IT Security Newsletter

IT Security Newsletter - 12/4/2019

Written by Cadre | Wed, Dec 4, 2019

HackerOne breach lets outside hacker read customers’ private bug reports

As a leading vulnerability reporting platform, HackerOne has paid hackers more than $23 million on behalf of more than 100 customers, including Twitter, Slack, and the US Pentagon. The company’s position also gives it access to unimaginable amounts of sensitive data. Now, the company has paid a $20,000 bounty out of its own pocket after accidentally giving an outside hacker the ability to read and modify some customer bug reports.

Adobe discloses Magento Marketplace data breach

The personal information of customers and sellers on the Magento Marketplace has been compromised after a third party exploited a flaw in the Adobe-owned e-commerce platform. Last week, an "unauthorised third-party" gained access to user data such as username, name, email address, billing and shipping address information, billing and shipping phone number, and some commercial information.

The Great Cannon DDoS Tool Used Against Hong Kong Protestors’ Forum

The Great Cannon Distributed Denial of Service (DDoS) tool was deployed again to launch attacks against the LIHKG social media platform used by Hong Kong protesters to coordinate during this year's anti-extradition protests. Attackers use the Great Cannon to consume the resources of a targeted website outside the Great Firewall of China (GFW) with superfluous web traffic from Chinese users whose insecure HTTP connections had malicious JavaScript injected into them while they were visiting sites over plain HTTP.

Dead Netflix accounts reactivated by hackers

Hackers have exploited Netflix's data retention policies to reactivate cancelled customer subscriptions and steal their accounts. Former subscribers say they noticed their accounts had been reinstated when they were charged a monthly fee, months after cancellation. The hackers can log in to dormant accounts and reactivate them without knowing users' bank details, according to the BBC. This is possible because the streaming service stores customer data, including billing information, for ten months after cancellation.

Notorious spy tool taken down in global operation

Law enforcement authorities in a number of countries have broken up a cybercriminal operation that peddled a notorious Remote Access Trojan (RAT) capable of giving anyone with ill intentions total control over compromised machines, according to announcements by Europol, the United Kingdom’s National Crime Agency (NCA) and the Australian Federal Police (AFP).

Krebs on Security: The iPhone 11 Pro’s Location Data Puzzler

One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.

Mozilla locks nosy Avast, AVG extensions out of Firefox store over web privacy

Adblock Plus founder Wladimir Palant confirmed this week that Mozilla has taken down the Avast Online Security and Avast-owned AVG Online Security extensions he reported to the browser maker, claiming the code was snooping on users' web surfing. The problem, as Palant has been documenting on his blog for some time, is that the extensions may go well beyond the level of access to user information needed to perform their advertised functions.

Siemens Offers Workarounds for Newly Found PLC Vulnerability

Siemens recently issued a security advisory with workarounds and mitigations for a vulnerability uncovered by researchers in its S7-1200 programmable logic controllers (PLCs) that could be used to bypass a firmware integrity check to load malware or hijack the industrial processes of the devices. Researchers from Ruhr University Bochum in Germany found an undocumented hardware-based special access feature while studying the PLC's bootloader, which handles software updates and verifies the integrity of the PLC's firmware when the device starts up.