Security Now #1056: Australia – React's Perfect 10 Mess
Date: December 17, 2025
Hosts: Steve Gibson & Leo Laporte
Overview
This episode centers on two major themes rocking the cybersecurity world: Australia's bold social media age-verification law (now live), and the devastating React "Perfect 10" vulnerability being exploited globally. Steve and Leo discuss the real-world fallout, technical insights, and philosophical debates around privacy, open source, and nation-state attacks. They also cover breaking news on Home Depot's security failures, the dangers of AI-generated code, the evolving threat to US infrastructure from Chinese state actors, Let's Encrypt's looming milestone (and risks), Steve's DNS Benchmark progress, and a rich batch of listener feedback.
Major Discussion Points
1. Australia's Social Media Age Ban
- What's Happening: As of last week, Australia requires rigorous age verification for access to social media, targeting users under 16.
- Technology in Action: Verification relies largely on facial age estimation—so flawed that it's easily fooled by makeup, facial expressions, or just having an older friend look at the camera.
- On-the-Ground Reactions:
  - Some teens are relieved to be denied access, ending social pressure.
  - Many are getting through by gaming the system.
  - Parents are divided: some wanted restrictions; others are exasperated at the system's failures.
- Global Implications: Other governments, especially the EU, are watching closely. Technology’s reputation has taken a hit as its limitations are exposed.
  “This is not technology’s proudest time.” – Steve Gibson (1:50:44)
- Listener Perspectives:
  - Bruce French (Australian): Reports the ban as a “non-event” for most adults; majority public support within Australia, with issues mostly at the margins. (2:35:56)
  - Jane: Raises concerns over “privacy-preserving” solutions that still allow for government subpoenas, Apple or Google as gatekeepers, and how this erodes the ability to use privacy-respecting OSes (like GrapheneOS or Linux). (2:44:50)
- Steve’s Synthesis: Control is coming, whether we like it or not. The focus for privacy advocates now should be to demand the most privacy-respecting technical solution possible (ideally, one-time anonymous age assertion with no continuing identification).
  “The question is no longer whether or not internet users are going to be able to continue to enjoy completely unfettered access to any resource anywhere they choose. They're not. That's over…Our various governments are taking those days away.” – Steve (2:44:20)
2. React's "Perfect 10" Mess & Real-World Attacks
- Background:
  - A major code execution vulnerability (CVSS 10/10) in React/Next.js was disclosed and rapidly weaponized.
  - Google Threat Intelligence observed coordinated state-sponsored exploitation (mostly China/Iran), deploying backdoors, downloaders, and cryptominers.
  - The attack chain: using the vulnerability to download scripts and persistent malware (e.g., Minocat, Snowlight, HisSonic), establish backdoors, and pivot further inside networks. (2:40:00)
- Broader Impact:
  - Patching is now a race; compromised servers may require a wipe-and-rebuild due to persistence mechanisms.
  - Further code audit turned up more vulnerabilities immediately after the public disclosure.
- Steve’s Concern:
  "These are not theoretical attacks. They are actually happening to real people and organizations...the machine has already been owned and will continue to be owned until the specific modifications and malware are removed." – Steve (1:28:44)
3. Chinese Targeting of US Critical Infrastructure
- New Research: Chinese entities have published 2,723 papers (many untranslated) on US power grid vulnerabilities, with at least 225 focused on attack simulations and exploit strategies (2010–present).
- Hardware Supply Chain Risk: Almost half of US inverters and battery energy storage systems (solar, grid) come from high-risk Chinese manufacturers with known or potential government ties.
- Steve’s Analysis:
  "It's like the Cold War again, only in cyberspace... Let’s hope no one ever makes the mistake of pulling any triggers." – Steve (1:22:00)
4. Home Depot's Security Lapses
- Incident:
  - Researcher Ben Zimmerman found exposed GitHub access tokens giving write access to Home Depot's internal code repositories and cloud systems (possibly for nearly two years).
  - Home Depot ignored multiple responsible disclosure attempts until TechCrunch intervened.
- Takeaway:
  - Highlights the gap in IT maturity and policy at large, non-tech-first enterprises.
  - Unknown if unauthorized access occurred; situation “doesn’t look good.”
  “Do they have logs? Do they even care if they have them? We don't know anything…but what we do know doesn't look good.” – Steve (0:29:14)
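The Home Depot incident above turned on access tokens sitting in places they should never have been. The defender-side check a team would want is a pre-commit or CI scan for credential shapes. The following is an added example written for this summary, not code from the show or from any of the parties discussed: it scans text for GitHub token prefixes (the `ghp_`, `gho_` and `github_pat_` prefixes are documented; the exact lengths are assumptions that may need updating) and for generic `key=value` assignments whose value has high Shannon entropy, and it redacts what it reports so the scanner's own output does not become a second leak. The sample configuration it runs over is constructed.

```python
import math
import re
from collections import Counter

# Token shapes this scanner looks for. The prefixes are GitHub's documented
# token prefixes; the character counts are assumptions based on current tokens.
# The generic rule catches "token=", "secret=", "api_key=", "password=" style
# assignments and is filtered by entropy so placeholders do not trigger it.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_oauth_token": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "generic_high_entropy": re.compile(
        r"(?i)(?:token|secret|api[_-]?key|password)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random 32-char alphanumerics score around 5, 'aaaa…' scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate the finding without reproducing the credential."""
    return secret[:6] + "…" + secret[-4:] if len(secret) > 12 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per distinct candidate per line: kind, line number, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()  # a value already reported by a specific rule is not re-reported by the generic one
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                if candidate in seen:
                    continue
                if kind == "generic_high_entropy" and shannon_entropy(candidate) < entropy_threshold:
                    continue
                seen.add(candidate)
                findings.append({"kind": kind, "line": line_no, "redacted": redact(candidate)})
    return findings


# Constructed sample: the "token" below is not a real credential.
SAMPLE_CONFIG = """\
# constructed sample config for the scanner
GITHUB_TOKEN=ghp_1234567890abcdefghijABCDEFGHIJ567890
api_key = "Zq8vL2nX7pQ4rT9wK3mB6yJ1sD5fH0gC"
token = "aaaaaaaaaaaaaaaaaaaaaaaa"
DB_PASSWORD=changeme
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} -> {f['redacted']}")
```

On the sample, line 2 is reported by the classic-PAT rule (and not a second time by the generic rule), line 3 is reported by the generic rule because its value is high-entropy, and lines 4 and 5 are not reported: a run of identical characters scores zero entropy, and `changeme` is too short for the generic rule. The point of the entropy filter is to keep the scanner quiet on obvious placeholders so that the findings it does raise get acted on rather than ignored, which is the failure the episode describes.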
5. AI-Generated Code—A Real-World Threat to Open Source Ecosystems
- Case Study: GNOME shell extension manager reports an onslaught of poorly-understood, AI-generated code submissions—bloated, over-engineered, or simply nonsensical—that pass basic functional tests but pollute code quality and best practices.
- Key Issues:
  - Complete lack of context by AI; code “works” but with extra/unnecessary constructs (e.g., redundant try-catch blocks).
  - If not systematically reviewed and cleaned, such "slop" can propagate as AI trains on previous AI-created examples (“infection” of open source).
- Comment:
  “AI is producing code that it does not understand… If it works, the bloat persists and AI re-trains on it, amplifying bad practices.” – Steve (0:51:18)
6. Open Source Repos Under Siege
- Stats (2025):
  - 86% increase in malicious submissions vs. 2024.
  - Over a million obfuscated, suspicious, or outright malicious packages detected.
- Incidents: URL-based malware injection, precompiled binaries, “typosquatting”, dependency confusion, spam, and targeted espionage campaigns.
- Steve:
  “It's very straightforward to author and publish NPM packages... the altruistic goal of open source is now a target—a playground for attackers.” (0:61:00–1:06:00)
- Advice: Vigilance; manual inspection remains essential; beware that dynamic (URL-fetched) modules could change after the inspection.
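The caveat in the advice above, that a module fetched from a URL can change after it was inspected, has a standard mitigation: record a cryptographic digest of exactly what was reviewed and refuse to load anything that does not match it. The block below is an added example for this summary, not code from the show or from any package registry; it uses the Subresource Integrity string format (`sha256-<base64 digest>`) that browsers already use for `<script integrity="…">`, and applies the same idea to any fetched artifact. The URL and module contents are constructed, and `verify_fetch` fails closed when no pin exists, on the reasoning that an uninspected module is exactly what the advice warns against.

```python
import base64
import hashlib
import hmac

ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")  # the algorithms SRI permits


def sri_digest(content: bytes, algorithm: str = "sha256") -> str:
    """Produce an integrity string in Subresource Integrity form, e.g. 'sha256-<base64>'."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity(content: bytes, expected: str) -> bool:
    """True only if content hashes to the pinned digest; malformed pins never pass."""
    algorithm, sep, encoded = expected.partition("-")
    if not sep or algorithm not in ALLOWED_ALGORITHMS:
        return False
    try:
        pinned = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.new(algorithm, content).digest()
    # constant-time comparison, so a wrong digest is rejected without leaking where it differs
    return hmac.compare_digest(actual, pinned)


def verify_fetch(url: str, fetched: bytes, pins: dict[str, str]) -> tuple[bool, str]:
    """Decide whether freshly fetched bytes may be loaded, given the pins recorded at review time."""
    expected = pins.get(url)
    if expected is None:
        return (False, "no pin recorded: module was never inspected")
    if not check_integrity(fetched, expected):
        return (False, "content changed since inspection")
    return (True, "matches inspected content")


# Constructed example: a hypothetical module URL and the bytes that were reviewed.
REVIEWED_URL = "https://example.invalid/vendor/widget.js"
REVIEWED_CONTENT = b"export function widget() { return 1; }\n"

# The pin store is written once, at inspection time, and shipped with the project.
REVIEW_PINS = {REVIEWED_URL: sri_digest(REVIEWED_CONTENT)}

# A later fetch of the "same" URL whose contents were silently altered.
TAMPERED_CONTENT = b"export function widget() { fetch('https://example.invalid/x'); return 1; }\n"


if __name__ == "__main__":
    for label, url, body in [
        ("unchanged", REVIEWED_URL, REVIEWED_CONTENT),
        ("tampered", REVIEWED_URL, TAMPERED_CONTENT),
        ("unpinned", "https://example.invalid/vendor/other.js", REVIEWED_CONTENT),
    ]:
        ok, reason = verify_fetch(url, body, REVIEW_PINS)
        print(f"{label:10s} -> {'load' if ok else 'reject'}: {reason}")
```

The pin is a property of the bytes, not of the URL or of the registry's metadata, so it is unaffected by a maintainer account takeover or a re-published version under the same name; the trade-off is that every legitimate update requires a fresh inspection and a new pin, which is precisely the manual review the advice calls for.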
7. Let’s Encrypt – Success, Risk, and a Single Point of Failure
- Milestone: On pace for 1 billion active live certificates in 2026, renewing at the rate of 10 million per day.
- Risks:
  - Short-lived certificates mean if Let’s Encrypt goes down, websites could lose HTTPS by the millions per day.
  - The drive toward ever-shorter certificate validity (mostly pushed by Apple and the CA/Browser Forum) creates a non-distributed, Internet-scale single point of failure.
- Steve:
  “The genius of the Internet's design has always been its distributed diversity—without any single point of failure. This changes that. I hope we know what we're doing.” (1:10:45)
8. Listener Feedback & Community Wisdom
- Age Verification – Secondary Risks:
  - Scott (Canada): Notes age token systems could reveal your birthday (when you sign up exactly on it), adding a new tracking marker for marketers and attackers.
  - Mr. Gecko: Argues that cryptographically enforced age systems risk locking out open source users and those on non-mainstream OS/browser stacks.
- Botnet IP Checks:
  - DHCP churn and carrier-grade NAT mean anyone checking their IP for bot activity may get ambiguous results. Stick with the same IP and/or understand the caveats.
Notable Quotes & Moments
- On the cultural impact of security:
  “If you lost your Google account, what would happen? What if you lost your Apple account, what would happen?” – Leo Laporte (0:16:29)
  "I've seen a complete collapse of user support—like true customer concern... you're going to get some robot chatbot." – Steve (0:16:48)
- On open source repositories:
  “The entire system is built on the assumption of goodwill...nothing is more prone to abuse.” – Steve (0:59:54)
- On AI and code:
  “Some future coding AI…will look at code emitted by these early LLMs and shake its electronic head.” – Steve (0:55:53)
- On surveillance and privacy:
  “The commercial interests such as Apple and Google have grown into monopolies...and our governments are unhappy that the Internet fights against their desire to monitor and control what their citizens are allowed to do.” – Steve (2:44:25)
- On government control:
  “Doesn't mean we have to accept it...I'm not going to unplug. I'm going to resist.” – Leo (2:70:28)
Key Timestamps
| Time | Segment |
|------|---------|
| 00:53–03:07 | Overall preview: Australia ban, React Perfect 10, Home Depot, GNOME/AI, China, etc. |
| 22:45 | Home Depot ignores major security warning |
| 36:36 | GNOME's manager on AI-generated code bloat |
| 59:07 | State of open source repositories—malware surge |
| 74:58 | China’s research on & infiltration of US critical infrastructure |
| 83:42 | Real-world exploitation of React's “Perfect 10” vulnerability |
| 101:15 | Let’s Encrypt milestone and associated risk |
| 144:01 | Listener feedback, Stealth mode origins |
| 150:31 | Deep Dive: Australia’s social media ban post-launch, listener perspectives, wider implications |
Conclusion
This wide-ranging episode captures the tension between security, usability, privacy, and control—across continents, legal regimes, and technical communities. Steve and Leo highlight that the world is rapidly moving toward more controlled (and surveilled) models of the Internet, whether through regulation or market power. But there remains hope for privacy-preserving solutions and—crucially—a vigilant, informed public willing to question and challenge the direction of technological change.
Steve’s closing advice:
“If it’s going to happen, we can do it with minimal loss of privacy from a technology standpoint. The rest is politics... We want the least invasion of our privacy possible.” – Steve (2:71:17)