer mandates—and penalties—requiring prominent access to opt-out/deletion features.
7. Russia's Moves Against Secure Messaging
[87:03 - 90:44]
- Russia's regulator Roskomnadzor clamps down on WhatsApp and Telegram voice/video calls, citing fraud and terrorism; the real driver is that major telcos pushed for the ban to recoup lost revenue and to force users onto the forthcoming, state-controlled MAX messenger.
- Mandatory government migration to MAX signals inevitable surveillance motivations.
8. NIST Finalizes Lightweight Cryptography for IoT
[90:44 - 106:33]
- NIST releases ASCON family of cryptographic algorithms—secure, power-efficient, and suitable for small networked devices (IoT, RFID, medical implants, etc.).
- Offers right-sizing of security: adequate for short-lived, less sensitive use-cases that don’t need heavy 256-bit protections.
9. SyncThing 2.0 Arrives—With Cautions
[111:29 - 120:32]
- Major update: now uses SQLite backend, structured logs, and cleans up deleted-item retention logic. But users warned: “Keep a sense of adventure”—major updates may break older installations; some prebuilt binaries/platforms no longer supported.
- Steve and Leo recommend holding off on an immediate upgrade, especially on critical production environments or legacy systems.
10. Featured Topic: The Sad Case of ScriptCase
[128:43 - END]
The Vulnerability:
- ScriptCase, a low-code PHP web platform, contains a chain of two severe vulnerabilities:
  - Pre-auth password reset bug: any remote user can reset the admin console password after a trivial failed login, due to a logic error and the lack of an “old password” check.
  - Authenticated command injection: once admin, attackers can inject arbitrary commands via crafted inputs concatenated into SSH system calls.
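As an added illustration (not ScriptCase's own code, which the episode does not show), the two bug classes described above in minimal PHP, each flawed pattern beside a hardened one; all function names, the account array and the sample values are made up:

```php
<?php
// Added illustration, not ScriptCase's code: the two bug classes above,
// each flawed pattern next to a hardened one. All names are made up.
// 1. Password change. The flawed pattern rotates the hash for whoever
//    reaches it, with no session check and no proof of the old password.
function weakResetPassword(array &$account, string $newPassword): void
{
    $account['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
}

// Hardened: the caller must hold a session for this very account and
// must present the current password before the hash is replaced.
function changePassword(array &$account, ?string $sessionUser,
                        string $oldPassword, string $newPassword): bool
{
    if ($sessionUser === null || !hash_equals($account['user'], $sessionUser)) {
        return false; // not authenticated as this account
    }
    if (!password_verify($oldPassword, $account['hash'])) {
        return false; // the "old password" check the flawed version lacks
    }
    $account['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// 2. SSH command construction. The flawed pattern concatenates request
//    input into a shell string, so shell metacharacters become commands.
function weakSshCommand(string $host, string $user): string
{
    return "ssh $user@$host uptime";
}

// Hardened: validate each piece against a strict allow-list pattern and
// quote it with escapeshellarg(), so the shell sees exactly one argument.
function safeSshCommand(string $host, string $user): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)
        || !preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('rejected host or user');
    }
    return 'ssh ' . escapeshellarg("$user@$host") . ' uptime';
}

// Constructed sample data for a stand-alone run.
$acct = ['user' => 'admin', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)];
var_dump(changePassword($acct, null, 'correct horse', 'n3w'));    // attempted without a session
var_dump(changePassword($acct, 'admin', 'wrong', 'n3w'));         // wrong current password
var_dump(changePassword($acct, 'admin', 'correct horse', 'n3w')); // authenticated, correct old password
echo safeSshCommand('build.example.test', 'deploy'), PHP_EOL;     // well-formed host and user
try { safeSshCommand('build.example.test;x', 'deploy'); } catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
```

Only the first two of the three changePassword() calls are refused; the last host contains a shell metacharacter and never reaches the shell because the allow-list rejects it before escapeshellarg() is even consulted.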
The Aftermath:
- Despite full public disclosure, patches, and proof-of-concept code, over 2800 internet-exposed instances remain vulnerable a month later (more than half of known installations).
- Attacks are simple—just a couple of curl commands; gray-hat and black-hat scanning is rampant, verified via honeypots and threat intelligence sources.
- Synacktiv’s responsible disclosure timeline reveals months of vendor sluggishness/inaction; vulnerable systems linger long after the news.
The Real Issue:
- This is not “just another bug”—it’s a reflection of a widespread, broken paradigm:
  - Tools that are never meant to be public are put, out of convenience/ignorance, on the open internet, protected only by weak authentication that is inevitably subverted by mistakes.
  - Vendors like ScriptCase have “update fatigue” with never-ending bugfixes, and end-users tire of constant patching, leading to stagnation and exposures.
Steve’s Core Takeaways
- Quote, Steve Gibson [159:36]:
"Bugs are never going away, ever. And neither are bad guys. So it should be obvious that the only possible solution is to make certain that the bad guys can never get their hands on those bugs."
- Only software intended for public exposure (web, email, DNS) should be exposed. All private administration tools, internal dashboards, and non-public interfaces should be strictly firewalled, VPN’d, or air-gapped.
- Don’t depend on authentication alone for security—“authentication always fails in the end,” as virtually every breach (including this one) demonstrates.
- Blame is misplaced on hackers or buggy software—the culpability also squarely rests with those who expose non-public tools to the world.
- Quote, Steve Gibson [163:25]:
"From now on I'm calling them morons because it is their fault that they got hacked... If it's crappy software, keep it inside, it cannot defend itself against the internet."
Notable Moments & Quotes
- On 20 years of the show:
"Just think of the wealth of learning you’ve got for free from this guy..." – Leo [08:27]
- On AI's economic disruption:
"Consumers usually wind up dictating what wins and what loses." – Steve [24:30]
- On ScriptCase's broken update model:
"Every three or four days they do another release ... Talk about update fatigue." – Steve [151:20]
- On the repeated cycle of vulnerabilities:
"The actual mistake is ever attaching anything to the public internet that does not, by virtue of its purpose, need to be widely visible to everyone, everywhere." – Steve [159:03]
Episode Timeline
- 00:30 – Celebrating 20 years, show origins
- 11:40 – AI, zero-click web, and the shifting economy
- 30:31 – Plex urgent update
- 37:49 – Allianz Life breach; social engineering
- 55:02 – Chrome 140 privacy features; browser security
- 75:31 – Data brokers hide deletion pages
- 87:03 – Russia restricts secure messaging; state-controlled MAX
- 90:44 – NIST’s lightweight crypto for IoT
- 111:29 – SyncThing 2.0 release: features, warnings
- 128:43 – Main topic: ScriptCase vulnerability; lesson for the enterprise; protecting against the inevitable
- 159:03 – Rant: Don’t expose the non-public; “authentication always fails”; shift blame
Bottom Line
The “sad case of ScriptCase” is a microcosm of how not just bugs, but bad operational decisions—placing non-public tools on the internet—are the direct cause of modern ransomware and breaches. Security posture must assume that both bugs and attackers are a constant, and expose to the world only what is meant for the world. Everything else stays inside, or risks sharing ScriptCase's sad fate.
Security Now will return next week for the start of year 21. Live long and prosper, everyone!