SANS Stormcast Thursday, July 2nd, 2026: MetaMask Phishing; Adobe Patches; Google Chrome Patches; Apple Hide-My-Email Vuln
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9992.mp3
Why Ask Credentials If There Are Secret Codes?
https://isc.sans.edu/diary/Why%20Ask%20Credentials%20If%20There%20Are%20Secret%20Codes%3F/33118
Adobe Patches and Updated Patch Release Policy
https://helpx.adobe.com/security/Home.html
https://blog.adobe.com/security/protecting-customers-faster-how-adobe-is-responding-to-ai-accelerated-vulnerability-discovery
Google Chrome Update (link had issues loading while recording)
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html
Apple Hide My Email Vulnerability
https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Course | Location | Dates |
| --- | --- | --- |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Thursday, July 2nd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Riyadh, Saudi Arabia. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations. As a reminder, there will be no podcast tomorrow on Friday, in part because of July 4th and also because of my travel schedule.

Xavier came across a really interesting phishing email. Now this particular phishing email targets MetaMask. MetaMask is an app and a browser extension used for crypto coins, a crypto coin wallet, and of course with that an attractive target. But the approach they are taking here for phishing is a little bit different. Now MetaMask, like many websites, particularly if they are crypto coin related, does require and encourage the use of multi-factor authentication. So that basically renders some of the simple phishing attempts useless. But in this particular case, the attacker is going after a secret phrase the user establishes in order to reset their authentication option. So when you're signing up for MetaMask, as part of the signup process, this secret phrase is established. It's not usually used to log in. It's used more as a password recovery token, as a backup in case you lose your username and second factor. And that's exactly what the attacker is abusing here, so essentially the password reset feature. The problem here, of course, is how do you securely recover an account if the second factor is lost. A lot of websites and such are relying on a type of sort of one-time password or a secret random string that's established when you're setting up the second factor. And that of course is still phishable, as this particular attempt shows. Personally, I haven't really actually come up with sort of a great, secure and still usable and reasonably easy and cheap to implement solution to solve the lost second factor problem.

Usually we talk about Adobe patches on Patch Tuesday, which was two weeks ago. But it looks like Adobe is making some changes to how they are going to release patches, in part because customers are of course asking for a faster patch cycle. Adobe is now adopting a two-week patch release cycle. So you will get new Adobe patches on the second and the fourth Tuesday of each month. And this month, well, they started for the first time. We got patches for 11 different products. Two of my favorites are among them: ColdFusion and Adobe Acrobat Reader. Both of them do contain arbitrary code execution vulnerabilities. So definitely something that you do want to address, in particular of course, as usual, with the ColdFusion product, which tends to be a little bit more exposed.

And I'll talk about having to deal with more and more patches and vulnerabilities. Google released an update for Google Chrome patching 382 vulnerabilities this month. Now, last month we had a new record release with something like 400 or so vulnerabilities being patched. So the number is going down. But it looks like this may, at least for now, be sort of the new normal, to have like hundreds of vulnerabilities being patched each month, or however often Google decides to release new versions of Google Chrome. So a year ago or so it was more like a dozen or so that we had each month, or in each release. So this is certainly sort of an order of magnitude increase over what we used to have. The hope, of course, is that eventually, well, they'll find all the bugs. But so far it looks like there are still plenty of vulnerabilities to find.

According to Joseph Cox with 404 Media, Apple's Hide My Email service does contain an unpatched vulnerability that allows attackers to unmask the identity behind these temporary and anonymous email addresses that Apple makes available to its Apple Plus customers. The problem here is that if you are sending an email with an oversized attachment to the email address, you're getting a bounce back because it's stating that the attachment is too large. And as part of the bounce, the actual email address of the user that is supposedly obfuscated behind the Hide My Email address is revealed. So this is one of those bugs where, well, the attachment isn't blocked when it's initially received by Apple's mail server, but only after they attempt to actually deliver it to the actual email address of the owner of the particular account. So be careful with these anonymous email servers in general. There are usually some leaks like this in the service; it's not the first time that you would have like bounces revealing the actual identity of a particular email user. But of course, you still also have the issue with HTML emails and the like that may load content from third-party sites that then an attacker is able to follow up on or identify the source of the request for.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for recommending, and any kind of feedback for this podcast. Remember, no podcast tomorrow. So, talk to you again on Monday. Bye.
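The bounce-leak pattern described for Hide My Email, as an added example that is not part of the podcast and is not Apple's code: a minimal model of an address-hiding forwarder in Python. `leaky_forward` shows the design flaw (the size limit is only enforced by the downstream mailbox, and the downstream error text, which names the real address, is copied into the bounce), and `hardened_forward` shows the fix (enforce the limit at acceptance, before the alias is resolved, and never echo anything past the alias into bounce text). The alias table, the size limit, the addresses and the message contents are all constructed for this example; `bounce_leaks_real_address` is a check a service's own test suite could run against every bounce it generates.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed size limit, constructed for this example (not Apple's real value).
MAX_MESSAGE_BYTES = 1_000_000

# Constructed alias table: public alias -> hidden real mailbox.
ALIASES = {
    "river.quartz@relay.example": "alice@mailbox.example",
}


@dataclass
class Message:
    sender: str
    recipient: str   # the public alias the sender sees
    body: bytes


@dataclass
class Outcome:
    delivered: bool
    bounce: Optional[str]   # text returned to the sender, if any


class DeliveryError(Exception):
    """Raised by the (modelled) downstream mailbox when it refuses a message."""


def deliver_downstream(real: str, msg: Message) -> None:
    # Stand-in for handing the message to the real mailbox. The downstream
    # server is modelled as rejecting oversized messages and naming the
    # mailbox in its error text, as real MTAs commonly do.
    if len(msg.body) > MAX_MESSAGE_BYTES:
        raise DeliveryError(f"552 message too large for <{real}>")


def leaky_forward(msg: Message) -> Outcome:
    """Flawed design: accept everything, resolve the alias, then let the
    delivery stage fail and copy its error verbatim into the bounce."""
    real = ALIASES.get(msg.recipient)
    if real is None:
        return Outcome(False, f"550 no such alias <{msg.recipient}>")
    try:
        deliver_downstream(real, msg)
    except DeliveryError as exc:
        # The downstream error names the hidden mailbox, so the sender learns it.
        return Outcome(False, f"Delivery failed: {exc}")
    return Outcome(True, None)


def hardened_forward(msg: Message) -> Outcome:
    """Hardened design: enforce limits before the alias is resolved, and
    phrase every bounce only in terms of the alias the sender already knows."""
    if len(msg.body) > MAX_MESSAGE_BYTES:
        # Rejected at acceptance; the real mailbox was never looked up.
        return Outcome(False, f"552 message too large for <{msg.recipient}>")
    real = ALIASES.get(msg.recipient)
    if real is None:
        return Outcome(False, f"550 no such alias <{msg.recipient}>")
    try:
        deliver_downstream(real, msg)
    except DeliveryError:
        # Downstream detail belongs in the service's logs, not in the bounce.
        return Outcome(False, f"450 delivery to <{msg.recipient}> deferred")
    return Outcome(True, None)


def bounce_leaks_real_address(outcome: Outcome) -> bool:
    """Regression check: does a bounce mention any hidden mailbox?"""
    if outcome.bounce is None:
        return False
    return any(real in outcome.bounce for real in ALIASES.values())


if __name__ == "__main__":
    oversized = Message("outsider@sender.example", "river.quartz@relay.example",
                        b"x" * (MAX_MESSAGE_BYTES + 1))
    for name, fn in (("leaky", leaky_forward), ("hardened", hardened_forward)):
        out = fn(oversized)
        print(f"{name:9s} bounce={out.bounce!r} leaks={bounce_leaks_real_address(out)}")
```

The check matters beyond oversized attachments: any path on which the forwarder only discovers a problem after resolving the alias (a full mailbox, a downstream spam rejection, a TLS failure to the real provider) produces the same kind of bounce, so the hardened version treats every post-resolution error identically and never reuses downstream text.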