Breaches and leaks
It's quite a long list this week I'm afraid :-/
- T-Mobile blocked an attack in progress that was exfiltrating personal data of their customers through a leaky API. Personal information on about 2.3 million people got out.
- Cheddar's Scratch Kitchen: the fast-food chain had its previous POS system breached. The information of an estimated 567.000 credit cards was stolen.
- Huazhu Hotels: a Chinese hotel chain. Personal information of an estimated 130 million customers is up for sale on a Dark Web forum.
- Atlas Quantum: a Brazilian crypto exchange. The information on 264.000 users was exposed.
- Abbyy: an OCR software provider, with big customers like PwC and Volkswagen. They had an unsecured MongoDB instance online with 142GB of document information.
- Air Canada had 20.000 user accounts breached, exposing personal information.
- Eir: an Irish telecom operator. An encrypted laptop was stolen, holding personal information on 37.000 customers. This is an easy fix, people: make sure this doesn't happen where you work.
- Spyfone: a company that sells spyware to parents and employers :/ They left an S3 bucket unsecured with all of the spied-on data, like pictures, text messages and more.
- TheTruthSpy: another creepy spyware/stalking app. They had a vulnerability that gave access to usernames and plaintext passwords, granting the attacker full access to everyone's account.
It allows for remote code execution of all Struts web applications, and is deemed "more critical than the Equifax bug". If you're running Struts 2, update fast, because active exploitation is already happening.
It's not horrible, but an important thing to patch nonetheless. The vulnerability allows for username enumeration because it gives back a different response to a failed authentication request, depending on whether the username exists or not. Considering that this greatly helps brute-force attacks, it's worth patching.
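As an added illustration (not code from the affected product or from this newsletter), here is a minimal Python login handler that leaks account existence through its failure response, beside one that returns the same failure for every cause and pays the password-hashing cost for unknown usernames as well. The user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Constructed helper: PBKDF2 with a modest iteration count to keep the demo fast
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store: username -> (salt, hashed password)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so a lookup miss still runs the full hash (avoids a timing oracle)
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_vulnerable(username: str, password: str):
    """Leaks existence: status and message differ depending on why the login failed."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "unknown user"
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "wrong password"
    return 200, "ok"

def login_hardened(username: str, password: str):
    """Uniform failure: same status and message whether the user exists or not."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Hash is always computed; existence is folded in only after the work is done
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return 401, "invalid credentials"
    return 200, "ok"

def leaks_existence(login) -> bool:
    """Defender-side check: are failed logins for a known and an unknown user distinguishable?"""
    known = login("alice", "not-the-password")
    unknown = login("nobody", "not-the-password")
    return known != unknown
```

The same check can be pointed at a real endpoint by comparing status codes, bodies and response times for a known and an unknown account; the timing part is why the hardened version always hashes.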
The vulnerability allows for local privilege escalation. There's a third-party micropatch available, but no official patch yet.
The flaw allows for remote code execution through Photoshop Creative Cloud, on both Windows and Mac. Patch it if you use it.
Currently only for people in the US though. And it's also currently sold out, but there's a waiting list.
The malware steals credit card information, and is growing at the rate of 50-60 new Magento stores per day.
Bit of security drama between Fortnite and Google that got attention this week. It is a combination of two things: Fortnite recently decided to no longer use the Play Store, opting for a less secure side-install, and Google then discovered a man-in-the-disk security vulnerability in it and disclosed it too soon, according to Fortnite.
Clever little hack. Get someone to visit your site. When they press the back button, bring them to a page that looks like Google search results but isn't. Let them navigate to fake versions of your competitors, and see what they do, capture credentials, etc. Hackernews discussion here.
Interesting bit of research on how one can look for recently abandoned domains (for example, domains of failed businesses) and use them to regain access to Gsuite, social media accounts and the like.
Nice simple write-up of how a researcher got into a Facebook server and received a $5000 bounty.
Interesting list of tools to audit and improve Docker security.