SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, April 29th, 2026: Odd Vercel Header Usage; GitHub Vuln Patches; MSFT RDP Notification Bug

5 min
Apr 29, 2026
Summary

This episode covers three cybersecurity topics: unusual Vercel bypass header usage detected in honeypots that may indicate cookie exfiltration attempts, a critical OS command injection vulnerability in GitHub's on-premises solution that was patched within hours, and a Microsoft RDP file warning display bug affecting systems with different display scaling.

Insights
  • Attackers are exploiting legitimate security bypass mechanisms (Vercel headers) in unconventional ways, suggesting they may be targeting cookie handling or authentication mechanisms
  • GitHub's vulnerability demonstrates the inherent risks of allowing users to execute system commands through proxies without complete input sanitization
  • Security improvements can introduce usability issues (garbled warnings) that may actually reduce their effectiveness by making critical warnings harder to read
  • Rapid vulnerability disclosure and patching (GitHub fixed within hours) is becoming the industry standard for critical issues
Trends
  • Attackers increasingly targeting application-level bypass mechanisms designed for legitimate testing purposes
  • Cookie-based attacks and exfiltration techniques evolving to exploit SameSite attribute configurations
  • Open proxy servers being used as attack infrastructure for distributing malicious requests
  • Display scaling and multi-monitor setups creating security UX vulnerabilities in OS-level dialogs
  • On-premises software solutions requiring faster patch cycles to match cloud-native security response times
Companies
Vercel
Unusual bypass header usage detected in honeypots; attackers exploiting Vercel's rate-limiting bypass feature
GitHub
Critical OS command injection vulnerability in on-premises version patched within hours; vulnerability in Git pull co...
Microsoft
RDP file security warning improvements introduced display rendering bug affecting multi-monitor setups with different...
Wiz Research
Security research firm that discovered and published details about the GitHub vulnerability
People
Johannes Ullrich
Host of the Stormcast podcast, recording from Jacksonville, Florida on April 29, 2026
Quotes
"This header is used so that the first time you send a request, you will set the bypass value, and then the server is responding with a Set-Cookie header to essentially set a cookie."
Johannes Ullrich
"The fundamental problem that GitHub has is that it allows users to execute Git commands. And well, Git commands are operating system commands."
Johannes Ullrich
"They run it through a proxy. They call it babeld. And this proxy is supposed to clean up some of the bad characters, essentially, like semicolons and such, but didn't do so correctly in this case."
Johannes Ullrich
"Luckily, well, Wiz reported it, and GitHub did verify and then fix it almost within hours."
Johannes Ullrich
Full Transcript
Hello and welcome to the Wednesday, April 29, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Well, in diaries today is a quick write-up I did on some requests we're seeing in our honeypots that use a little bit unusual header, the x-vercel-set-bypass-cookie header. Now, this header is related to the bypass value that you can define as a user of Vercel that will essentially bypass some of the protection mechanisms, like, for example, rate limiting. Now, this is not an unusual feature for any kind of application firewall or such, where, in particular for developer purposes, you have the ability to essentially bypass at least some of the protection mechanisms. The value you would have to pass with the Vercel set bypass header, well, is random, and it's something that the user can define. And that does not appear to be really the use here, because they're using the x-vercel-set-bypass-cookie header, so with the additional "cookie" added, and that's where it gets a little bit interesting. So this header is used so that the first time you send a request, you will set the bypass value, and then the server is responding with a Set-Cookie header to essentially set a cookie. And that's in particular useful for browsers that are being used here for testing, because then the browser will automatically send the cookie and with that sort of retain the bypass feature here. The value they're sending here is "same site none secure", which is not documented, but there are similar parameters, in particular "same site none", where you sort of specify that a cookie comes back with the None value for the SameSite attribute. Not 100% sure what they're after here. Could be that they're hoping that some cookies may leak the value that is defined for this header. I don't have access to a Vercel setup here myself to sort of test this and see how this would be working. If anybody has any more insight, I would be interested in hearing what the attacker may be accomplishing here. Also, these requests are being sent via open proxy servers.

And Wiz Research published a blog post with details about a vulnerability in GitHub that they found. Now, if you're a user of GitHub and you're just using GitHub's cloud solution, you're perfectly fine. If you happen to use the on-prem option for GitHub, well, then, of course, you need to patch. The vulnerability is kind of interesting, and it's nice of Wiz to sort of dive a little bit into what exactly happened here. The fundamental problem that GitHub has is that it allows users to execute Git commands. And well, Git commands are operating system commands, and they have a number of options that can be passed to the command. In this particular case, it was the git pull command that actually caused the problem. Now, the way GitHub deals with some of the problems arising from allowing users to run Git commands is that they run it through a proxy. They call it babeld. And this proxy is supposed to clean up some of the bad characters, essentially, like semicolons and such, but didn't do so correctly in this case, which then led essentially to an OS command injection vulnerability that could be used to execute code on GitHub's servers. Luckily, well, Wiz reported it, and GitHub did verify and then fix it almost within hours. So very quick response here from GitHub. And as far as they're saying, the vulnerability had not been exploited at the time, so no user data was lost.

And one of the security improvements that I highlighted in this month's Microsoft Patch Tuesday updates was the addition of more elaborate warnings if you're adding an RDP file and if you're trying to then open the file. This has been abused for phishing, and that's sort of why Microsoft sort of improved the user interaction here. Well, they now published an update, or an issue, about this particular update that basically indicates these security warnings may sometimes show up a little bit garbled. This happens if you sort of have different displays with different display scaling. I guess it doesn't get the font size quite right, and as a result some of the text may overlap, just making it more difficult to read.

Well, and that's it for today. Thanks for liking, thanks for subscribing, and thanks for recommending this podcast to others, and talk to you again tomorrow. Bye. Thank you.
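A small detection pass over honeypot-style request logs for the bypass-cookie header usage described in the episode. This is an added example, not code from the Internet Storm Center or from Vercel; the documented header values ("true", "samesitenone") and the companion header name x-vercel-protection-bypass are assumptions from Vercel's public docs, and the log lines are constructed.

```python
from typing import Dict, List, Tuple

# Assumption: documented values for the set-bypass-cookie header per Vercel docs.
BYPASS_COOKIE_HEADER = "x-vercel-set-bypass-cookie"
BYPASS_TOKEN_HEADER = "x-vercel-protection-bypass"  # assumed companion header
DOCUMENTED_VALUES = {"true", "samesitenone"}

# Constructed sample: three raw requests as a honeypot might log them,
# separated by blank lines. The token value is a made-up placeholder.
SAMPLE_REQUESTS = """\
GET / HTTP/1.1
Host: example.invalid
User-Agent: Mozilla/5.0
x-vercel-protection-bypass: PLACEHOLDER-TOKEN-0000
x-vercel-set-bypass-cookie: samesitenonesecure

GET /api/health HTTP/1.1
Host: example.invalid
User-Agent: curl/8.0

GET /login HTTP/1.1
Host: example.invalid
x-vercel-set-bypass-cookie: true
"""


def parse_requests(raw: str) -> List[Dict]:
    """Split a blank-line-separated log into requests with lowercased header maps."""
    requests = []
    for chunk in raw.strip().split("\n\n"):
        lines = chunk.splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"request_line": lines[0], "headers": headers})
    return requests


def classify(req: Dict) -> List[str]:
    """Return findings for a request that carries the bypass-cookie header."""
    h = req["headers"]
    if BYPASS_COOKIE_HEADER not in h:
        return []
    findings = []
    value = h[BYPASS_COOKIE_HEADER].lower()
    if value not in DOCUMENTED_VALUES:  # e.g. the undocumented value seen in honeypots
        findings.append("undocumented-value:" + value)
    if BYPASS_TOKEN_HEADER not in h:  # cookie requested without the bypass token
        findings.append("no-bypass-token")
    return findings


def scan(raw: str) -> List[Tuple[str, List[str]]]:
    """Requests worth a closer look, as (request line, findings) pairs."""
    return [(r["request_line"], f) for r in parse_requests(raw) if (f := classify(r))]
```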