Security Now – SN 1039: The Sad Case of ScriptCase – Data Brokers Dodge Deletion
Podcast: Security Now (TWiT)
Hosts: Steve Gibson & Leo Laporte
Date: August 20, 2025
Overview
Episode 1039 marks the 20th anniversary of Security Now. Steve Gibson and Leo Laporte reflect on their two decades of providing in-depth security analysis. The main theme explores the widespread, systemic issues with deploying internal tools (like ScriptCase) to the public internet, highlighting a recent, critical ScriptCase vulnerability that serves as a cautionary tale for IT professionals everywhere.
The episode also covers a range of hot-button security topics:
- The chronic problem of website and advertising economics in the AI age
- Noteworthy breaches (Allianz Life) and the human element in social engineering
- Major browser privacy updates (especially Chrome 140's improvements)
- Data broker shenanigans to evade opt-out requirements
- Lightweight cryptography for IoT via the new NIST standard
- Russian messaging crackdowns
- Syncthing’s major upgrade
- The lessons (or lack thereof) learned from recurring software vulnerabilities
Episode Highlights
Celebrating 20 Years of Security Now
- Milestone: The show’s “birthday” is August 19, 2005, with 20 years of consistent weekly episodes.
- Reflections on Longevity:
- Steve Gibson (02:25): “It would be better if it felt like 20 years because time accelerates as you age…”
- Both hosts express gratitude to their loyal, knowledge-hungry audience and discuss the staying power and relevance of foundational security concepts.
The Cloudflare–Perplexity AI Clash & The Economic Shift in Content
- AI Summaries Disrupt the Web:
- Site traffic and ad revenue are plummeting as AI search and summarizers provide "zero-click" answers.
- Steve (19:12): "It's quickly become clear… consumers simply want quick answers to their questions. They want them quickly and without a lot of muss and fuss. This has flipped the traditional economic model of the Internet on its head."
- Publisher Struggles:
- Drop in page visits means less ad revenue; paywalls become harder and more frequent.
- Leo (27:02): “I don’t want to do a paywall either. Because… people who want to see this show… be able to see it for free, ad-supported… But if advertisers abandon podcasts… then the club is the only sensible way.”
- The Need for a New Internet Economy:
- The sustainability of free/open content alongside AI's dependence on source material remains unresolved.
Major Breaches & The Human Element in Cybersecurity
Allianz Life’s Data Leak (31:55–44:00)
- Allianz Life breach led to 2.8 million sensitive records exposed (SSNs, PII).
- Attackers (ShinyHunters, Scattered Spider) exploited social engineering, specifically OAuth phishing:
- Steve (38:34): “Tricking employees into linking a malicious OAuth app with their company’s Salesforce instance… just diabolical.”
- Victim blaming and the impossible burden on employees—security requires both technical and systemic redesign.
- Steve (39:48): “It’s… not fair that the good guys must always be perfect every time, while the bad guys only need to… create a single mistake once.”
The Zero Trust Imperative
- Modern defenses must assume breach and distrust even authenticated users on the internal network.
- Tools like ThreatLocker and Thinkst Canary are highlighted:
- Leo (46:42): “Zero trust is great, because you could install that OAuth as an employee, but it wouldn't be useful as malware until somebody with a higher level authorized it.”
Browser & Privacy Developments
Chrome 140’s Incognito Protections (55:02–64:00)
- Script blocking coming to Incognito Mode: blocks execution of scripts known for third-party browser fingerprinting (but only for blacklisted domains and only in Incognito).
- Chrome will mask user IPs for risky domains via proxying.
- Steve (56:07): “Not at all what, for example, Safari… or Brave browser is doing. This is better than nothing, but a far cry from what Brave is doing…”
- Chrome 140 will also prompt before allowing local network access from public websites—a major advance in mitigating DNS rebinding and local device exploits.
Data Brokers: Dodging Opt-Out Requests (74:56–80:58)
The Markup’s Investigation:
- 499 data brokers must register with California.
- At least 35 hid their opt-out/data deletion pages from search engines with a "noindex" directive, making it intentionally hard for consumers to find and delete their data.
- Steve (76:55): “This sounds to me like a clever workaround to make it as hard as possible for consumers to find it.” — quoting Consumer Reports’ Matthew Schwartz
- Only after investigative reporting did some brokers remove the code. Most claim “it was an oversight.”
- Data brokers exploit weak regulation; real consumer self-service deletion is nearly impossible in practice.
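As an added example (not from the episode or from The Markup's investigation), a small audit that checks the two places a page can carry a "noindex" directive: the robots meta tag in the HTML and the X-Robots-Tag response header. The sample responses are constructed inline so it runs offline.

```python
"""Audit whether an opt-out/deletion page tells search engines not to index it.
Added example; checks <meta name="robots"> / <meta name="googlebot"> tags in the
body and the X-Robots-Tag HTTP header. Inputs are constructed samples."""
from html.parser import HTMLParser


class _RobotsMetaParser(HTMLParser):
    """Collects the content attribute of robots/googlebot meta tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.append(a.get("content", ""))


def _has_noindex(value):
    # Directives are comma-separated ("noindex, nofollow"); "none" means noindex+nofollow.
    return any(d.strip().lower() in ("noindex", "none") for d in value.split(","))


def audit_opt_out_page(headers, body):
    """Return every way this page hides itself from search engines (empty list = findable).
    headers: dict of HTTP response headers; body: the HTML text."""
    findings = []
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and _has_noindex(value):
            findings.append("header: X-Robots-Tag: " + value)
    parser = _RobotsMetaParser()
    parser.feed(body)
    for content in parser.directives:
        if _has_noindex(content):
            findings.append("meta: " + content)
    return findings


# Constructed sample: a deletion page hidden through both mechanisms.
HIDDEN_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}
HIDDEN_BODY = '<html><head><meta name="robots" content="NOINDEX"></head><body>Delete my data</body></html>'
# Constructed sample: a page search engines are allowed to index.
VISIBLE_HEADERS = {"Content-Type": "text/html"}
VISIBLE_BODY = '<html><head><meta name="robots" content="index, follow"></head><body>Opt out</body></html>'

if __name__ == "__main__":
    print(audit_opt_out_page(HIDDEN_HEADERS, HIDDEN_BODY))
    print(audit_opt_out_page(VISIBLE_HEADERS, VISIBLE_BODY))
```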
International Messaging Crackdowns & Crypto Standards
Russia Moves Against Encrypted Messaging (87:03–90:35)
- Russia’s watchdog agency is blocking voice/video calls on WhatsApp and Telegram under the pretext of fighting fraud, but friction with telcos (who want more call revenue) is the suspected real motive.
- The Kremlin is pushing government officials (then citizens) towards a domestic, presumably surveilled messenger app (“Max”).
NIST Lightweight Cryptography for IoT (90:44–106:30)
- Four ASCON algorithms finalized for resource-constrained devices, enabling stronger, more practical security in IoT.
- Steve (95:14): “All around us, everything is becoming smaller and lighter… and as these devices communicate through the air, privacy may be important.”
- Explains concepts: AEAD (authenticated encryption with associated data) and right-sizing security for specific use cases (not every message needs AES-256 strength).
Software Upkeep & Upgrade Headaches
Syncthing 2.0 and Upgrade Anxiety (111:29–120:32)
- Major backend and database changes, but “expect some rough edges”—not what you want from backup/sync tools.
- Defaults to purging records of deleted files after 15 months, allows multiple connections per device, and drops support for many legacy platforms.
- Steve (112:13): “Syncthing takes an honored place in the middle of my workflow, and adventure is not something I’m hoping to be treated to by my multi-system backup solution.”
Main Feature: The Sad Case of ScriptCase (128:43–164:50)
What Happened?
- ScriptCase: A popular PHP low-code web app generator, often installed with its Production Console exposed to the public internet.
- Critical Flaws (CVE-2025-47227 and CVE-2025-47228):
- Unauthenticated root password reset due to flawed session logic.
- Chained with an authenticated command injection: user-supplied input concatenated directly into SSH commands in the console.
- Consequences:
- Around 2,800 ScriptCase servers were found exposed online; more than half were still vulnerable a month after disclosure, despite available patches and public PoCs.
- Public exploit chains require only a handful of curl commands to gain remote code execution.
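The bug class behind the authenticated command injection, as an added example that is not ScriptCase code: a console that glues a user-supplied host or path into an SSH command string lets a shell metacharacter change the command, while the hardened builder validates both values against a strict allowlist and returns an argv list so no local shell ever parses user data. The `deploy` user, the `ls -l` remote command and the allowlist patterns are assumptions; nothing here executes anything, the functions only return what would be run.

```python
"""Vulnerable vs. hardened construction of an SSH command from user input (added example)."""
import re
import shlex

# Assumed allowlists: hostnames without spaces, quotes or ';'; plain absolute paths.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")


def build_ssh_cmd_vulnerable(host, remote_path):
    """The pattern described in the episode: input concatenated into a shell string.
    A host value such as 'srv.example; echo injected' survives unchanged, so a shell
    running this string would execute a second command."""
    return "ssh deploy@" + host + " ls -l " + remote_path


def validate_request(host, remote_path):
    """Return None when both values are acceptable, else a reason suitable for logging."""
    if not HOST_RE.fullmatch(host):
        return "host contains characters outside the allowlist"
    if not PATH_RE.fullmatch(remote_path) or ".." in remote_path:
        return "path is not a plain absolute path"
    return None


def build_ssh_cmd_hardened(host, remote_path):
    """Reject anything outside the allowlist, then return an argv list (no local shell).
    The remote side still runs a shell, so the path is quoted for it, and '--' stops
    ls from treating a value beginning with '-' as an option."""
    reason = validate_request(host, remote_path)
    if reason:
        raise ValueError(reason)
    # Pass this list to subprocess.run(argv) without shell=True.
    return ["ssh", "deploy@" + host, "ls -l -- " + shlex.quote(remote_path)]


if __name__ == "__main__":
    print(build_ssh_cmd_vulnerable("srv.example; echo injected", "/var/www"))
    print(validate_request("srv.example; echo injected", "/var/www"))
    print(build_ssh_cmd_hardened("srv.example", "/var/www"))
```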
Disclosure & Vendor Response
- Synacktiv responsibly disclosed the flaws in February 2025; the ScriptCase vendor was slow and non-communicative, and its patching efforts were unclear and possibly incomplete.
- Updates are so frequent (every few days) that update fatigue sets in; users stop patching, especially for non-mission-critical software.
The Real Lesson
- Not Just a ScriptCase Problem: This is a systemic industry problem.
- So many internal-use tools are placed on the public web needlessly—authentication is not a reliable security control (it fails regularly).
- Bugs cannot be eliminated and not every attacker can be stopped; “zero-day” threats are now a persistent condition, not an exception.
- Steve (160:13): “Any company that rigorously adopts and enforces the policy… of never having anything publicly visible unless that is the server's purpose, will automatically be protecting itself from all of the scriptcases now and in the future.”
- Key Quote:
- Steve (164:46): “We’ve been blaming the wrong person. We've been blaming the authors of crappy software… and blaming hackers in Russia and China. But if it wasn't ever exposed to the Internet, the bad guys could never find it and the bugs could never hurt you.”
Notable Quotes & Moments
On Internet Content & AI
- Steve (20:20): “Consumers simply want quick answers… the Internet is still, by and large, advertisement driven… and that AI summarizing has flipped [the model] on its head and killed it.”
- Leo (30:01): “We thought the Internet was free… for 20 years we've told people… it's free. It's not. We need to find a way to make it work.”
On Social Engineering
- Steve (39:48): “The good guys must always be perfect every time, while the bad guys only need… a single mistake once. The asymmetry is insane.”
On Public Exposure of Internal Tools
- Steve (160:13): “Any company that… never has anything publicly visible unless that is the server's purpose, will automatically be protecting itself from all of the scriptcases now and in the future.”
Timestamps for Key Segments
| Time | Segment |
|----------|------------------------------------------------|
| 00:00 | Opening, 20-year anniversary reflections |
| 19:00 | Cloudflare–Perplexity AI, web economics |
| 31:55 | Allianz Life breach, OAuth phishing |
| 55:02 | Chrome 140: Incognito fingerprint protection |
| 74:56 | Data brokers: hiding opt-out/data deletion |
| 87:03 | Russia bans encrypted messaging apps |
| 90:44 | NIST’s new lightweight cryptography standard |
| 111:29 | Syncthing upgrade headaches |
| 128:43 | ScriptCase vulnerability deep dive (main topic) |
Themes & Takeaways
- Internet security is both technical and behavioral. No safeguard works if system design assumes the best of users or tools.
- The economics of the web are changing rapidly under AI. Content creation, access, and value need to realign.
- Update fatigue is real, and insecure-by-design software is rampant. Endless patch churn, especially in non-essential tools, creates widespread latent vulnerabilities.
- Public access must be restricted to truly public servers. Always-on exposure of internal tools is a leading risk factor, regardless of vendor, codebase, or feature set.
In Summary
Today’s episode underscores that human error, weak policies, and misplaced trust—not bugs alone—are at the root of many security disasters. Security Now’s long history provides perspective: though attacks and bugs will never cease, smart architectural choices and a clear-eyed understanding of what is truly “public” remain the best defenses.
(End of summary. For full resources, see GRC.com & Twit.tv for show notes and transcript.)