21 February 2019
Facebook finds itself in the soup for CSRF bug and leaking user data to third-party app
A security researcher, who goes by the online name of ‘Samm0uda’ has discovered a critical cross-site request forgery (CSRF) vulnerability in Facebook. The flaw can allow attackers to take over Facebook accounts by simply tricking users into clicking on a specially-crafted link. It exists in the URL facebook.com/comet/dialog_DONOTUSE/. Apart from account takeover, the flaw could also enable the hackers to perform various other actions like “posting anything on their timeline, change or delete their profile picture, and even trick users into deleting their entire Facebook accounts. To exploit the flaw, the researcher said that two separate URLs are used, one to add the email or phone number and another to confirm it. Moreover, Cyber Security firm Nightwatch Security has discovered that a third-party Android application was storing Facebook user data in two unsecured places, a Firebase database, and an API server. Although the number of users affected by the data leak is unknown, researchers reported that the application had more than 1,000,000 downloads worldwide, at the time of the investigation. Explaining the impact of this security loophole, researchers explained that this could allow attackers to download the user data accumulated by the application and later use it for other nefarious activities.
New collection containing 127 million account credentials stolen from 8 companies put up for sale on Dark Web
Earlier this week, almost 620 million account credentials stolen from 16 companies were put for sale on the Dream Market site by a seller named ‘gnosticplayers’ who quoted roughly $20,000 in bitcoin. Dream Market is a Dark Web marketplace where criminals sell an assortment of illegal products, such as user data, drugs, weapons, malware, and more. The seller ‘gnosticplayers’ is back with the second collection of breached account credentials stolen from eight companies, quoting $14,500 in bitcoin for the collection. The data involved in the breach included full names, birthdays, registration dates, usernames, email addresses, passwords, password hash, crypted passwords, IP addresses, passport numbers, Facebook IDs, other social profiles and more.
Password Managers for Windows 10 found vulnerable to malware attacks
A critical flaw in four popular password managers for Windows 10 can enable hackers to steal your login credentials to the PC’s memory. This is possible when the password manager is installed and enabled on your system. The four password managers in question are 1Password, Dashlane, KeePass and LastPass. According to the researchers from Independent Security Evaluators (ISE), “these applications are a vulnerable target for the mass collection of data through malicious hacking campaigns.” The researchers assessed the underlying functionality of the four password managers and discovered that in some cases, the master password could be found in plaintext in the computer’s memory even when the password manager was locked. The researchers could extract the master password using standard memory forensics. Although the experiment was carried out on Windows apps, ISE research claims that the vulnerable password managers may also affect Apple Macs and mobile operating system.
Attackers target United Nations staff to steal their user credentials in a new phishing campaign
Researchers at Anomali Labs found that a phishing site masquerading as a login page for the United Nations Unite Identity was used to trick the victims. The UN Unite Identity is a single sign-on (SSO) application used by UN staff. When visitors attempt to login into the fraudulent page, their browser is redirected to a bogus invitation for a film viewing at the Poland Embassy in Pyongyang. The fake login page that bears a resemblance to the legitimate one has been found to be 'cloud[.]unite[.]un[.]org[.]docs-verify[.]com'. ‘Whois’, a domain that lookups for domain registrant information, found that the ‘verify[.]com was registered with Malaysian Registrar and Hosting provider Shinjiru Technology Sdn Bhd on August 1, 2018. The parent domain and the associated IP addresses that are a part of the campaign resolved to the Malaysia-based IP address 111.90.142[.]52 belonging to Shinjiru Technology Sdn Bhd - which is the host for 33 total domains.
Free decryption tool available for GandCrab ransomware version 5.1
A decryptor is available for users whose systems got infected with the latest GandCrab version v5.1. Bitdefender in collaboration with the Romanian Police, Europol, and other law enforcement agencies, has released a new decryptor for GandCrab ransomware version v5.1. This is the third decryption tool Bitdefender has released for GandCrab ransomware infection. In February 2018, Bitdefender released the first free decryptor tool which was used by almost 2,000 home users, companies and non-profits to retrieve their compromised data. Ten months later, Bitdefender released another decryptor for GandCrab versions 1, 4 and 5 up to v5.0.3.
mIRC’s security flaw allows cybercriminals to conduct remote attacks
mIRC, a well-known IRC chat application for Windows was discovered to have a serious security vulnerability that allows attackers to remotely execute arbitrary code. Security researchers Baptiste Devigne and Benjamin Chetioui identified this flaw when they were analyzing certain applications based on the Electron framework. Custom URIs used in these applications were found to lead to multiple vulnerabilities. According to the researchers, older versions of the application, prior to the latest 7.55, had three URI schemes 'irc:', 'ircs:', and 'mircurl:' that led to the flaw. These schemes were not sanitized properly, allowing other parameters to take over the schemes.