This week, Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018, Hackers Target WordPress Sites via WP Cost Estimation Plugin, Facebook paid $25,000 for CSRF exploit that leads to Account Takeover, and PoC Exploit Code for Recent Container Escape Flaw in runc Published Online! Jason Wood from Paladin Security joins us for expert commentary on …!
1) Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018 – Google revealed that it paid out a total of $3.4 million for flaws reported in 2018 by researchers through its Vulnerability Reward Program (VRP). The $3.4 million was awarded for 1,319 reports submitted by 317 researchers from 78 countries. The largest single reward was $41,000 and $181,000 was donated to charity. Half of the awards, $1.7 million, were for flaws affecting Android and Chrome. In 2017, Google paid out a total of $2.9 million, roughly $2.2 million for Android and Chrome flaws.
2) Hackers Target WordPress Sites via WP Cost Estimation Plugin – Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder. The plugin, developed by Loopus, allows WordPress website administrators to create cost calculators and payment forms. Malicious actors have been exploiting two vulnerabilities related to uploading and deleting files. The first flaw allows the upload of malicious PHP files with an apparently harmless extension. The second flaw allows attackers to delete arbitrary files. Both flaws were patched months ago, but since no security warning was issued, many users have not installed the updates and left their websites vulnerable to attacks.
3) Facebook paid $25,000 for CSRF exploit that leads to Account Takeover – Facebook paid a $25,000 bounty for a critical cross-site request forgery (CSRF) vulnerability that could have been exploited to hijack accounts simply by tricking users into clicking on a link. The flaw resides in the facebook.com/comet/dialog_DONOTUSE/ endpoint. By adding the argument ?url=XXXX and sending a POST request with the CSRF token fb_dtsg added to the request body, an attacker could bypass CSRF protections once a victim was tricked into clicking a malicious URL. The flaw was fixed by Facebook on January 31, 2019 and the bounty was paid on February 12, 2019.
4) Mega-crackers back with nearly 100 million new stolen data records – Last week we discussed that 620 million breached records from 16 sites were for sale on the dark web. But that was only phase 1. The hacker, whose identity isn’t known, released another 127 million records from 8 sites late last week and another 91 million records from another 8 sites over the weekend. To date, the hacker has revealed breaches at 30 companies, totaling about 841 million records. The common software in all 30 breaches is PostgreSQL, an open-source database project. PostgreSQL is “currently unaware of any patched or unpatched vulnerabilities” that could have caused the breaches.
5) Privilege Escalation Vulnerability Found in LG Device Manager – A privilege escalation vulnerability that allows attackers to elevate permissions to SYSTEM has been found in the LG Device Manager application for its laptops. The security hole, tracked as CVE-2019-8372, allows an attacker who already has non-admin access to the targeted device to abuse the Device Manager app to escalate privileges to SYSTEM. The flaw is within the low-level hardware access (LHA) kernel-mode driver, which includes IOCTL dispatch functions that can be used to read and write to arbitrary physical memory. When it is loaded, the device created by the driver is accessible to non-administrative users which could allow them to leverage those functions to elevate privileges. The issue was reported to LG on November 18, 2018 and the patch was released on February 13, 2019.
6) PoC Exploit Code for recent container escape flaw in runc published online – Last week we told you about the vulnerability; this week the exploit is available. PoC exploit code for the container escape was published on GitHub; its execution requires root (uid 0) inside the container. The PoC allows a malicious container to overwrite the host runc binary and gain root-level code execution on the host. This is why giving root access to your containers is a horrible idea! Updates have been released or are being worked on across the container and cloud platform providers.
7) Kali Linux 2019.1 Released — Operating System For Hackers – Great news for hackers and penetration testers. Offensive Security has just released Kali Linux 2019.1, the first 2019 version of its Swiss army knife for cybersecurity professionals. This new version comes with the latest version of Metasploit, which “includes database and automation APIs, new evasion capabilities, and usability improvements throughout,” making it a more efficient platform for penetration testers.
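The Facebook item (3) above describes a CSRF bypass through an endpoint that accepted a `?url=` argument and a POST carrying the `fb_dtsg` token. The page does not spell out the root cause, so the following is an added example (not Facebook's code) of the two server-side checks a defender would want on such an endpoint: a CSRF token that is only accepted from the POST body and is compared in constant time against the token minted for the current session, plus an Origin/Referer check, and a rule that a user-supplied `url` parameter may only name a site-relative path. `Session`, `Request`, `handle_dialog` and the `SITE_ORIGIN` value are hypothetical names constructed for the demo; `fb_dtsg` is the field name mentioned in the item.

```python
"""Added example: CSRF-token validation bound to the session, plus a same-site
check on a user-supplied `url` parameter. All class/function names here are
hypothetical; the sample requests are constructed, not captured traffic."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed site origin for the demo (assumption, not a real deployment).
SITE_ORIGIN = "https://www.example.com"


@dataclass
class Session:
    """Hypothetical server-side session; one CSRF token is minted per session."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Hypothetical minimal request object, as a framework would hand a handler."""
    method: str
    query: dict
    form: dict
    headers: dict


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def is_same_site_path(url: str) -> bool:
    """Accept only site-relative paths for a user-supplied `url` parameter, so the
    endpoint cannot be pointed at an arbitrary destination. Rejects absolute URLs,
    protocol-relative '//host' forms and backslashes (which browsers treat as '/')."""
    parts = urlsplit(url)
    return (parts.scheme == "" and parts.netloc == "" and "\\" not in url
            and url.startswith("/") and not url.startswith("//"))


def csrf_check(session: Session, req: Request) -> tuple:
    """Return (ok, reason). The token must arrive in the POST body, must match the
    token stored in this session, and the request must come from our own origin."""
    if req.method != "POST":
        return False, "state-changing request must be POST"
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or origin_of(source) != SITE_ORIGIN:
        return False, "missing or foreign Origin/Referer"
    # Only the body is consulted: a token carried in the query string is ignored,
    # because URLs leak through logs, Referer headers and shared links.
    token = req.form.get("fb_dtsg")
    if not token:
        return False, "csrf token missing from body"
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "csrf token does not belong to this session"
    return True, "ok"


def handle_dialog(session: Session, req: Request) -> tuple:
    """Hypothetical handler for an endpoint that forwards a POST to `url`.
    Returns (status, message)."""
    ok, reason = csrf_check(session, req)
    if not ok:
        return 403, reason
    target = req.query.get("url", "")
    if not is_same_site_path(target):
        return 400, "url parameter must be a site-relative path"
    return 200, f"forwarded to {target}"


def make_request(method="POST", query=None, form=None, origin=SITE_ORIGIN):
    """Build a constructed sample request for the demo."""
    headers = {"Origin": origin} if origin else {}
    return Request(method, query or {}, form or {}, headers)


if __name__ == "__main__":
    s = Session("user-1")
    # Legitimate same-site POST with the session's token in the body -> 200.
    print(handle_dialog(s, make_request(query={"url": "/settings"},
                                        form={"fb_dtsg": s.csrf_token})))
    # Token only in the query string -> rejected.
    print(handle_dialog(s, make_request(query={"url": "/settings",
                                               "fb_dtsg": s.csrf_token})))
    # Absolute target URL -> rejected even with a valid token.
    print(handle_dialog(s, make_request(query={"url": "https://other.example/x"},
                                        form={"fb_dtsg": s.csrf_token})))
```

The design point is that a token is only as good as what it is bound to: comparing it against the token of the current session (not merely checking that some syntactically valid token is present) is what stops a request assembled on behalf of another user, and restricting the `url` argument keeps the endpoint from acting as a generic relay.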
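The runc item (6) above notes that the published PoC only works with root (uid 0) inside the container, which is exactly why containers should not run as root. As an added example, not code from the page or from the runc project, here is a small audit that reads the JSON that `docker inspect` emits and flags containers whose configured user resolves to uid 0 or that run privileged. The input below is a constructed sample in the shape of `docker inspect` output (abridged to the fields the check reads); the container names and IDs are made up.

```python
"""Added example: flag containers configured to run as root (uid 0) or privileged,
from `docker inspect`-shaped JSON. Sample data is constructed, not real hosts."""
import json
import sys

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this check reads. Names, IDs and images are made up for the demo.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "Config": {"User": "www-data", "Image": "nginx"},
     "HostConfig": {"Privileged": False}},
    {"Id": "bbb222", "Name": "/worker",
     "Config": {"User": "", "Image": "worker:1"},
     "HostConfig": {"Privileged": False}},
    {"Id": "ccc333", "Name": "/agent",
     "Config": {"User": "0:0", "Image": "agent"},
     "HostConfig": {"Privileged": True}},
    {"Id": "ddd444", "Name": "/app",
     "Config": {"User": "1000:1000", "Image": "app"},
     "HostConfig": {"Privileged": False}},
])


def runs_as_root(user_field) -> bool:
    """True when the container's configured user resolves to uid 0.

    Docker runs the process as root when User is empty (no USER directive in the
    image and no --user flag); 'root', '0', '0:0' and 'root:root' mean uid 0 too.
    Caveat: a differently named account that the image's /etc/passwd maps to
    uid 0 is not visible here, since only the configured value is inspected."""
    user = (user_field or "").split(":")[0].strip()
    return user in ("", "0", "root")


def audit(inspect_json: str) -> list:
    """Return [(container_name, [issues...]), ...] for containers worth a look."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        user = c.get("Config", {}).get("User", "")
        issues = []
        if runs_as_root(user):
            issues.append("runs as uid 0")
        if c.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged")
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    # Usage on a real host: docker inspect $(docker ps -q) | python3 audit.py
    # Without piped input the constructed sample is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, issues in audit(data):
        print(f"{name}: {', '.join(issues)}")
```

On the sample, `web` and `app` pass, `worker` is flagged because an empty User means root, and `agent` is flagged twice. The fix for a flagged image is a `USER` directive in its Dockerfile (or `--user` at run time) pointing at an unprivileged account, which removes the precondition the PoC depends on; it does not replace applying the runc update.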
That’s right folks, Apple is being hit with a class action lawsuit because of their 2-factor authentication setup! I saw this bit of news somewhere else online, but Graham Cluley has a pretty amusing blog post on it. What it boils down to is that a gentleman named Jay Brodsky has decided that Apple’s two-factor authentication system is just too burdensome for the world to bear.
Here are some of the highlights that Graham points out. First, the plaintiff alleges that Apple turned on two-factor authentication without his permission. I’ve got a lot of Apple devices and I seem to recall needing to turn this on explicitly. Perhaps I turned it on before this was possible??
Mr. Brodsky also complains that he has to remember his password and have access to a trusted device. Like Graham, I’m puzzled over this one. That’s pretty much the definition of two-factor authentication. Something you know, paired with something you have or are. Weird.
He has a number of other complaints as well. The process is a pain in the behind to use (which I’ve griped about to myself a couple of times), you can’t turn it off, and it takes so long that it causes economic damage. The economic damage one is lame. It doesn’t take that long to use unless I’ve lost my phone, my iPad, and my watch. Of course, he could just have his phone or computer and have misplaced his phone somewhere. Maybe he spent 5 minutes looking around for it.
According to AppleInsider, Brodsky also alleges that Apple has violated the Computer Fraud and Abuse Act. As a response to all these unjust actions, Brodsky is demanding “All funds, revenues, and benefits Defendant has unjustly received as a result of its actions rightfully belong to Plaintiff and the Class.” So whatever money Apple has made off of their 2FA system belongs to Brodsky and any other user of Apple’s 2FA.
I’ve worked on security projects that have gotten some people very angry before. I remember one director being incredibly steamed that several large customers were requiring changes to our authentication system. I got to be the target of his ire due to me actually being available for it. But this is a bit absurd and stunning. Graham calls for someone to give Brodsky an Android device so he can settle down, but if he ever sees Google offering their 2FA his head is going to explode and he’ll say it’s collusion designed to take down the world’s economy!
I don’t have a clue how this one will play out in the courts. Amazingly enough, he has legal representation. I can only guess that this will end up in some kind of settlement and go away at some point. I doubt we’ll see any changes to Apple’s 2FA system and I certainly can’t see it turning into a situation where Apple has to “disgorge all of its ill-gotten gains to Plaintiff and other Class Members”. I guess their opinion is that the economic impact of passwords being easily guessed is much less than that of 2FA? I’m curious to see how it turns out.
Jason Wood – Founder; Primary Consultant, Paladin Security.
- RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request! Submission deadline for interviews or briefings is February 22nd @ 3:00pm ET
- Join us April 1-3, at Disney’s Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- SecureWorld Boston is hosting their 15th annual conference March 27-28 @ the Hynes Convention Center. Security Weekly Listeners save $100 off a full conference pass by visiting secureworldexpo.com and using the code ‘SecurityWeekly’
- OSHEAN is hosting RI Cybersecurity Exchange Day on March 13th at the O’Hare Academic Building at Salve Regina in Newport, RI! Register Now @ OSHEAN.org/events.