Security news

Facebook pays $25,000 to security researcher for discovering CSRF exploit that leads to stealing accounts

A security researcher discovered a fatal cross-site request forgery (CSRF) vulnerability that would allow hackers to takeover Facebook accounts by simply forcing the victim to click on the malicious link.

The cybersecurity expert who goes by the pseudonym “Samm0uda” discovered a vulnerability after noticing an exposed endpoint (facebook.com/comet/dialog_DONOTUSE/), which could be exploited to bypass the CSRF protections and perform various actions on behalf of the victim.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL,” the researcher says on his blog.

“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”

The researcher discovered that through the bug it was not only possible to post on the timeline of targeted Facebook users’ accounts, but also delete their profile images and trick them into deleting their accounts. In the latter case, for a successful attack, the attacker will need to force the user to enter his password.

The flaw could have also been exploited to take control of an account using requests that would change the email address or mobile number related to the victim’s account. If an attacker is successful in adding his email address or phone number, he can use the password reset function to set a new password and block the original owner from accessing the account.

This would require some effort on the part of the attacker to exploit the vulnerability, as he will need to force the user to follow two separate links – one to add the email or phone number and another one to confirm it. However, the expert was able to create a single URL link that allowed him to obtain the access token of the victims.

Samm0uda informed about his findings to Facebook on January 26, 2019. The social media giant acknowledged the issue and fixed the problem on January 31, 2019. Facebook awarded a $25,000 bounty to the researcher as part of the company’s bug bounty program.

You can read more about Samm0uda’s findings here.

Eight Malicious Crypto-Mining Apps Removed From Microsoft’s Windows App Store

Microsoft has removed eight applications from its Windows App Store that were mining Monero crypto-currency without the knowledge of users.

The illicit eight crypto-jacking Windows 10 applications were discovered by the cybersecurity company, Symantec in the month of January this year. Apparently, these apps were published in the Microsoft Store between April and December 2018, but many of them were published only towards the end of the year.

“On January 17, we discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency. We reported these apps to Microsoft and they subsequently removed them from their store,” Symantec said in a blog post.  

For those unfamiliar, crypto-jacking, also often referred to as drive-by mining, is the process whereby hackers and websites host sections of code that have the ability to secretly siphon off your computer processing unit’s (CPU) power towards mining cryptocurrency for the offenders to make money from.

According to Symantec, all eight apps are likely developed by the same person or group. “The apps – which included those for computer and battery optimization tutorials, internet search, web browsers, and video viewing and download – came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group,” Symantec added.

All the malicious apps that ran on Windows 10, including Windows 10 S Mode were Progressive Web Apps (PWAs). These are web applications that load like regular web pages or websites but can offer user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications. PWAs combine the flexibility of the web with the experience of a native application.

Ironically, Microsoft’s Windows 10 S Mode is the most secure Windows 10 version, as it restricts app downloads to the Microsoft Store.

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.” Symantec said.

The eight crypto jacking apps were published in the Store by three developers, “DigiDream”, “1clean”, and “Findoo”. These apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, Findoo Mobile & Desktop Search.

All the eight apps collectively boasted over 1,900 reviews. However, since the app ratings can be fraudulently inflated, it is currently unclear how many of these app ratings and downloads are legal.

If you have installed any of the above-mentioned apps, it is suggested that you uninstall them as soon as possible. It is recommended that you keep your software up to date and avoid downloading apps from unfamiliar sites. Only install apps from trusted sources. Also, closely monitor CPU and memory usage of your computer or device.

Source: Symantec

Hackers, Thieves, and Repair Shops Access iCloud-Locked iPhones, Here’s How

Hackers, thieves, and repair shops have discovered a new way to bypass the ‘Find My iPhone’ feature on iCloud-locked iPhones so that they can sell stolen or non-stolen devices, according to a report from Motherboard.

For those unaware, “Find my iPhone” is an app and service from Apple, which lets you locate, lock down or wipe your lost iPhone, iPad, iPod, or Macbook and requires a password to continue. Apple had introduced this feature in 2013 to safeguard people’s information stored on their iPhones.

In order to keep iPhones secure and make it less valuable targets to would-be thieves, iPhones can be associated only to one iCloud account at a time. This means that the hackers and thieves need to figure a way out to remove the iCloud account from the iPhone in order to sell the stolen device to someone else or for someone new to use it. The iCloud account can only be removed by entering the Apple ID password.

“The iCloud security feature has likely cut down on the number of iPhones that have been stolen, but enterprising criminals have found ways to remove iCloud in order to resell devices. To do this, they phish the phone’s original owners, or scam employees at Apple Stores, which have the ability to override iCloud locks. Thieves, coders, and hackers participate in an underground industry designed to remove a user’s iCloud account from a phone so that they can then be resold,” according to Motherboard.

In order to get into iCloud-locked iPhones, thieves are now producing fake receipts and invoices to fool Apple into believing that they are the actual owners of the phone. While the tricks include social engineering at Apple Stores, there are also “custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner,” mentions Motherboard.

Additionally, a few hackers also reprogram stolen iPhones with a new IMEI. Besides this, there are also forums for the hacker community where they share new methods and tips to break into locked iPhones.

Even some unnamed repair companies have become actual customers of companies that illegally reset and reactivate the iCloud-locked iPhone.

“There are many listings on eBay, Craigslist, and wholesale sites for phones billed as ‘iCloud-locked,’ or ‘for parts’ or something similar,” added Motherboard. “While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones — including some iCloud-locked devices — are sold in bulk at private ‘carrier auctions’ where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)”

Basically, in the event your iPhone is stolen or lost, ensure that you change the password of your iCloud account immediately. Further, beware of phishing scams and carefully check the addresses or URLs of the websites you visit, especially login pages. It is recommended to keep a unique password not only for your iCloud account but also for every other online account. Also, ensure that you have enabled two-step authentication on your iCloud account.

A 13-year-old boy jokingly tells Siri he wants to shoot up a school, gets arrested

A shooting joke went wrong for a 13-year-old Indiana teenager when he told Apple’s AI assistant, Siri that he was planning a school shooting.

For those unaware, Apple’s Siri is a voice-activated virtual assistant that uses voice queries to answer questions, make recommendations, and perform actions by delegating requests to a set of Internet services.

The Chesterton Middle School student is believed to have told Siri: “I am going to shoot up a school”. To which, Siri replied by listing the names of multiple schools in the vicinity, according to police investigating the case. He allegedly posted a screenshot of the response on his social media account as an apparent joke. However, the contacts of the school kid took the joke seriously and informed the Chesterton police about the incident, who then contacted authorities in Valparaiso, Indiana.

“The male made no direct threat to a specific person, school, or school system. It has since been discovered the male has no access to weapons and posted the picture on social media as a joke. The threat is not believed to be credible at this time; however, these types of communications are taken very seriously by the Valparaiso Police Department and our community. We continue to work with the Valparaiso Community Schools to ensure the safety of the students and staff,” the Valparaiso Police was quoted as saying.

The Indiana teenager has been charged with intimidation and is being held at the Porter County Juvenile Detention Center in Indiana’s Valparaiso. The Valparaiso Police believe that the teenager had no access to weapons. The incident is being investigated by the Valparaiso and Chesterton Police Departments.

Apple restores Google’s revoked enterprise certificate within hours

Earlier this week, Apple had revoked Facebook’s Enterprise Certificate for violating terms of its developer agreement by having an app on its App Store that extensively collected user’s data. It is now learned that Google too had a similar app that monitored users’ data and traffic usage on iPhones, according to TechCrunch.

Launched in 2012, Google’s data collecting app called Screenwise Meter allows users to earn gift cards, such as a $5 credit on Amazon, “for sideloading an Enterprise Certificate-based VPN app that allows Google to monitor and analyze their traffic and data.” It invites users aged 18 and above (or 13 and above in a family group) to participate in Google’s Opinion Rewards program.

Similar to the Facebook Research app that offers up to $20 per month to users to sideload a VPN app on iOS, the VPN app installed by Screenwise Meter also used an Enterprise Certificate. This certificate indicates that an app is only meant for distributing internally to employees, and not to the public.

Following the revelation, Google decided to shut down the Screenwise Meter iOS app. However, before Google could do so, Apple blocked the search giant from running its internal iOS apps.

Apologizing for using its iOS Enterprise Certificate, Google told TechCrunch that “The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”

The revoking of Enterprise Certificates by Apple created problems for both Facebook and Google, as it could no longer run or execute internal apps on iOS devices, as it all depended on the enterprise program, which enables the distribution of internal apps within a company.

However, the Cupertino giant restored Facebook’s Enterprise Certificate on Thursday after revoking it on Wednesday. “We have had our Enterprise Certification, which enables our internal employee applications, restored,” a company spokesperson said in an email to The Register. “We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.”

Apple late Thursday restored functionality to Google’s apps within five hours of revoking its Enterprise Certificate.

DailyMotion is a popular video sharing platform that is used by millions of users. Recently, DailyMotion confirmed that it was the victim of a credential stuffing attack.

So here’s everything you need to know about the credential stuffing attack on DailyMotion.

ALSO READ: YouTuber Fits A Fully Functional Computer Into A Mouse

DailyMotion Confirms Credential Stuffing Attack

Credential Stuffing is a type of cyber attack that helps hackers to gain illegal access over your accounts on different websites. Hackers rely on the different combinations of usernames and passwords that are leaked from major security and data breaches.

DailyMotion has sent out emails to affected users informing them about the credential stuffing attack. The video sharing platform has also stated that the security team discovered the credential stuffing attack and took the necessary steps to completely block it.

Dailymotion quickly logged out affected users and started the password reset procedure. The email sent out to affected users also included a link that helped users to regain access to their accounts. Furthermore, Dailymotion has also informed CNIL (Commission nationale de l’informatique et des libertés), about the attack in accordance with Europe’s GDPR laws.

Lastly, it’s worth noting that only a limited number of accounts were affected by the credential Stuffing Attack. Consequently, if you didn’t receive any email from DailyMotion your account is completely safe and secure.

---

How To Safeguard Your Online Accounts

Data breaches and credential stuffing attacks are nothing new. These attacks affect many users on different websites and social media platforms that securely store our personal data. In fact, around two weeks ago Reddit announced that hackers gained illegal access to some accounts by relying on a credential stuffing attack.

Using different passwords for different websites and social media platforms can definitely help you to safeguard your account against credential stuffing attacks. Furthermore, if the service allows you can 2FA and provide an extra layer of protection against data breaches.

A new AI could stop users from sharing their Netflix passwords with others

Synamedia, a UK company, is offering a new artificially intelligent (AI) service that will help, especially pay-TV operators and video streaming platforms, to track shared passwords. The company is currently showcasing the solution at the Consumer Electronics Show (CES) 2019 in Las Vegas.

Netflix, Amazon Video, HBO Now, for instance, are some of the popular video streaming services as of now.

The service, called Credentials Sharing Insights, uses AI, behavioral analytics and machine learning, which identifies, monitors and analyzes credentials sharing activity across streaming accounts. In other words, it will keep tabs on casual password sharing between friends and family as well as criminal enterprises or individuals who want to make money by reselling login credentials of payment channels or streaming services.

“The way you secure OTT is evolving,” said Jean Marc Racine, CPO and GM EMEA of Synamedia, explained in an interview to Variety. In the past, cable TV operators largely depended on secured devices, such as locked down devices and smart cards to decrypt satellite TV.

However, with the content transitioning to streaming, operators are finding ways to make things simpler for end consumers. “Passwords are easy to share,” he argued.

How does the service work?

Synamedia’s Credential Sharing Insights service analyzes streaming data from all its users. It will train the AI-based system on factors such as location from where an account is being accessed from, what time it’s used and for what duration, the content being watched, which device is being used, so on and so forth.

For example, the service can determine whether users are viewing at their main home and a holiday home, or whether they have shared credentials with friends or grown-up children who live away from home. In the case of the latter, these users will be offered a premium shared account service that includes a pre-authorized level of password sharing and a higher number of concurrent users.

The service provider or platform then gets a probability score, where the system would classify users between scores of 1 to 10, where “1” would indicate that this user is unlikely to share their password, and “10” would represent a user who has high chances of sharing that password.

“Casual credentials sharing is becoming too expensive to ignore,” said Racine. “Our new solution gives operators the ability to take action. Many casual users will be happy to pay an additional fee for a premium, shared service with a greater number of concurrent users. It’s a great way to keep honest people honest while benefiting from an incremental revenue stream.”

Available as a cloud or on-premise offering, Synamedia Credentials Sharing Insight is already in trials with a number of pay-TV operators.

Media research firm Magid suggests that 26% of millennials share passwords for video streaming services, while consulting firm, Parks Associates predicts $9.9 billion of pay-TV revenues and $1.2 billion of OTT revenues will be lost to credentials sharing by the year 2021.

AT&T, Comcast, Disney, Verizon, and Sky are some of the biggest names, who are currently using Synamedia Credentials Sharing Insight service.

Don’t download WhatsApp Gold, as it’s a scam; here’s what you need to do

Look who’s back – the WhatsApp Gold feature – that had become viral in 2016. This feature tricked users into downloading ‘WhatsApp Gold’, an apparently ‘exclusive’ version of the app, on their smartphones which was actually a malware through a given link. Apparently, the WhatsApp Gold scam has resurfaced and started circulating on the internet.

While the original scam fooled users to install malware in the form of ‘WhatsApp Gold’, the new scam is in the form of a message warning users about a virus. The said video “Martinelli” will reportedly install malware in the user’s phone and hack it within 10 seconds of viewing the downloaded video.

The hoax message shared by WhatsApp users read, “Today the radio was talking about WhatsApp Gold and it is true. There is a video that will be released tomorrow on WhatsApp and is called Martinelli. Do not open it. Enter your phone and nothing you do will fix it. Spread the message if you know someone. If you receive a message to update Whatsapp Gold Do not open it! They just announced that the virus is serious. Send it to everyone.”

The message also warns users about a real WhatsApp Gold scam in order to make the message more genuine. However, nothing such as ‘Martinelli’ video exists, nor does the message have any download link to malicious sites. Although there were cases of the WhatsApp Gold scam, the Martinelli video is purely a hoax.

It is important to note that WhatsApp Plus and WhatsApp Gold are not applications developed by WhatsApp. Also, WhatsApp installs updates automatically through the app itself and not through download links. Hence, if users are receiving requests to manually install an update, it is suggested to ignore and delete such messages immediately.

Samsung phone users complain that they cannot delete the Facebook app

Some Samsung smartphone users were in for a shock when they discovered that they were unable to delete the Facebook app from their devices, according to a report by Bloomberg.

Users took to forums such as the Android Central to share their experiences while trying to delete the pre-installed Facebook app. Some users reported that when they tried to remove the app from their devices, it gave them options such as “Disable” or “Force Stop” the app, but not “Uninstall”.

While many smartphones come with some pre-loaded apps, such as email and messenger clients, or other services, the phone manufacturers these days have also started including pre-loaded apps like Facebook, Twitter, Amazon, YouTube, and others on their devices.

Samsung too has few smartphones that come pre-installed with Facebook apps and the company has also released several apps that link its devices to Facebook. For example, Samsung Mobile app and the Galaxy S4 app collect personal information about you and your friends on Facebook.

According to a Facebook spokesperson, once the pre-installed Facebook app is disabled, it acts like it’s been deleted and doesn’t collect data or send any information back to its servers, reports Bloomberg. In other words, once the user has disabled the Facebook app, it stops running.

Neither Samsung nor Facebook has commented on the issue faced by Samsung users.

NSA will release a free open source reverse engineering tool ‘GHIDRA’

The U.S. National Security Agency (NSA) will be releasing a free open source reverse engineering tool for public use in a session at the RSA conference 2019 in San Francisco titled “Come Get Your Free NSA Reverse Engineering Tool!”

For the unaware, NSA has until now officially shared its own software tools only with government agencies, secret services, and other countries.

Dubbed as GHIDRA, the software reverse engineering framework is developed in Java and has a graphical user interface (GUI). It is available for Windows, macOS, and Linux. However, in order to use the tool, the system is required to run Java 1.7.

“NSA has developed a software reverse engineering framework known as GHIDRA, which will be demonstrated for the first time at RSAC 2019,” states the RSAConference session description. “An interactive GUI capability enables reverse engineers to leverage an integrated set of features that run on a variety of platforms including Windows, Mac OS, and Linux and supports a variety of processor instruction sets. The GHIDRA platform includes all the features expected in high-end commercial tools, with new and expanded functionality NSA uniquely developed, and will be released for free public use at RSA.”

GHIDRA includes a disassembler that breaks down executable files into assembler code, which in turn can be read and examined by humans. It can be utilized to analyze binary files used by programs, as well as malware, that runs on different operating systems such as Windows, macOS, Linux as well as mobile platforms like Android and iOS.

Spoiler – it's a lot like IDA except slower (written in Java), its best feature is an architecture-agnostic C decompiler (uses a p-code translation layer) – not sure how many architectures the open source release will support. I have a bunch of friends that use it.

— e * v * m (@evm_sec) January 3, 2019

Apparently, the existence of GHIDRA has never officially been a secret, until it was first publicly released by WikiLeaks in CIA Vault 7 leaks in March 2017. Developed back in the early 2000s, the tool has been used extensively ever since, including outside the US and several other law enforcement agencies.

GHIDRA is expected to be released soon on NSA’s open source repository at https://code.nsa.gov/ and also on the associated GitHub account.