Breaches and leaks
- China: No less than 18 unsecured MongoDB instances were found, showing private conversations, file exchanges and location data of 364 million social media profiles.
- Google has temporarily disabled Android TV photo sharing after a bug gave a user access to a long list of other people's pictures.
- Verifications.io: an "email verification" service exposed a MongoDB database with a whopping 800 million e-mail addresses.
- Comcast: several people had their phone numbers transferred by identity thieves, who apparently only needed the phone number and a PIN which defaulted to "0000".
If you're using Chrome, especially if you're on Windows 7, you'll want to restart the browser to pull in the latest update. There have been attacks seen where a vulnerability in Chrome, combined with Windows 7, can cause remote code execution simply by visiting a website.
It's been a long time coming, but now it's official. If you want a refresher on what WebAuthn means, I can recommend this article.
Chronicle is a part of Alphabet, Google's parent company. It launched what it loosely describes as "Google Photos but for network security", as in: you toss a heap of (network) data in it, and it will structure, tag and analyse it, after which you can query it for things like "Are any of my computers sending data to Russia?".
I don't know the first thing about proper reverse engineering, but it's a cool move and got a lot of people excited. This Hackernews thread has some nice discussions on it. If you want to see what a tool like this looks like, check the "Getting Started" video from the 4-minute mark onwards.
The 19-year-old Santiago has reported over 1600 security flaws so far, and made a very nice living out of it. He started when he was 16 and was inspired by the movie Hackers :-)
An interesting post on how various phone support desks try to authenticate you. If your company runs a contact center like this, it's worth getting it right.
This is a fun one. Cobalt Strike is a platform to help Red Teams and pentesters attack their targets. But, naturally, it's also (ab)used by malicious parties. Until recently there was a bug where Cobalt Strike would append a whitespace character at the end of each HTTP response. By crawling for this whitespace, the authors of the post were able to put together a list of malicious Cobalt Strike platforms on the web.
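As an added illustration of the fingerprint described above (my own example, not code from the original post or from the researchers it refers to): a small Python check that flags stray whitespace in a raw HTTP response, both on the status line and header lines and as extra bytes after the declared Content-Length. The sample responses are constructed; since the item does not say exactly where in the response the whitespace sat, both positions are checked, which is also a handy sanity check to run against your own servers' responses.

```python
# Constructed sample responses (not real captures): one clean, one with a
# stray space at the end of the status line, one with an extra whitespace
# byte after the body declared by Content-Length.
NORMAL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
STATUS_LINE_SPACE = NORMAL.replace(b"200 OK\r\n", b"200 OK \r\n", 1)
BODY_TRAILING_SPACE = NORMAL + b" "


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, header_lines, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def whitespace_anomalies(raw: bytes) -> list[str]:
    """Return human-readable descriptions of whitespace oddities (empty = clean)."""
    status, headers, body = split_response(raw)
    findings = []
    # A compliant status line ends with the reason phrase, with no trailing blank.
    if status != status.rstrip(b" \t"):
        findings.append("trailing whitespace on status line")
    declared = None
    for h in headers:
        if h != h.rstrip(b" \t"):
            name = h.partition(b":")[0].decode(errors="replace")
            findings.append(f"trailing whitespace on header: {name}")
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            declared = int(value)
    # Extra bytes beyond Content-Length that are all whitespace are the
    # "appended whitespace" pattern the item describes.
    if declared is not None and len(body) > declared and not body[declared:].strip():
        extra = len(body) - declared
        findings.append(f"{extra} extra whitespace byte(s) after declared body")
    return findings
```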
An interesting post on the difficulties of pentesting single-page applications, and a proof of concept browser extension called SPAudit that tries to solve these issues.
This seems like a useful tool. It runs locally on Windows and shows all vulnerabilities your system might be subject to, with exploits when available.
In the same trend as last week's item, and by the same writer, this is a clean, minimal way of staying up to date on React.