
SANS Stormcast Friday April 24th, 2026: Apple Update; Bitwarden Compromise; ASP.NET Core Patch
Hello and welcome to the Friday, April 24, 2026 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response. Today, I wrote a quick diary about a patch that Apple released yesterday. This patch fixes a single vulnerability in iOS and iPadOS. And while it's not unusual for Apple to release these sorts of single-vulnerability updates, these updates are usually reserved for currently exploited vulnerabilities. And Apple's description of the vulnerability does not actually note that it's already exploited. On the other hand, well, the nature of the vulnerability: it does describe it as a vulnerability in Notification Center where notifications that are marked for deletion are not actually deleted. And exactly this particular vulnerability was noted in a press description of a recent criminal case in which the FBI was able to recover at least partial Signal messages by looking at these notifications that were not deleted. So insofar it is certainly already an exploited vulnerability, and also not a terribly difficult to exploit vulnerability. It's a common problem with secure messengers that if they are using these built-in operating system messaging components, these components may well, at the very least, not encrypt the messages to the same standard as the originating application, but also that artifacts of sending messages or receiving messages may often be retained in these additional operating system components, as they're usually not designed for the threat models that these end-to-end encrypted messengers are often designed for. So this isn't fundamentally new. 
And in Signal you had the option to disable notifications, but now Apple also fixed the bug, the vulnerability, that notification artifacts were not necessarily deleted even though the application marked them as to be deleted. And yesterday I talked about the compromise of the Checkmarx KICS tool. Well, today we got our second victim of the same campaign, possibly as a follow-on to the Checkmarx compromise, and that's Bitwarden. Bitwarden, the password manager, was compromised. In particular, the command line tools were compromised. This compromise happened by actually compromising a GitHub worker. Now, part of the Checkmarx compromise was to install malware that would recover and steal credentials like GitHub API keys. So it's very possible and likely that the Bitwarden developer here was affected by the Checkmarx compromise, even though I haven't seen that confirmed yet. What is, however, confirmed is that both compromises use identical infrastructure, identical malware that is being deployed. So if you are affected by either of these compromises, expect all of your GitHub keys and other credentials to be stolen. This particular malware does not necessarily go after any secrets stored in Bitwarden, but of course that could change at any time, and it's definitely something to be aware of if you're affected by a compromise of the Bitwarden command line tools. Other parts of Bitwarden don't appear to be affected, like browser plugins and so on, but still, probably better safe than sorry. And double check when you last updated them and what some of the versions are, and probably refrain from updating these components for the next couple of days, at least until we really know all the details and the real impact and scope of this compromise. I haven't seen anything official from Bitwarden yet, but again, it's a developing story, so I may not have spotted the right blog post or where they told their side of the story, what exactly happened. 
So far I base it mostly on what socket.dev wrote in their blog post. Well, and they're also the ones that uncovered the Checkmarx exploit yesterday. Well, and then we got an emergency update from Microsoft for ASP.NET, the Data Protection library. If you download that from NuGet, you should upgrade now. This only really affects developers who are developing for .NET. They, of course, must release new applications. The problem with this library was that it didn't verify some of the cryptographic signatures correctly, which did allow an attacker to essentially spoof other users using a padding oracle exploit. They're comparing it to a vulnerability patched back in 2010, MS10-070, that apparently fixed a similar vulnerability. So apply the update; it's available now. And yes, you must re-release your applications that used the vulnerable library, and also you must rotate credentials because, well, any keys and such that you used in your application may have been compromised. Well, this is it for today, so thanks for subscribing and liking. And just a quick note: due to travel I probably will not be releasing a podcast on Monday. It depends a little bit on how late I get in on Sunday, but most likely it will be too late in order to still record a podcast for Monday.
In this episode, Johannes B. Ullrich delivers a concise yet impactful rundown of the latest critical security developments. The main topics include a notable Apple iOS/iPadOS update addressing a sensitive data retention flaw, the compromise of Bitwarden’s command-line tools linked to a broader supply chain attack, and a just-released emergency ASP.NET Core patch dealing with cryptographic vulnerabilities. Ullrich provides expert context and practical recommendations for each issue, focusing on both immediate actions and broader security lessons.
[00:16–02:27]
“...the FBI was able to recover at least partial Signal messages by looking at these notifications that were not deleted.” [01:01]
“It’s a common problem with secure messengers that if they are using these built-in operating system messaging components, ...artifacts of sending or receiving messages may often be retained...” [01:19]
[02:28–04:31]
“What is however confirmed is that both compromises use identical infrastructure, identical malware that is being deployed.” [03:37]
“Probably refrain from updating these components for the next couple days, at least until we really know all the details and the real impact and scope of this compromise.” [04:01]
[04:32–05:17]
“The problem with this library was that it didn’t verify some of the cryptographic signatures correctly, which did allow an attacker to essentially spoof other users using a padding Oracle exploit.” [04:51]
“...you must re-release your applications that used the vulnerable library and also you must rotate credentials because, well, any keys and such that you used in your application may have been compromised.” [05:07]
On Apple’s Update and the real-world exploit:
“It does describe it as a vulnerability in Notification Center where notifications that are marked for deletion are not actually deleted. And exactly this particular vulnerability was noted in a press description of a recent criminal case in which the FBI was able to recover at least partial Signal messages by looking at these notifications that were not deleted.”
— Johannes B. Ullrich [01:00]
On persistent risks of OS notifications:
“This isn’t fundamentally new. And in Signal you had the option to disable notifications, but now Apple also fixed the bug vulnerability that notification artifacts were not necessarily deleted even though the application marked them as to be deleted.”
— Johannes B. Ullrich [01:46]
On the ongoing Bitwarden investigation:
“So if you are affected by either of these compromises, expect all of your GitHub keys and other credentials to be stolen.”
— Johannes B. Ullrich [03:44]
On the ASP.NET cryptography flaw:
“The problem with this library was that it didn’t verify some of the cryptographic signatures correctly, which did allow an attacker to essentially spoof other users using a padding Oracle exploit.”
— Johannes B. Ullrich [04:52]
Host: Johannes B. Ullrich
Date: April 24, 2026
Location: Amsterdam, Netherlands
For further updates and announcements, follow the SANS Internet Stormcenter.