Vulnerability Lets Hackers Do Cryptomining on Your Selenium Grid
The remedy is simple but still impacts your operation.

Hacker News recently reported a hacking campaign “targeting older versions of Selenium (3.141.59 and prior).” Allegedly, the organized campaign has been running since April of last year. The attack lets an attacker run the XMRig crypto-miner on your in-house Selenium grid, potentially running up your AWS or Azure bill into the millions of dollars if it goes undetected.
The remedy is to upgrade your instances to the latest version and to make sure your firewall rules and authentication are configured properly: the grid should not be reachable from the internet, and because Selenium Grid does not enforce authentication on its WebDriver endpoints by default, "authentication" in practice means putting it behind a VPN or an authenticating reverse proxy.
Security firm Wiz, which discovered the exposure, identified more than 30,000 instances of Selenium exposed to the threat. That is a lot of administrators who will be (or should be) spending unplanned time on remediation this week, taking them away from their regular tasks and potentially delaying this week's release while they fix, test, deploy, and attest that the fix is in place.
That last step (attestation) is especially important to any regulated organization. Undetected remote code execution on your infrastructure would have a material impact on the organization's risk posture.
The Selenium administrator would have to prove the fix is in place.
The Risk Steward would have to review the fix against current policies and standards.
The Risk Management team would need evidence the fix was effective so they can report to the CISO and to external regulators.
The CISO would also have to explain to the Board how the vulnerability happened, what steps are in place to ensure something similar doesn't recur, and the potential impact on the company's brand or stock price.
That's a lot of unplanned work for a lot of people. While they are doing that, what happens to this week's release? What do the developers do while they wait?
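Both halves of the work above, the upgrade in the remedy and the "prove the fix is in place" step the administrator owes the Risk Steward, come down to the same question: what version does each grid actually report, and is it still reachable from where it should not be? The script below is an added example, not code from the original post, from Sauce Labs or from the Selenium project. It assumes (my assumptions, not the article's) that a Grid 3 hub answers `/wd/hub/status` with the hub version under `value.build.version` and that a Grid 4 hub answers `/status` with each node's version under `value.nodes[].version`; the two sample payloads are constructed for the example so it runs offline.

```python
"""Attest a Selenium Grid's reported version against the affected range.

Added example; not code from the original post, from Sauce Labs or from the
Selenium project. Assumptions (mine): a Grid 3 hub answers /wd/hub/status
with the version under value.build.version, and a Grid 4 hub answers /status
with each node's version under value.nodes[].version. The sample payloads at
the bottom are constructed for this example.
"""
import json
import re
import urllib.request
from typing import List, Optional, Tuple

# Last version in the "3.141.59 and prior" range the post quotes.
LAST_AFFECTED: Tuple[int, ...] = (3, 141, 59)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'3.141.59' or '4.23.0-SNAPSHOT' -> (3, 141, 59) / (4, 23, 0); None if unparseable."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """True for 3.141.59 and anything older.

    An unparseable version counts as affected so it gets looked at instead
    of silently passing the attestation.
    """
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed <= LAST_AFFECTED


def versions_in_status(payload: str) -> List[str]:
    """Every version string a status payload reports (hub build and/or nodes)."""
    value = json.loads(payload).get("value", {})
    found: List[str] = []
    build = value.get("build")
    if isinstance(build, dict) and "version" in build:
        found.append(str(build["version"]))
    for node in value.get("nodes") or []:
        if isinstance(node, dict) and "version" in node:
            found.append(str(node["version"]))
    return found


def assess_grid(payload: str) -> dict:
    """Summarise one status payload for the attestation record."""
    versions = versions_in_status(payload)
    affected = [v for v in versions if is_affected_version(v)]
    return {
        "versions": versions,
        "affected": affected,
        # No version at all is also a finding: there is nothing to attest against.
        "needs_remediation": bool(affected) or not versions,
    }


def fetch_status(url: str, timeout: float = 5.0) -> str:
    """Read a live status endpoint (not called by the offline demo below).

    If this succeeds from a network that should not be able to reach the
    grid, the firewall half of the remedy is missing, whatever the version.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample payloads shaped like Grid 3 and Grid 4 status replies.
GRID3_STATUS = json.dumps({
    "status": 0,
    "value": {"ready": True, "message": "Hub has capacity",
              "build": {"version": "3.141.59"}},
})
GRID4_STATUS = json.dumps({
    "value": {"ready": True, "message": "Selenium Grid ready.",
              "nodes": [{"id": "node-a", "availability": "UP", "version": "4.23.0"},
                        {"id": "node-b", "availability": "UP", "version": "4.23.0"}]},
})

if __name__ == "__main__":
    for label, payload in (("grid3", GRID3_STATUS), ("grid4", GRID4_STATUS)):
        print(label, assess_grid(payload))
```

Run it against `fetch_status("http://<hub>:4444/wd/hub/status")` (or `/status` on Grid 4) from inside the network and, separately, from a host that should have no route to the grid: the first call gives the Risk Steward the version evidence, the second should fail, or the firewall part of the remedy is not done.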
What about Sauce Labs?
Are Sauce Labs customers exposed to this issue? Simple answer: no. You cannot use Sauce Labs without authenticating to our platform, which removes the risk of a malicious actor getting access. In addition, our security team has mechanisms in place to continuously monitor our infrastructure and to detect and alert on suspicious activity. After all, if we didn't ensure our systems are secure, we wouldn't hold SOC 2 Type II, ISO 27001, and ISO 27701 certifications.
If you know anyone running their own Selenium grid in-house, please pass this along to them so they can protect themselves.
If you're thinking about building your own Selenium grid, please factor this into everyone's workload. Not only will your grid admin need to spend time every week on updates, they will also have to ensure all security measures are in place and tested, taking them away from the rest of their job.

