Episode Overview
Title: SANS Stormcast Tuesday, October 28, 2025: Bytes over DNS; Unifi Access Vuln; OpenAI Atlas Prompt Injection
Host: Johannes B. Ullrich
Theme:
A fast-paced daily rundown of noteworthy cybersecurity events. Today's episode dives into the practicality of DNS covert channels and allowed hostname characters, a critical vulnerability in Unifi Access control systems, and the prompt injection risks introduced by OpenAI's Atlas browser. Each segment not only covers recent findings but contextualizes their impact for defenders and practitioners.
Key Discussion Points & Insights
1. Which Bytes Can Be Sent Over DNS Hostnames? (Bytes over DNS)
[00:16–02:12]
- Didier Ran an Experiment:
- Explored which characters can be practically transmitted as a hostname in DNS queries.
- RFC Allowances vs Reality:
- RFCs technically allow upper/lowercase letters, numbers, dash (-), underscore (_), and dots (.) for label separation.
- Real-world constraints stem from both OS resolver libraries and the chosen recursive DNS resolver.
- Operating System Differences:
- Windows Resolver Library: “Quite restrictive. It only allows the standard characters.” (Johannes, 00:47)
- Linux (Ubuntu as example): “Less picky and does allow pretty much any character in the standard ASCII set. So any 7 bit character from 0 through 7F.” (Johannes, 00:56)
- When Using Custom Resolvers (e.g., Python Libraries):
- The only constraint becomes the resolver itself (Cloudflare or Google).
- Both allow nearly any character.
- Special Note on Google:
- Randomizes the case of query-name characters (flipping the case bit, an XOR) as an anti-spoofing measure, so letter case cannot carry data: treat the channel as case-insensitive.
- Cloudflare Preference:
- “Try use Cloudflare as your recursive resolver because they are really just transmitting whatever you send.” (Johannes, 01:36)
- TXT Records Bypass Restrictions:
- For text records, any character representation is possible.
- Practical Guidance:
- Know your limits—especially if using DNS for covert channels or exfiltration.
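The character classes Johannes describes (standard hostname characters, other 7-bit ASCII, 8-bit bytes) map directly onto a defender-side check. The following is an added example, not code from the podcast or from Didier's experiment: it classifies the labels of query names pulled from constructed log lines and flags names that carry bytes a normal hostname never would, lowercasing them first because case-randomizing resolvers make case useless as a signal. The `q=` log format is an assumption.

```python
"""Classify DNS query names by the bytes their labels carry."""

# Characters RFC-style hostnames use (letters, digits, dash), plus underscore,
# which the episode notes is commonly tolerated.  Dots only separate labels.
STANDARD = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
)

# Ordered from least to most unusual for a resolver to see.
CLASSES = ("standard", "ascii-nonstandard", "8bit")

def classify_label(label: bytes) -> str:
    """Return the class of one label from the byte values it contains."""
    if all(b in STANDARD for b in label):
        return "standard"            # what the Windows resolver lets through
    if all(b < 0x80 for b in label):
        return "ascii-nonstandard"   # 7-bit bytes (0x00-0x7F) Linux accepts
    return "8bit"                    # bytes >= 0x80: not 7-bit ASCII at all

def classify_qname(qname: bytes) -> str:
    """Return the most unusual class over all labels of a query name."""
    return max((classify_label(l) for l in qname.split(b".")),
               key=CLASSES.index)

def normalize(qname: bytes) -> bytes:
    """Lowercase the name: resolvers such as Google randomize letter case, so
    case carries no data and must not split one carrier name into many."""
    return qname.lower()

def scan_log(lines):
    """Return (normalized qname, class) for each line whose query name has
    non-standard bytes.  Lines are 'q=<name>' (constructed format)."""
    findings = []
    for line in lines:
        qname = line.split(b"q=", 1)[1]
        cls = classify_qname(qname)
        if cls != "standard":
            findings.append((normalize(qname), cls))
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    b"q=www.example.com",
    b"q=DaTa-ChUnK01.exfil.example",        # standard bytes, case-randomized
    b"q=a!b$c{d}.exfil.example",            # 7-bit but not hostname characters
    b"q=\xc3\xa9t\xc3\xa9.exfil.example",   # 8-bit bytes inside a label
]

if __name__ == "__main__":
    for qname, cls in scan_log(SAMPLE_LOG):
        print(cls, qname)
```

Names in the "standard" class can still be a covert channel (base32-style encoding survives every resolver), so this check catches the sloppy carriers; volume and label-length baselines are needed for the careful ones.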
2. Critical Unifi Access Vulnerability
[02:13–03:21]
- Unifi Access Product:
- Controls physical access, like door locks.
- Vulnerability Details:
- Identified by Catchify Security; critical (CVSS 10.0 score).
- “Would allow an attacker without authentication to gain full access to the API of Unifi Access.” (Johannes, 02:34)
- Potential Impact:
- Bypass of physical security controls.
- Full controller compromise and likely arbitrary code execution.
- Current Knowledge:
- No exploitation details released yet.
- No known exploits in the wild as of recording, but “I imagine that an exploit is probably available within a couple days.” (Johannes, 03:01)
- Host’s Security Hygiene Reminder:
- “Make sure that you're blocking access to these type of APIs.” (Johannes, 02:54)
- Speculation:
- Could be due to a hardcoded password or an oversight in header checking.
3. AI in Browsers and Prompt Injection: OpenAI Atlas Case
[03:22–04:24]
- Broader Context:
- Web browsers are already highly exposed; adding AI, as with OpenAI’s Atlas Browser, introduces further risk.
- Prompt Injection Issue:
- “Just like with any other AI tool, they did not separate control plane and data plane, they mix it all together and URLs may now include instructions for the browser for the OpenAI part of the browser, which then can lead to data leakage.” (Johannes, 03:39)
- Demonstration:
- Neuraltrust showed how URLs can include instructions (prompt injection) exploiting the AI assistant in the browser.
- Other researchers have demonstrated similar flaws.
- Inherent AI Security Problem:
- Text from potentially malicious web content (e.g., a crafted URL) can trigger unsafe behavior in the AI, including data exfiltration.
- Practical Guidance:
- “Don't use these browsers for now, at least not on a production system. Definitely experiment with them and maybe you'll find some other neat new jailbreaks and prompt injections for these browsers.” (Johannes, 04:16)
Notable Quotes & Memorable Moments
- On DNS Allowed Characters:
“The Windows resolver library actually is quite restrictive. It only allows the standard characters. Linux on the other hand... is less picky and does allow pretty much any character in the standard ASCII set.” (Johannes, 00:47 & 00:56)
- On DNS Covert Channels:
“If you're using DNS covert channels, try use Cloudflare as your recursive resolver because they are really just transmitting whatever you send.” (Johannes, 01:36)
- On Unifi Vulnerability:
“It does have a perfect score of 10 and would allow an attacker without authentication to gain full access to the API of Unifi Access.” (Johannes, 02:34)
- On AI Browser Risks:
“What better than add AI to the attack surface? ...they did not separate control plane and data plane, they mix it all together and URLs may now include instructions...” (Johannes, 03:30–03:39)
- AI Browser Caution:
“Don't use these browsers for now, at least not on a production system.” (Johannes, 04:16)
Key Timestamps
- 00:16–02:12 — Bytes over DNS: Allowed hostname characters across OSes and resolvers
- 02:13–03:21 — Unifi Access critical vulnerability & potential security implications
- 03:22–04:24 — OpenAI Atlas, AI in browsers, and prompt injection risks
This episode illustrates that technical standards and real-world security constraints often diverge, and that both old (DNS) and new (AI) technologies bring exfiltration and exploitation risks when not well-contained. Practitioners are advised to heed evolving vulnerabilities—especially with high-impact devices and novel AI-powered endpoints.
