Issue 92

Breaches and leaks

It's quite a long list this week I'm afraid :-/

  • T-Mobile blocked an attack in progress that was exfiltrating personal data of its customers through a leaky API. Personal information on about 2.3 million people still got out.
  • Cheddar's Scratch Kitchen: the fast-food chain had its previous POS system breached. An estimated 567,000 credit cards were stolen.
  • Huazhu Hotels: a Chinese hotel chain. Personal information on an estimated 130 million customers is up for sale on a dark web forum.
  • Atlas Quantum: a Brazilian crypto exchange. Information on 264,000 users was exposed.
  • Abbyy: an OCR software provider with big customers like PwC and Volkswagen. They had an unsecured MongoDB instance online holding 142GB of document data.
  • Air Canada had 20,000 user accounts breached, exposing personal information.
  • Eir: an Irish telecom operator. A laptop holding personal information on 37,000 customers was stolen, and it was not encrypted. This is an easy fix, people: full-disk encryption on every laptop. Make sure this can't happen where you work.
  • Spyfone: a company that sells spyware to parents and employers :/ They left an S3 bucket unsecured with all the collected data: pictures, text messages and more.
  • TheTruthSpy: another creepy spyware/stalking app. A vulnerability exposed usernames and plaintext passwords, giving an attacker full access to every account.

New Apache Struts 2 flaw discovered

It allows for remote code execution in Struts 2 web applications and is deemed "more critical than the Equifax bug". If you're running Struts 2, update fast: active exploitation is already happening.

Vulnerability affects all OpenSSH versions

It's not horrible, but an important thing to patch nonetheless. The vulnerability allows for username enumeration: sshd reacts differently to a malformed authentication request depending on whether the username exists (it drops the connection for a valid user but sends back an authentication failure for an unknown one), so an attacker can tell valid accounts from invalid ones before guessing a single password. Since that greatly helps brute-forcing attacks, it's worth patching.

Zero-day in Windows Task Scheduler published on Twitter

The vulnerability allows for local privilege escalation. There's a third-party micropatch available, but no official patch yet.

Adobe issues unexpected critical fix for Photoshop CC

The flaw allows for remote code execution through Photoshop Creative Cloud, on both Windows and Mac. Patch it if you use it.

Google's FIDO based Titan security key now available for $50 USD

Currently only for people in the US though. And it's also currently sold out, but there's a waiting list.

MagentoCore malware found on 7,339 Magento stores

The malware skims credit card data from the checkout pages of infected stores, and it is spreading at a rate of 50 to 60 newly compromised Magento stores per day.

Fortnite fury over how Google handled its man-in-the-disk security hole

Bit of security drama between Fortnite's developer and Google that got attention this week. Two things combined: Fortnite recently decided to bypass the Play Store in favour of a less secure side-loaded installer, and Google then found a man-in-the-disk vulnerability in that installer and, according to Fortnite's developer, disclosed it too soon.

How I recorded user behaviour on my competitor's websites

Clever little hack. Get someone to visit your site. When they press the back button, send them to a page that looks like Google search results but isn't. Let them click through to fake versions of your competitors' sites and watch what they do, capture credentials, etc. Hacker News discussion here.

Abandoned domains and their potential for fraud

Interesting bit of research on how one can look for recently abandoned domains (for example, those of failed businesses), register them, and use the revived email addresses to regain access to G Suite, social media accounts and the like.

Remote code execution on a Facebook server

Nice simple write-up of how a researcher got into a Facebook server and received a $5000 bounty.

10+ top open-source tools for Docker security

Interesting list of tools to audit and improve Docker security.
A comprehensive guide to application-level denial of service

Web application availability matters more than ever, and it's at risk from increasingly complex application-level denial-of-service attacks. This guide walks through the different DoS techniques in use so you know what to look for.

1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.