Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label API Bug. Show all posts
Vulnerability Disclosure
API Bug Deliniea Secret Server Flaw Vulnerabilities and Exploits Vulnerability Disclosure

Navigating Vulnerability Disclosure: Lessons from Delinea’s Secret Server Flaw

Lessons from Delinea’s Secret Server Flaw

Recently, an incident involving Delinea’s Secret Server SOAP API highlighted the challenges faced by both parties in the disclosure process.

Vulnerability Details

A major flaw in Delinea's Secret Server SOAP API was discovered this week, prompting security professionals to rush to implement a fix. However, a researcher claims he contacted the privileged access management provider weeks ago to notify them of the flaw, only to be informed he was not authorized to file a case.

Vendor Response

Delinea first revealed the SOAP endpoint issue on April 12. The next day, Delinea teams released an automatic remedy for cloud deployments and a download for on-premises Secret Servers. But Delinea was not the first to sound the alarm.

The vulnerability, which has yet to be issued a CVE, was first publicly exposed by researcher Johnny Yu, who presented a full study of the Delinea Secret Server issue and stated that he had been attempting to contact the vendor since February 12 to responsibly disclose the bug. After working with Carnegie Mellon University's CERT Coordination Center and seeing no reaction from Delina for weeks, Yu decided to publish his findings on February 10.

Silence and Questions

The lack of information regarding the reaction indicates "issues" with Delina's patching protocols, according to Callie Guenther, senior manager of threat research at Critical Start. However, she emphasizes that the crushing weight of vulnerability management is harming everyone.

The National Institute of Science and Technology (NIST) recently stated that it is unable to keep up with the number of vulnerabilities submitted to the National Vulnerability Database and has requested assistance from both the government and the commercial sector.

Lessons Learned: How to Resolve this Situation?

1. Inclusivity Matters

Vendors must revisit their bug submission policies. Excluding independent researchers like Yu can hinder the discovery of critical flaws. A more inclusive approach—one that welcomes input from all corners—can only strengthen our collective security posture.

2. Communication Is Key

Prompt communication is essential. When researchers encounter vulnerabilities, they need a clear channel to report them. Vendors should actively engage with the security community, acknowledge submissions promptly, and provide transparent timelines for fixes.

3. Transparency Builds Trust

Delinea’s delayed response eroded trust. Transparency about the vulnerability’s impact, the timeline for resolution, and the steps taken to mitigate risk fosters goodwill. Vendors should be open about their processes and demonstrate commitment to security.

4. Collaboration Over Competition

Researchers and vendors share a common goal: securing systems. Rather than racing against each other, they should collaborate. A cooperative approach benefits everyone—vendors get timely fixes, and researchers contribute to a safer digital ecosystem.

Read more »
Vulnerabilities and Exploits
API Bug Black hat Code Execution Flaw PoC Exploit Code TrickBoot UEFI Bootkit UEFI Firmware Vulnerabilities and Exploits

LogoFAIL: UEFI Vulnerabilities Unveiled

The discovery of vulnerabilities is a sharp reminder of the ongoing conflict between innovation and malevolent intent in the ever-evolving field of cybersecurity. The tech community has been shaken by the recent discovery of LogoFAIL, a set of vulnerabilities hidden in the Unified Extensible Firmware Interface (UEFI) code that could allow malicious bootkit insertion through images during system boot.

Researchers have delved into the intricacies of LogoFAIL, shedding light on its implications and the far-reaching consequences of exploiting image parsing vulnerabilities in UEFI code. The vulnerability was aptly named 'LogoFAIL' due to its origin in the parsing of logos during the boot process. The severity of the issue is evident from the fact that it can be exploited to inject malicious code, potentially leading to the deployment of boot kits — a type of malware capable of persistently infecting the system at a fundamental level.

The vulnerability was first brought to public attention through a detailed report by Bleeping Computer, outlining the specifics of the LogoFAIL bugs and their potential impact on system security. The report highlights the technical nuances of the vulnerabilities, emphasizing how attackers could exploit weaknesses in UEFI code to compromise the integrity of the boot process.

Further exploration of LogoFAIL is presented in a comprehensive set of slides from a Black Hat USA 2009 presentation by researcher Rafal Wojtczuk. The slides provide an in-depth analysis of the attack vectors associated with LogoFAIL, offering valuable insights into the technical aspects of the vulnerabilities.

In a more recent context, the Black Hat Europe 2023 schedule includes a briefing on LogoFAIL, promising to delve into the security implications of image parsing during system boot. This presentation will likely provide an updated perspective on the ongoing efforts to address and mitigate the risks that LogoFAIL poses.

The gravity of LogoFAIL is underscored by additional resources such as the analysis on binarly.io and the UEFI Forum's document on firmware security concerns and best practices. Collectively, these sources highlight the urgency for the industry to address and remediate the vulnerabilities in the UEFI code, emphasizing the need for robust security measures to safeguard systems from potential exploitation.

Working together to solve these vulnerabilities becomes critical as the cybersecurity community struggles with the consequences of LogoFAIL. The industry must collaborate to establish robust countermeasures for the UEFI code, guaranteeing system resilience against the constantly changing cyber threat environment.


Read more »
Unauthorized access
Android Applications API Bug Data Breach Private Information T-Mobile Technical Glitch Unauthorized access

T-Mobile App Glitch Exposes Users to Data Breach

A recent T-Mobile app bug has exposed consumers to a severe data breach, which is a disturbing revelation. This security hole gave users access to sensitive information like credit card numbers and addresses as well as personal account information for other users. Concerns regarding the company's dedication to protecting user data have been raised in light of the event.

On September 20, 2023, the problem reportedly appeared, according to reports. Unauthorized people were able to examine a variety of individual T-Mobile customer's data. Along with names and contact information, this also included extremely private information like credit card numbers, putting consumers at risk of loss of money. 

T-Mobile was quick to respond to the incident. A company spokesperson stated, "We take the security and privacy of our customers very seriously. As soon as we were made aware of the issue, our technical team worked diligently to address and rectify the glitch." They assured users that immediate steps were taken to mitigate the impact of the breach.

Security experts have highlighted the urgency of the situation. Brian Thompson, a cybersecurity analyst, emphasized, "This incident underscores the critical importance of robust security protocols, particularly for companies handling sensitive user data. It's imperative that organizations like T-Mobile maintain vigilant oversight of their systems to prevent such breaches."

The breach not only puts user information at risk but also raises questions about T-Mobile's data protection measures. Subscribers trust their service providers with a wealth of personal information, and incidents like these can erode that trust.

T-Mobile has advised its users to update their app to the latest version, which contains the necessary patches to fix the glitch. Additionally, they are encouraged to monitor their accounts for any unusual activities and report them promptly.

This incident serves as a stark reminder of the ever-present threat of data breaches in our digital age. It reinforces the need for companies to invest in robust cybersecurity measures and for users to remain vigilant about their personal information. In an era where data is more valuable than ever, safeguarding it should be of paramount importance for all.
Read more »
Sensitive data
API Bug Breached Data Breach Duolingo Duolingo Data Breach JSON Personal Data Sensitive data

Duolingo Data Breach: Hackers Posts Scrapped Data on Hacking Forum


After Discord’s data breach that resulted in its temporary halt in operations, the popular language learning app – Duolingo is facing a data breach.

An X post (previously tweeted) by user @vx-underground stated that a threat actor scraped data of over 2.6 million Duolingo users and posted it on the latest version of the hacking forum ‘Breached.’ BleepingComputer confirmed the breach in its recent post.

Apparently, the hackers gathered the data by manipulating existing vulnerabilities present in the Duolingo API, enabling access to user’s personal data, contact details, addresses, and much more, all by sending a valid email to the API.

The hackers further succeeded in finding active Duolingo users by feeding millions of email addresses to the vulnerable API. The email IDs were then used to create a dataset that contained public and non-public information. As an alternative, it is also feasible to supply a username to the API in order to obtain JSON output that contains sensitive user information.

But this is not the first time that this information has surfaced online. Falcon Feeds raised awareness of this problem via an X post in January. The scraped database was offered for sale for $1,500 on a previous iteration of the Breached hacker forum. Personal information about individuals, including email addresses, phone numbers, photographs, privacy settings, and much more, was revealed in the data.

Earlier, Duolingo had confirmed the data breach to TheRecord, assuring that it was investigating the issue. However, they did not mention that among the data was the private information of its users.

The most worrying aspect of this problem is that the corrupted API is still publicly accessible on the internet even though Duolingo first became aware of it in January. And, regrettably, this is not unexpected. Since most scraped data involves already-available information and is not the simplest to assemble into a credible threat, businesses frequently tend to ignore it.

In case of Duolingo, the breached data also involved sensitive data, that was not available publicly. While Duolingo is yet to address the issue, the most a user can do in this situation is modify their login credentials and/or delete their Duolingo accounts.     

Read more »
Vulnerabilities and Exploits
Airline Airline rewards API Bug Hackers loyality points Travel reward programs Vulnerabilities and Exploits

Hackers Have Scored Unlimited Airline Miles, Targeting One Platform


TRAVEL REWARDS PROGRAMS, such as those provided by hotels and airlines, highlight the unique benefits of joining their club over others. However behind the scenes, several of these programs—including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy—share the same digital infrastructure. The business Points, which offers a variety of services including a comprehensive application programming interface (API), provides the backend.

In a new finding, a group of security researcher discovered that the vulnerabilities in the Point.com API are most likely exploited to expose customer data, steal customers’ “loyalty currency,” (such as miles) or the Points global administration accounts in order to acquire control over the entire program.

About the Vulnerabilities

The researchers discovered a vulnerability that involved a manipulation that enabled them to move between internal sections of the Points API infrastructure and then query it for incentive program client orders. 22 million order records, which include information like customer rewards account numbers, addresses, phone numbers, email addresses, and partially completed credit card numbers, have been found in the system. A hacker could not just dump the entire data store at once since Points.com set limits on how many responses the system could provide at once. However, the researchers point out that this would have made it possible for the threat actor to look up for certain people of interest or to gradually drain data from the system over time.

Another bug found was apparently an API configuration issue that could allow a threat actor to enable account authorization token for a user with only their last names and reward numbers. These two pieces of information might have been obtained through earlier hacks or might have been gained by using the first weakness. By controlling client accounts and transferring miles or other reward points to themselves using this token, attackers might deplete the victim's accounts.

The researchers also noted that the two vulnerabilities shared similarities with the other bugs that were discovered earlier, one that impacted the Virgin Red and the other affected the United MileagePlus. However, these bugs too were patched by Points.com.

Most importantly, the researchers discovered a flaw in the Points.com global administration website, where an encrypted cookie issued to each user had been encrypted with a secret phrase "secret" itself, making it vulnerable. The researchers could essentially assume god-like ability to access any Points reward system and even offer accounts limitless miles or other perks by guessing this. They could then decrypt their cookie, reassign themselves global administrator credentials for the website, and re-encrypt their cookie.

Moreover, the researchers assured that their fixed indeed do their jobs right and claimed that Points were in fact very prompt and cooperative in addressing the disclosures.  

Read more »
User Privacy
API Bug Canada Cyber Security Databases GitHub Malicious actor SIM Telecom Firm User Privacy

Canadian Telecom Provider Telus is Reportedly Breached

 

One of Canada's biggest telecommunications companies, Telus, is allegedly investigating a system breach believed to be fairly severe when malicious actors exposed samples of what they claimed to be private corporate information online.

As per sources, the malicious actors posted on BreachForums with the intention of selling an email database that claimed to include the email addresses of every Telus employee. The database has a $7000 price tag. For $6,000, one could access another database purported to provide payroll details for the telecom companies' top executives, including the president.

A data bundle with more than 1,000 private GitHub repositories allegedly belonging to Telus was also offered for sale by the threat actor for $50,000. A SIM-swapping API was reportedly included in the source code that was for sale. SIM-swapping is the practice of hijacking another person's phone by switching the number to one's own SIM card.

Although the malicious actors have described this as a Complete breach and have threatened to sell everything connected to Telus, it is still too early to say whether an event actually happened at TELUS or whether a breach at a third-party vendor actually occurred.

A TELUS representative told BleepingComputer that the company is looking into accusations that some information about selected TELUS team members and internal source code has leaked on the dark web.

The Telus breach would be the most current in recent attacks on telecom companies if it occurred as the malicious actors claimed. Three of the biggest telecommunications companies in Australia, Optus, Telestra, and Dialog, have all been infiltrated by attackers since the beginning of the year.

Customer data was used in a cyberattack that affected the Medisys Health Group business of Telus in 2020. The company claimed at the time that it paid for the data and then securely retrieved it. Although TELUS is still keeping an eye on the potential incident, it has not yet discovered any proof that corporate or retail customer data has been stolen.



Read more »
Windows Defender
API Bug Encryption malware Ransomware Attacks. Software Windows Defender

Conti Source Code & Everything API Employed by Mimic Ransomware

A new ransomware variant known as Mimic was found by security researchers, and it uses the Windows 'Everything' file search tool's APIs to scan for files that should be encrypted.

The virus has been "deleting shadow copies, terminating several apps and services, and abusing Everything32.dll methods to query target files that are to be encrypted," according to the first observation of it in June 2022.

What is Mimic ransomware?

The ransomware payload for Mimic is contained in a password-protected package that is presented as Everything64.dll and dropped by the executable Mimic along with other components. Additionally, it contains tools for disabling valid sdel binaries and Windows Defender.

Mimic is a flexible strain of ransomware that may use command-line options to target specific files and multi-processor threads to encrypt data more quickly. The victim of a mimic ransomware attack first receives an executable, most likely via email. This executable loads four files onto the target machine, including the primary payload, auxiliary files, and tools to turn off Windows Defender.

The popular Windows filename search engine 'Everything' was created by Voidtools. The tool supports real-time updates and is lightweight and speedy, using few system resources. According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enables it to operate with little resource consumption, resulting in a more effective assault and execution.

Although Mimic is a new strain with unknown activity, the developers' use of the Conti builder with the Everything API demonstrates their skill as software engineers and their awareness of how to accomplish their objectives.



Read more »
User Privacy
API Bug Cyber Crime Have I Been Pwned Ransomware Attacks. Security flaw Twitter User Privacy

Hackers Expose Credentials of 200 million Twitter Users

Researchers suggest that a widespread cache of email addresses related to roughly 200 million users is probably a revised version of the larger cache with duplicate entries deleted from the end of 2022 when hackers are selling stolen data from 400 million Twitter users.

A flaw in a Twitter API that appeared from June 2021 until January 2022, allowed attackers to submit personal details like email addresses and obtain the corresponding Twitter account. Attackers used the vulnerability to harvest information from the network before it could be fixed. 

The bug also exposed the link between Twitter accounts, which are frequently pseudonymous, numbers and addresses linked to them, potentially identifying users even if it did not allow hackers to obtain passwords or other sensitive data like DMs. 

The email addresses for a few listed Twitter profiles were accurate, according to the data that Bleeping Computer downloaded. It also discovered that the data had duplicates. Ryushi, the hacker, asked Twitter to pay him $200,000 (£168,000) in exchange for providing the data and deleting it. The information follows a warning from Hudson Rock last week regarding unsubstantiated claims made by a hacker that he had access to the emails and phone numbers of 400 million Twitter users.

Troy Hunt, the founder of the security news website Have I Been Pwned, also investigated the incident and tweeted his findings "Acquired 211,524,284 distinct email addresses; appears to be primarily what has been described," he said. 

The social network has not yet responded to the enormous disclosure, but the cache of information makes clear how serious the leak is and who might be most at risk as a consequence. Social media companies have consistently and quickly minimized previous data scrapes of this nature and have dismissed them as not posing substantial security risks for years.

Read more »
Subscribe to: Posts (Atom)