Issue 104

Breaches and leaks

It's been a busy week :-/

  • Voxox: an SMS provider, left a database holding tens of millions of text messages publicly accessible, complete with an Elasticsearch/Kibana interface for easy searching. New messages streamed in in real time, including juicy stuff like 2FA codes.
  • US Postal Service: an API used for tracking information had no proper access control, letting anyone look up the account details of over 60 million users.
  • Vision Direct: a contact lens vendor, had the full credit card details of 16,300 customers stolen, including CVV codes. A malicious script injected into the checkout page skimmed them as customers typed them in.
  • High Tail Hall: an adult video game website, had the personal data of over 400,000 subscribers stolen.
  • Instagram: the "download your data" tool returned your password in plain text in its URL.
  • Make-A-Wish Foundation: a cryptojacking script was installed on their website, which was still vulnerable to the Drupalgeddon2 exploit (CVE-2018-7600).
  • Hospital in Texas: had a ransomware infection affecting 40,000 individuals, although they don't think any data was actually leaked. Data was restored from backups.

Spectre, Meltdown researchers unveil 7 more speculative execution attacks

We haven't seen the end of those yet. The article gives a technical but very good overview of Meltdown and Spectre-type attacks.

Vulnerability in AMP for WP Plugin allows admin access

Even if you only have commenting rights, you can escalate yourself to site admin. Make sure you are on the latest version if you use this plugin, because exploitation is already underway.

AI-generated ‘skeleton keys’ fool fingerprint scanners

Researchers generated a set of "master fingerprints" that fooled fingerprint scanners roughly one time in five.

New security feature to prevent Amazon S3 bucket misconfiguration and data leaks

The new feature lets administrators block public access at the account level, so it applies to every bucket in the account (including ones created later), instead of having to configure it on each individual S3 bucket.
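What the account-level setting looks like next to the older bucket-level one, as an added example in Terraform (not code from the newsletter or from AWS). The two resource types and their four flags are real Terraform AWS provider resources; the region and the bucket name are assumptions:

```hcl
# Added example, not from the original page or from AWS.
# Assumptions: region "eu-west-1" and bucket name "example-corp-app-logs".

provider "aws" {
  region = "eu-west-1" # assumption
}

# Account level (the new feature): one resource covers every bucket in the
# account, including buckets created after this is applied.
resource "aws_s3_account_public_access_block" "account" {
  block_public_acls       = true # reject new public ACLs on buckets and objects
  ignore_public_acls      = true # treat any existing public ACL as private
  block_public_policy     = true # reject bucket policies that grant public access
  restrict_public_buckets = true # buckets that do have a public policy are only reachable by the account's own principals and AWS services
}

# Bucket level (the only option before this feature): has to be repeated on
# every bucket, and a bucket someone creates tomorrow gets nothing unless
# they remember to add it. Still useful as defence in depth.
resource "aws_s3_bucket" "logs" {
  bucket = "example-corp-app-logs" # assumption
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
```

After applying, `aws s3control get-public-access-block --account-id <your-account-id>` shows the account-level configuration; an empty result means nothing is set at the account level and only per-bucket settings apply.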

Popular children's smartwatch lets hackers access your child’s location

The MiSafe smartwatches, usually purchased by parents to keep track of their children, are so poorly secured that you should probably feel safer without them.

Adobe Flash has another critical security vulnerability

If you somehow still use Flash (I am so, so sorry), you had better update fast. The details of this vulnerability are publicly known, so attacks in the wild are expected soon.

MageCart groups are sabotaging each other

Interesting to see that the so-called MageCart groups, i.e. the people who have skimmed credit card details from hundreds of websites so far, are "at war" with each other. When one group's skimmer detects a rival's script on the same page, it feeds the rival fake card details, polluting the rival's stolen data and damaging its reputation with the buyers of that data.

Mirai: not just for IoT anymore

I found it interesting to see that the Mirai botnet code is now being adapted to target regular servers too, instead of just IoT devices, potentially giving its DDoS attacks even more firepower.

The passwordless web explained

By far the best no-nonsense, easy to read explanation of the "passwordless future" that I've seen, helping me to finally make sense of FIDO2, WebAuthn and CTAP.

The story of a failed pentest

A great story, taken from a Twitter thread, on how a pentester was mostly unsuccessful because of how good the target company's security was. A nice example for those of us on the defensive side of what we need to get right.

Breachroom: curated list of breaches and attacks

Breachroom is a page maintained by Templarbit, an application security provider, giving an overview of recent breaches and cyber attacks.

1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.