Facebook admits to storing hundreds of millions of user passwords in plain text

Facebook has disclosed another major privacy failure on its platforms. In an official blog post, Pedro Canahuati, VP Engineering, Security and Privacy at Facebook, said that hundreds of millions of user passwords had been stored in a readable format on internal systems. The admission comes days after the company’s Messenger application was found to have a flaw that exposed user data. Facebook revealed that passwords of Facebook Lite and Facebook app users were stored in plain text, and that a significant number of Instagram users’ passwords were stored the same way. The blog post also mentions that other information, such as access tokens, was affected by similar problems, which have since been resolved. Facebook says it has fixed the issues and now stores passwords properly, and that to date it has found no security incident resulting from the exposure. Canahuati stressed that the readable passwords were never accessible from outside the company. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” he wrote in the company statement. The company said it has strengthened the protection of all accounts on the platform, and it has advised users to enable security keys or two-factor authentication (2FA) to protect their accounts from external attacks.

Medical devices by Medtronic found to have two nasty security bugs

Dublin-based medical device maker Medtronic was found to have serious security flaws in its devices. According to a security advisory published by the US Department of Homeland Security (DHS), 20 Medtronic products had vulnerabilities that could have let attackers compromise device functionality and read sensitive data. The flaws lie in the Conexus telemetry protocol, the radio-based protocol these devices use to communicate; all 20 affected devices use it. The devices include cardiac implants, defibrillators and monitoring systems. The flaws are designated CVE-2019-6538 (Improper Access Control, CWE-284) and CVE-2019-6540 (Cleartext Transmission of Sensitive Information, CWE-319). The first indicates that Conexus lacks authentication: an attacker able to reach the radio link could inject or modify telemetry messages and change memory on devices such as cardiac implants. The second indicates that Conexus traffic is not encrypted, so an attacker could intercept the radio communication and capture sensitive data. Together, the two flaws could have been used to interfere with the core functionality of all these devices. According to an article by StarTribune, around 750,000 defibrillators were affected. Despite the severity of the flaws (CVE-2019-6538 carries a CVSS v3 base score of 9.3, which falls in the critical range), doctors and experts believe the chance of attacks on these devices is low.

Faulty security software could have jeopardized RBS customers

Royal Bank of Scotland (RBS) customers could have become victims of a large-scale cyber-attack because of a flawed security product. According to BBC News, the bank had offered its customers a product known as Thor Foresight Enterprise to protect them from cyber attacks. Thor Foresight Enterprise is an endpoint security platform made by the Danish security firm Heimdal Security. The faulty software has since been patched. Thor Foresight Enterprise has been offered to RBS banking customers since January this year, and according to Heimdal Security around 50,000 customers were using it. The unnamed flaw could have allowed attackers to access a customer’s computer and take complete control of it, including reading the victim’s email, browsing history and bank details. Heimdal fixed the issue promptly after security researchers disclosed the flaw; Morten Kjaersgaard, CEO of Heimdal Security, said that the fix reached installed systems within a week. “We naturally treat information like this very seriously. We issued a fix and automatically updated 97% of all affected endpoints within four days of being informed, and the rest shortly after,” he told BBC News. RBS, for its part, said that only its NatWest customers were affected, because the software was not provided to customers of other group brands such as Ulster Bank.

Unprotected MongoDB database leaks real-time locations of over 238,000 ‘Family Locator’ app users

A popular family tracking app, Family Locator, was found leaking the real-time locations of more than 238,000 users for weeks after a server was left exposed without a password. According to Sanyam Jain, a security researcher and member of the GDI Foundation, the unprotected server was running a MongoDB database that stored users’ real-time locations and other significant details. The app lets families track the whereabouts of other family members and set up geofenced alerts that send a notification when a family member enters or leaves a location. For every user who had a geofence set up, the database also held the coordinates of those named places, such as ‘home’ or ‘work’. The investigation found that the misconfigured MongoDB database contained an account record for each user, including the user’s name, email address, profile photo and password in plain text. None of this data was encrypted. On learning about the incident, TechCrunch tried to contact React Apps, the developer, to inform it of the issue, but received no response. On March 22, 2019, Microsoft, which hosted the database on its Azure cloud, was asked to take immediate action, and the unsecured database is no longer reachable from the internet.

Video streaming site Kanopy leaks API and website access logs

A publicly accessible database exposed the viewing habits of users of the streaming site Kanopy. According to security researcher Justin Paine, the site’s Elasticsearch database had no authentication, leaving user logs open to anyone on the internet. The database is believed to have been exposed since the beginning of this month. Kanopy has since remediated the issue after being informed by the researcher. The unauthenticated database was exposing API and website access logs in large volumes: according to Paine, it had been adding around 26-40 million log lines every day since March 7th. The website access logs included data such as user location, TLS version, client IP address and more. The API logs held similar information but referred to specific public libraries and academic institutions. Taken together, the openly available logs could have been used to work out the identities of Kanopy users, Paine explained in his blog. “Based on the client IP a bad actor (via the API logs or the web server logs) could have identified all videos searched for and/or watched by their client IP. In combination with the geo information, timestamp, and device type it likely would have been possible to identify the identity of a person behind that client IP (in the case of a static IP from their ISP),” Paine wrote. After Paine contacted Kanopy, the Elasticsearch database was taken offline on March 18, and the company fixed the security issues on the server that hosted it.
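Paine’s point is that access logs are identifying even without names in them. The added example below (not Kanopy’s data or code; the log fields, paths and sample lines are constructed) first does what he describes an attacker doing, correlating a handful of JSON log lines by client IP into a per-client search and viewing history, and then shows one mitigation that can be applied before lines are indexed: replacing the IP with a keyed HMAC and coarsening the location. The key and the field names are assumptions.

```python
"""Correlating access logs by client IP, and pseudonymising them before indexing.

Added example, not Kanopy's code. SAMPLE_LOG_LINES are constructed; the
field names ("client_ip", "geo", "device", "path") and URL layout are assumptions.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG_LINES = [  # constructed: two clients, web and API hits, over two days
    '{"ts":"2019-03-10T20:01:04Z","client_ip":"203.0.113.7","geo":"Dublin,IE","device":"Roku","tls":"TLSv1.2","path":"/api/search?q=hitchcock"}',
    '{"ts":"2019-03-10T20:03:11Z","client_ip":"203.0.113.7","geo":"Dublin,IE","device":"Roku","tls":"TLSv1.2","path":"/watch/vertigo-1958"}',
    '{"ts":"2019-03-11T21:40:00Z","client_ip":"203.0.113.7","geo":"Dublin,IE","device":"Roku","tls":"TLSv1.2","path":"/watch/rear-window-1954"}',
    '{"ts":"2019-03-11T09:12:30Z","client_ip":"198.51.100.23","geo":"Austin,US","device":"Chrome/72","tls":"TLSv1.3","path":"/api/search?q=documentary%20bees"}',
    '{"ts":"2019-03-11T09:15:02Z","client_ip":"198.51.100.23","geo":"Austin,US","device":"Chrome/72","tls":"TLSv1.3","path":"/static/logo.png"}',
]


def parse_log(lines: List[str]) -> List[dict]:
    """One JSON document per line, as an Elasticsearch index would hold them."""
    return [json.loads(line) for line in lines]


def profile_clients(records: List[dict]) -> Dict[str, dict]:
    """Group by client IP and pull out what the client searched for and watched.

    This is the attacker's view Paine describes: geo + device + timestamps
    narrow down who is behind a static IP, and the paths say what they watched.
    """
    profiles: Dict[str, dict] = defaultdict(lambda: {
        "geo": set(), "devices": set(), "searches": [], "watched": [], "hits": 0,
    })
    for rec in records:
        prof = profiles[rec["client_ip"]]
        prof["hits"] += 1
        prof["geo"].add(rec["geo"])
        prof["devices"].add(rec["device"])
        url = urlsplit(rec["path"])
        if url.path == "/api/search":
            prof["searches"].extend(parse_qs(url.query).get("q", []))
        elif url.path.startswith("/watch/"):
            prof["watched"].append(url.path[len("/watch/"):])
    return dict(profiles)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the client IP with a keyed HMAC and keep only the country.

    A keyed HMAC (not a bare hash: the IPv4 space is only 2^32 values, so an
    unkeyed hash is reversible by brute force) still lets the operator count
    hits per client for abuse detection, but a leaked index cannot be mapped
    back to an address without the key. Rotating the key daily caps how long
    any pseudonym stays linkable.
    """
    out = dict(record)
    out["client_ip"] = hmac.new(key, record["client_ip"].encode("ascii"),
                                hashlib.sha256).hexdigest()[:16]
    out["geo"] = record["geo"].rsplit(",", 1)[-1]
    return out


if __name__ == "__main__":
    raw = parse_log(SAMPLE_LOG_LINES)
    for ip, prof in profile_clients(raw).items():
        print(ip, sorted(prof["geo"]), prof["searches"], prof["watched"])
    safe = [pseudonymise(r, b"constructed-daily-key") for r in raw]
    for token, prof in profile_clients(safe).items():
        print(token, sorted(prof["geo"]), prof["hits"])
```

The pseudonymised lines still support the operational uses that justify keeping access logs at all (error rates, hits per client, country breakdown), while the search terms and titles are no longer tied to an address that an ISP or a static-IP lookup could resolve to a person.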

Misconfigured spyware database exposes over 95K images and audio recordings

An unnamed spyware app has exposed around 16 GB of images and 3.7 GB of MP3 recordings through a misconfigured database. The leaky database contained over 95,000 images and more than 25,000 audio recordings. Security researcher Cian Heasley found that the unprotected online storage server was leaking a trove of sensitive, personal images and audio recordings to the internet. According to Motherboard, the unprotected database was discovered earlier this year and has been online for at least six weeks since. Besides the existing photos and recordings, the leaky database was also exposing the new pictures and audio recordings that the spyware uploaded every day. The number of users affected is still unknown. Heasley told Motherboard that the app’s source code contained the URL of the leaky database, and that the URL was in any case relatively easy to guess. Heasley has informed the company of the issue, and GoDaddy, the domain registrar for the company’s site, has also been notified. This is not the first time a spyware company has been caught leaking sensitive data: in the past two years, 12 different spyware vendors have been found exposing victims’ personal images and other details, including Retina-X (twice), FlexiSpy, Mobistealth, Spy Master Pro, SpyHuman, Spyfone, TheTruthSpy, Family Orbit, mSpy, Copy9 and Xnore.

LTE protocol found containing 51 security flaws, of which 36 are new

A group of academics from South Korea has discovered a total of 51 vulnerabilities in the Long-Term Evolution (LTE) protocol, which is used by mobile networks and their subscribers across the world. The research team from the Korea Advanced Institute of Science and Technology (KAIST) reports 51 security flaws in the LTE standards, of which 36 are new. The vulnerabilities allow attackers to perform a range of malicious activities, including disrupting mobile base stations, blocking incoming calls, disconnecting users from a mobile network, sending spoofed SMS messages, and eavesdropping on and manipulating user data traffic. The remaining 15 had already been reported in earlier research published in July 2018, June 2018, March 2018, June 2017, July 2016 and October 2015. According to the KAIST paper, the vulnerabilities were discovered with a semi-automated testing tool named LTEFuzz. The tool uses fuzzing: it crafts malformed or out-of-sequence connection messages, sends them to a mobile network and analyses the network’s response. The findings are expected to feed into the ongoing work on the new 5G standard. Following the discovery, the KAIST researchers notified both 3GPP (the industry body behind the LTE standard) and GSMA (the industry body that represents mobile operators), as well as the affected baseband chipset vendors and network equipment vendors. The researchers noted that the flaws lie not only in the standard itself but also in how some vendors have implemented LTE in their equipment and devices.

Google patches ‘evil cursor’ bug in Chrome exploited by tech support scammers

Google has patched a bug in Chrome dubbed ‘evil cursor’ that tech support scammers exploited to display a fake mouse cursor and trap users inside browser pages. Jerome Segura, a security researcher at Malwarebytes who detected the technique, noted that the scammers relied on the custom cursor images that web pages are allowed to set, replacing the system’s standard cursor. According to Segura, a threat group named ‘Partnerstroka’ swapped the standard 32-by-32 pixel OS cursor for a custom image 128 or 256 pixels in size. The cursor graphic was still drawn, but in one corner of a mostly transparent bounding box, so the point the user saw was not the point that actually registered the click. Users would try to click where the cursor appeared, the click would land somewhere else on the page, and they were unable to close or leave the browser tab. Segura reported the bug to Google last year, but the fix took time: browsers support custom cursor images for web games, so simply disabling them would have broken thousands of gaming sites. Because patching the bug without affecting existing sites is complex, Google developers tested a fix for months. The fix makes Chrome revert to the standard OS cursor whenever the pointer hovers over parts of the Chrome browser interface, so users can always reach the tab and window controls and can no longer be locked into a page. The fix is currently live for Chrome Canary users and is scheduled to ship in the Chrome 75 stable branch soon.

More than 100,000 GitHub repos exposed API tokens and cryptographic keys

A research study by academics at North Carolina State University (NCSU) has shown that a large number of GitHub repositories leak API tokens and cryptographic keys. The study analysed more than a billion GitHub files spread across millions of repositories. The three-member team looked specifically for text strings matching API tokens or cryptographic keys in a set of known formats: 15 API token formats, from 15 services belonging to 11 companies including Google, Amazon and Twitter, and four private-key formats. The NCSU team scanned GitHub files between October 31, 2017, and April 20, 2018, using both the GitHub Search API and Google’s BigQuery snapshot of public GitHub data. A total of 575,456 API tokens and cryptographic keys were found, spread across more than a hundred thousand repositories, and 93 percent of the files that contained them belonged to single-owner accounts rather than organisations. The researchers noted only a small overlap between the files found through the GitHub Search API and those found in BigQuery. In addition to API tokens and cryptographic keys, the NCSU team found over 7,000 RSA private keys embedded in OpenVPN configuration files. Their analysis showed that most of these configurations had password authentication turned off and relied on the RSA key alone for authentication, so anyone who copied the key could use it to get into the corresponding private network.
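The study’s method, matching files against known token and key formats, is easy to reproduce in miniature. The following is an added example, not the NCSU researchers’ tool: a scanner that runs fixed-format regexes (AWS access key IDs and Google API keys have well-known prefixes, PEM private keys a fixed header) over a set of constructed files, adds a generic “secret-looking assignment” rule filtered by Shannon entropy to cut false positives, and checks the specific OpenVPN condition the paper flagged, an inline private key with no `auth-user-pass` directive. The sample files, the entropy threshold and the generic assignment rule are this example’s own assumptions.

```python
"""Regex-based secret scanner over repository files.

Added example, not the NCSU study's tool. SAMPLE_FILES are constructed
(the AWS values are Amazon's documentation placeholders). The generic
assignment rule and ENTROPY_THRESHOLD are this example's own heuristics.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Fixed-format credentials: high-confidence matches, no further filtering needed.
FIXED_FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: something named like a secret assigned a long quoted literal.
# Needs an entropy filter, otherwise placeholders such as "xxxxxxxxxxxxxxxx" match.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\w*(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['"]([A-Za-z0-9/+_\-=]{16,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune against your corpus


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str   # only a prefix is kept so the report itself does not leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; a repeated placeholder scores near 0."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum((n / len(value)) * math.log2(n / len(value)) for n in counts.values())


def redact(secret: str) -> str:
    return secret[:4] + "..." + "[%d chars]" % len(secret)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in FIXED_FORMAT_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
        for match in GENERIC_ASSIGNMENT.finditer(line):
            value = match.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_repository(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def openvpn_key_without_password(config_text: str) -> bool:
    """The paper's OpenVPN observation: an inline <key> block and no
    auth-user-pass, so the embedded private key is the only credential."""
    has_inline_key = "<key>" in config_text and "-----BEGIN" in config_text
    has_password_auth = re.search(r"(?m)^\s*auth-user-pass\b", config_text) is not None
    return has_inline_key and not has_password_auth


SAMPLE_FILES = {  # constructed repository contents
    "settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'GOOGLE_MAPS_KEY = "AIzaSyD-EXAMPLEkey0123456789abcdefghijk"\n'
        "token = 'aaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder, low entropy\n"
    ),
    "client.ovpn": (
        "client\nremote vpn.example.com 1194\n"
        "<key>\n-----BEGIN PRIVATE KEY-----\n"
        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC(constructed, truncated)\n"
        "-----END PRIVATE KEY-----\n</key>\n"
    ),
    "README.md": "Set API_KEY in your environment, never in git.\n",
}

if __name__ == "__main__":
    for finding in scan_repository(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line_no} {finding.kind} {finding.redacted}")
    print("ovpn relies on key alone:", openvpn_key_without_password(SAMPLE_FILES["client.ovpn"]))
```

Two things carry over from the study to real use: the fixed-prefix rules are precise but only cover services whose tokens have a recognisable shape, and the generic rule is where the false-positive fight happens, which is why it is gated on entropy rather than on the variable name alone. Anything this finds in a repository should be treated as compromised and rotated, not merely deleted from the latest commit, since the history still holds it.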


Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.


Useful links

Cyber Pulse: Edition 58

Cyber Pulse: Edition 57

Cyber Pulse: Edition 56

Cyber Pulse: Edition 55

Cyber Pulse: Edition 54

Cyber Pulse: Edition 53

Cyber Pulse: Edition 52

Cyber Pulse: Edition 51

Cyber Pulse: Edition 50

Cyber Pulse: Edition 49